
#4511 IP ACL bug

1.720
closed-fixed
nobody
None
5
2014-12-02
2014-11-26
kurczaq
No

IP access control does not work when DNS name is in this format:

dslb-178-007-042-019.178.007.pools.vodafone-ip.de

and IP access list has an entry:
*.vodafone-ip.de

Neither this one works:
....vodafone-ip.de

Only putting numerical IP block works:
178.0.0.0/12

In contrast, another IP resolving to sub.domain.com works when put into IP ACL:
*.domain.com

Discussion

1 2 > >> (Page 1 of 2)
  • kurczaq

    kurczaq - 2014-11-26

    Sorry, it has eaten the wildcards.

    I wrote (without the spaces):

    "Neither this one works:
    * . * . * . * . vodafone-ip.de"

     
  • Jamie Cameron

    Jamie Cameron - 2014-11-26

    Are you sure that IPs that clients are connecting from can be reverse-resolved in DNS to a vodafone-ip.de domain? You can test this by running the command "host 178.x.x.x" to see what it outputs.

     
  • kurczaq

    kurczaq - 2014-11-26

    Hi

    yes absolutely sure.

    www2:~ # host 92.74.23.156
    156.23.74.92.in-addr.arpa domain name pointer dslb-092-074-023-156.092.074.pools.vodafone-ip.de.
    www2:~ # host dslb-092-074-023-156.092.074.pools.vodafone-ip.de.
    dslb-092-074-023-156.092.074.pools.vodafone-ip.de has address 92.74.23.156
    www2:~ #

    www2:~ # grep dslb /var/webmin/miniserv.error

    [24/Nov/2014:21:20:47 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:20:49 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:24:06 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:24:17 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:24:18 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:24:18 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:26:48 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:26:48 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:34:53 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:34:55 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:34:56 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:34:57 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:39:39 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:39:40 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:41:11 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:41:13 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:41:15 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:21:41:15 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:37 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:41 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:45 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:57 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [25/Nov/2014:06:03:52 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:16 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:17 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:18 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:18 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:20 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:21 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:23 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:07:36:06 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:16:55:37 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:16:55:39 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:16:55:39 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:18:27:31 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:18:39:57 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:18:39:59 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:18:40:11 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:20:31:16 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:21:58:05 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:21:58:05 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:21:58:06 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    www2:~ #

     
  • kurczaq

    kurczaq - 2014-11-26

    www2:~ # grep dslb /var/webmin/miniserv.error
    [24/Nov/2014:18:22:11 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    .... and so on
    [25/Nov/2014:06:04:16 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    ... and so on!

     
  • kurczaq

    kurczaq - 2014-11-26

    I guess it does not recognize that it is a domain, if there are numbers. (edit)

    I guess the bug is here (but I do not know Perl):

    ip_match(remoteip, localip, [match]+)

    Checks an IP address against a list of IPs, networks and networks/masks

    sub ip_match
    {

     

    Last edit: kurczaq 2014-11-26
  • Jamie Cameron

    Jamie Cameron - 2014-11-27

    Do you have logging of reverse-resolved IPs enabled? You can check for this by looking for the line loghost=1 in /etc/webmin/miniserv.conf

     
  • kurczaq

    kurczaq - 2014-11-27

    I have /etc/webmin/miniserv.conf:

    logclf=0
    logclear=0
    loghost=1

    it is logging:
    [24/Nov/2014:22:24:41 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:45 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [24/Nov/2014:22:24:57 +0100] [dslb-092-074-023-156.092.074.pools.vodafone-ip.de] Access denied for 92.74.23.156
    [25/Nov/2014:06:03:52 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:16 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19
    [25/Nov/2014:06:04:17 +0100] [dslb-178-007-042-019.178.007.pools.vodafone-ip.de] Access denied for 178.7.42.19

    etc

     
  • Jamie Cameron

    Jamie Cameron - 2014-11-28

    That looks OK. Could you also post the allow= and deny= lines from your miniserv.conf file?

     
  • kurczaq

    kurczaq - 2014-11-28

    allow=127.0.0.1 10.0.0.0/8 *.vodafone-ip.de 92.74.0.0/15 178.0.0.0/12 LOCAL

    there is no deny= line

    I also tried to use tcp wrapper option and put *.vodafone-ip.de into hosts.allow => not working!

     
  • Jamie Cameron

    Jamie Cameron - 2014-11-29

    Is your system perhaps behind a proxy like Squid or Apache in reverse-proxy mode?

     
  • kurczaq

    kurczaq - 2014-11-29

    nope no proxies. Just VM on SNAT/DNAT (but this is not an issue here).

     
  • kurczaq

    kurczaq - 2014-11-29

    as I explained

    if I use another domain to login (e.g. from another VPS with fixed IP and correctly resolving (r)DNS), like sub.domain.com, then IP ACL works when I put *.domain.com into the ACL list.

    Just these vodafone hosts DO NOT WORK.
    [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 88.64.182.206

    only putting the IP block (e.g. 88.64.0.0/16) works, but NEITHER OF THESE WORKS:
    .vodafone-ip.de
    ...*.vodafone-ip.de

    I tried the tcpwrapper option but not working either:
    I have this in my hosts.allow:

    sshd : .dip0.t-ipconnect.de .pools.vodafone-ip.de 10.0.0.0/8 : ALLOW
    webmin : .pools.vodafone-ip.de .dip0.t-ipconnect.de 10.0.0.0/8 : ALLOW

    sshd IS WORKING, webmin is NOT working. Any idea?

    no problem to log in to ssh from 088-064-182-206.088.064.pools.vodafone-ip.de

    but webmin no way:

    [28/Nov/2014:19:00:34 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 88.64.182.206

    etc

     
  • Jamie Cameron

    Jamie Cameron - 2014-11-29

    What if you try allowing the specific hostname you are connecting from, like dslb-088-064-182-206.088.064.pools.vodafone-ip.de ?

     
  • kurczaq

    kurczaq - 2014-11-29

    good question. cannot check it now. in fact I do admin stuff for a client and he is complaining (so I am putting now his IP blocks so he can login) - I do not have the IP myself that is not working (mine works fine).
    I would need to schedule a session with the client so we can try (he complains each day and then I see the logs, the IPs he had).

     
  • kurczaq

    kurczaq - 2014-11-29

    today it did not work:

    [p5B2F4D73.dip0.t-ipconnect.de] Access denied for 91.47.77.115

    while I have *.t-ipconnect.de in the webmin ACL and .dip0.t-ipconnect.de in hosts.allow

    seems to me it does not like sub.sub.sub.domain.com or so. Or it misinterprets numbers inside of the domain name as IP address. There must be a bug in your matching rules.

     
  • kurczaq

    kurczaq - 2014-11-29

    weird.
    I reconfigured the local DNS that is responsible for the internal network so I can play with the domains (as I have no access to the client IP that is failing); I can use the internal supervisor server IP 10.1.1.1 to log in to Webmin (but a private network should not break anything here).

    So I added a zone for 10.1.1.0/24 to resolve my test IP back and forth (I have that citytalks.de domain):

    www2:~ # host dslb-088-064-182-206.088.064.pools.citytalks.de.
    dslb-088-064-182-206.088.064.pools.citytalks.de has address 10.1.1.1
    www2:~ # host 10.1.1.1
    1.1.1.10.in-addr.arpa domain name pointer dslb-088-064-182-206.088.064.pools.citytalks.de.
    www2:~ #

    now webmin lets me in (from 10.1.1.1) if I add an ACL *.citytalks.de ! weird! Without that ACL access denied.

    let me try with fake .vodafone zone

     
  • kurczaq

    kurczaq - 2014-11-29

    changed my internal 10.1.1.1 zone to resolve to vodafone-ip.de. Result:

    www2:~ # host 10.1.1.1
    1.1.1.10.in-addr.arpa domain name pointer dslb-088-064-182-206.088.064.pools.vodafone-ip.de.
    www2:~ # host dslb-088-064-182-206.088.064.pools.vodafone-ip.de.
    dslb-088-064-182-206.088.064.pools.vodafone-ip.de has address 10.1.1.1
    www2:~ #

    webmin says:

    [29/Nov/2014:03:28:13 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1
    [29/Nov/2014:03:28:13 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1
    [29/Nov/2014:03:29:09 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1
    [29/Nov/2014:03:29:09 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1


    so to summarize:
    if 10.1.1.1 resolves over local named to xxx.domain.com, .domain.com works in ACL
    if 10.1.1.1 resolves over local named to xxx.domain-xx.com,
    .domain.com DOES NOT WORK in ACL!
    I guess the - in domain name is the issue!

     
  • kurczaq

    kurczaq - 2014-11-29

    in the ACL I had:

    *.pools.vodafone-ip.de
    *.dip0.t-ipconnect.de
    *.pools.citytalks.de
    

    (without the space, it eats the stars here)

     

    Last edit: kurczaq 2014-11-29
  • Jamie Cameron

    Jamie Cameron - 2014-11-30

    Ah .. yes, that would explain it. Thanks for finding this! The issue is that the domain name part is being treated as a regexp when doing the ACL comparison, and a dash is a special character. The following patch (which will be included in the next release) should address this issue : https://github.com/webmin/webmin/commit/f9ea811781d485de18e66da4a6ac4d94ad366a98

     
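    The regexp-interpolation problem described in the post above, as an added example in Python that is not part of this ticket or of Webmin's own code. It is a minimal ACL matcher in the style of the miniserv.conf allow= line on this page (single IP, CIDR block and `*.suffix` hostname entries; the LOCAL keyword is left out). `naive_host_match` drops the text after the star into a regexp unescaped, as the commented-out line in the patch did, so `.` matches any character and a constructed reverse name such as `attacker-vodafone-ip.de` satisfies `*.vodafone-ip.de`. `safe_host_match` compares the suffix literally, case-insensitively and on a label boundary, which is the role the `\Q...\E` quoting plays in the patched Perl. The ACL and hostnames below are constructed for the example.

```python
import ipaddress
import re

# Constructed for this example: an allow list in the style of the ticket's
# miniserv.conf "allow=" line (the LOCAL keyword is left out).
ACL = ["127.0.0.1", "10.0.0.0/8", "*.vodafone-ip.de"]


def naive_host_match(entry, hostname):
    """Regexp-interpolating variant, mirroring the commented-out line in the
    patch: the text after '*' becomes a regexp unescaped, so '.' matches any
    character and other metacharacters change what the entry means."""
    suffix = entry[1:]
    return re.search(suffix + "$", hostname) is not None


def safe_host_match(entry, hostname):
    """Literal suffix match: case-insensitive, trailing dot ignored, and the
    match must sit on a label boundary so '*.vodafone-ip.de' cannot be
    satisfied by 'attacker-vodafone-ip.de'.  This is what Perl's quotemeta
    (\\Q...\\E) achieves in the patch, with the boundary enforced explicitly."""
    suffix = entry[1:].lower().rstrip(".").lstrip(".")
    host = hostname.lower().rstrip(".")
    return host.endswith("." + suffix)


def ip_match(remote_ip, hostname, acl, host_match=safe_host_match):
    """Return True if remote_ip (with its reverse-resolved hostname, or None
    when there is no PTR record) is accepted by any entry of acl."""
    addr = ipaddress.ip_address(remote_ip)
    for entry in acl:
        if entry.startswith("*"):
            # Hostname entries only apply when the client reverse-resolves.
            if hostname and host_match(entry, hostname):
                return True
        elif "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif addr == ipaddress.ip_address(entry):
            return True
    return False


if __name__ == "__main__":
    vodafone = "dslb-092-074-023-156.092.074.pools.vodafone-ip.de"
    lookalike = "attacker-vodafone-ip.de"   # constructed, not a real client
    print(ip_match("92.74.23.156", vodafone, ACL))                     # True
    print(ip_match("92.74.23.156", lookalike, ACL))                    # False
    print(ip_match("92.74.23.156", lookalike, ACL, naive_host_match))  # True
    print(ip_match("10.1.1.1", None, ACL))                             # True
```

    Note that the patched regexp on this page, `/^.*\Q$1\E$/i`, preserves the label boundary only because the `\S+` after the star captures the leading dot of `*.vodafone-ip.de`; an entry written as `*vodafone-ip.de` would still accept `notvodafone-ip.de`. The `safe_host_match` above strips any leading dot from the entry and then requires `.suffix` at the end of the name, so the boundary holds regardless of how the entry was typed. Hostname entries are only as trustworthy as the PTR record the client's network operator publishes, which is why an IP block such as 178.0.0.0/12 is the stronger control when it is known.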
  • Jamie Cameron

    Jamie Cameron - 2014-11-30
    • status: open --> closed-fixed
     
  • kurczaq

    kurczaq - 2014-11-30

    I patched as you said:
    /usr/libexec/webmin/miniserv.pl

    the code piece now reads:

            elsif ($_[$i] =~ /^\*(\S+)$/) {
                    # Compare with hostname regexp
                    # $mismatch = 1 if ($hn !~ /$1$/);
                    $mismatch = 1 if ($hn !~ /^.*\Q$1\E$/i);
                    }
            elsif ($_[$i] eq 'LOCAL' && &check_ipaddress($_[1])) {
                    # Compare with local IPv4 network
                    local @lo = split(/\./, $_[1]);
                    if ($lo[0] < 128) {
    

    (commenting the old line out should be OK)

    Webmin restarted. However, it is still not working today; see the logs:

    [30/Nov/2014:11:46:35 +0100] [p5B2F541E.dip0.t-ipconnect.de] Access denied for 91.47.84.30
    [30/Nov/2014:11:46:39 +0100] [p5B2F541E.dip0.t-ipconnect.de] Access denied for 91.47.84.30
    [30/Nov/2014:12:09:20 +0100] [p5B2F541E.dip0.t-ipconnect.de] Access denied for 91.47.84.30
    [30/Nov/2014:15:14:38 +0100] [p5B2F541E.dip0.t-ipconnect.de] Access denied for 91.47.84.30
    [30/Nov/2014:16:33:29 +0100] [p5B2F541E.dip0.t-ipconnect.de] Access denied for 91.47.84.30
    
     

    Last edit: kurczaq 2014-11-30
  • kurczaq

    kurczaq - 2014-11-30

    I set up my fake DNS zone for testing with 10.1.1.1 again:

    [30/Nov/2014:19:13:31 +0100] Restarting
    Pre-loaded WebminCore
    [30/Nov/2014:19:13:33 +0100] miniserv.pl started
    [30/Nov/2014:19:13:33 +0100] Using MD5 module Digest::MD5
    [30/Nov/2014:19:13:33 +0100] PAM authentication enabled
    [30/Nov/2014:19:13:33 +0100] UTMP logging enabled
    [30/Nov/2014:19:13:42 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1
    [30/Nov/2014:19:13:42 +0100] [dslb-088-064-182-206.088.064.pools.vodafone-ip.de] Access denied for 10.1.1.1
    

    DNS fake zone working on the www:

    www2:~ # host 10.1.1.1
    1.1.1.10.in-addr.arpa domain name pointer dslb-088-064-182-206.088.064.pools.vodafone-ip.de.
    www2:~ # host dslb-088-064-182-206.088.064.pools.vodafone-ip.de.
    dslb-088-064-182-206.088.064.pools.vodafone-ip.de has address 10.1.1.1
    www2:~ # 
    

    from miniserv.conf:

    allow=91.47.77.115 *.citytalks.de *.pools.vodafone-ip.de *.dip0.t-ipconnect.de
    login_script=/etc/webmin/login.pl
    logout_script=/etc/webmin/logout.pl
    logclf=1
    logclear=0
    loghost=1
    

    putting the IP (or IP/block) directly works.
    It is bewitched!

     
  • kurczaq

    kurczaq - 2014-11-30

    cross check with the other domain (reconfig local named):

    www2:~ # host 10.1.1.1
    1.1.1.10.in-addr.arpa domain name pointer dslb-088-064-182-206.088.064.pools.citytalks.de.
    www2:~ # host dslb-088-064-182-206.088.064.pools.citytalks.de.
    dslb-088-064-182-206.088.064.pools.citytalks.de has address 10.1.1.1
    www2:~ #
    
    restarting miniserv
    [30/Nov/2014:19:23:38 +0100] Restarting
    Pre-loaded WebminCore
    [30/Nov/2014:19:23:41 +0100] miniserv.pl started
    [30/Nov/2014:19:23:41 +0100] Using MD5 module Digest::MD5
    [30/Nov/2014:19:23:41 +0100] PAM authentication enabled
    [30/Nov/2014:19:23:41 +0100] UTMP logging enabled
    
    2014-11-30T19:23:40.550864+01:00 www2 webmin[7056]: Webmin starting
    2014-11-30T19:24:00.319967+01:00 www2 perl[7302]: pam_unix(webmin:session): session opened for user root by (uid=0)
    2014-11-30T19:24:00.568645+01:00 www2 webmin[7302]: Successful login as root from dslb-088-064-182-206.088.064.pools.citytalks.de
    2014-11-30T19:24:31.040775+01:00 www2 webmin[7330]: Logout by root from dslb-088-064-182-206.088.064.pools.citytalks.de
    

    (+syslog).
    Working when resolving 10.1.1.1 to dslb-088-064-182-206.088.064.pools.citytalks.de

    wtf.... :(

     
  • Jamie Cameron

    Jamie Cameron - 2014-11-30

    I just thought of another setting that may be relevant - try adding alwaysresolve=1 to /etc/webmin/miniserv.conf and then run /etc/webmin/restart

     