Clear password in Virtualmin log - why, and is it a security risk? (pretty sure of it)

myhkenmyhken Member
edited February 2014 in General

I'm using Virtualmin 4.04 on CentOS 6.5 on my servers. My main server has several scheduled backups set up. When I create new backups, the password for the FTP servers is replaced with ****, all looks great.
But today I found all my login info to my backup servers in clear text in /var/webmin/webmin.log. When I set up Virtualmin I always use the "hashed password" setting, but still, in webmin.log all login info (ftp server:password@username) is clear as daylight.

This can't be good? If anybody gets access to my server and my logs, they can get all the important login info to my backup servers.

I have now created a script and a cron job deleting /var/webmin/webmin.log every minute.

But am I missing some important setting or something in Virtualmin/Webmin that allows the FTP info for my backup servers to be written in clear text to the logfile?

I could not find any other username/passwords there, only the backup info.

Comments

  • edited February 2014

    The server has to store the FTP password somewhere. So if somebody can read all your files, they can just as easily look in the configs as in the logs. So no, it's not a true security risk, though not a very good idea either.

  • myhkenmyhken Member
    edited February 2014

    @MitchellRobert

    The server has to store the FTP password somewhere.

    Yea you're right. But since I use the "hashed password" option I was sure every password was hashed.

    Storage of plaintext passwords for virtual servers and mailboxes can now be disabled on a per-template basis. Virtualmin will instead store only hashed passwords in multiple formats, **which prevents passwords from being compromised if the system is hacked**. This feature should ideally be enabled before any virtual servers have been created.

  • jarjar Patron Provider, Top Host, Veteran

    Doesn't seem like a good idea to me. I can't think of a good reason to have the password stored, in plain text, where it isn't necessary. Gotta be a way to disable that, I'm sure.

  • jarland said: Gotta be a way to disable that I'm sure.

    But how...thats the question. :D

  • @myhken said:
    But how...thats the question. :D

    Don't use any control panel.

  • Our installation(s) of Webmin do not log cleartext passwords (note: Webmin, not Virtualmin). However, as you've pointed to a Webmin log file, I thought it pertinent.

  • NeoonNeoon Community Contributor, Veteran

    Yeah, don't use a control panel. For what? It brings more security issues than it helps you.

  • Contact the author and have him address it. I agree, that isn't good.

  • Disable logs? No good for debugging but I'll fix the passwords in log issue.

  • @k0nsl said:

    Contact the author and have him address it. I agree, that isn't good.

    Yea, I will do that tomorrow. It's clearly a security issue.
    I have to say that the only passwords I can find in the logs are the info used in Scheduled backups. It lists users created in Virtualmin as well (FTP users, e-mail users etc.), but there the passwords are hashed.

  • myhken said: Yea you're right. But since I use the "hashed password" option I was sure every password was hashed.

    As far as I'm concerned FTP does not have a feature where you can authenticate using a hash. Then still, if it truly was hashed then how would it end up plain text in the logs? ;-)

  • MitchellRobert said: Then still, if it truly was hashed then how would it end up plain text in the logs?

    Here is a test I just did, so maybe people will see it more clearly.

    I'm creating a scheduled backup in Virtualmin, and as you can see, my password is not in plain text here.

    Here is the log, and as you can see on line 5 (marked with red) all info + password from the first page are in plain text.

  • skagerrakskagerrak Member
    edited February 2014

    Your password is nowhere hashed. It was entered in clear text, and so will it be submitted and saved. The dots you are referring to are simply replacing the actual chars. This is just an HTML form: <input name="kennwort" type="password">. It's just a setting for the browser to replace the chars temporarily. It should just protect you from third persons having a look at your screen while you type. It's not designed to encrypt a string; it's simply for the non-visibility of the written chars. Yet, the string is transmitted to the server in clear text, as it was entered.

  • skagerrak said: Yet, the string is transmitted to the server in clear text

    But is this normal,and safe?

  • skagerrakskagerrak Member
    edited February 2014

    @myhken said:
    But is this normal,and safe?

    FTP itself is unsafe by design. But the password field in question is just a normal HTML text field. The only difference is that the visibility of the chars entered is temporarily changed to a replacement char.

    See what the W3C wrote when they invented HTML 2.0 back in 1995.

  • Posted the issue at the webmin forum, so will see if I get any replies there. Strange that nobody here has seen this issue before, and have a quick solution for it. (and no, I will not uninstall Virtualmin/webmin).

  • When I was using Virtualmin, I always set it up to use hashed passwords.

    When testing for security holes, I would search for a known password and see if it was found anywhere on the file system and never got any result.

    Are you sure you selected hashed passwords when setting Virtualmin up in the post installation script?
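
As an added example (not Virtualmin or Webmin code, and not posted by anyone in this thread), here is the check the posts above describe in script form: scan a log for backup destinations stored as scheme://user:password@host URLs, report and redact just the password instead of deleting the whole log every minute, and test for a known password in both its plain and its percent-encoded spelling, because a plain grep for the password misses it if the panel URL-encoded it before logging. The log lines, the field layout and every host and user name are constructed; it assumes only that the destination is logged as a URL with the credentials in the userinfo part, which is the usual form of an FTP or SSH destination.

```python
"""Scrub URL-embedded credentials (scheme://user:password@host/...) out of a
log and check whether a known secret appears in it.

Added example for this thread; it is NOT Virtualmin or Webmin code. The
sample log below is constructed: it only mimics a space-separated webmin.log
with a backup destination stored as a URL, which is an assumed layout.
"""
import re
from urllib.parse import quote, unquote

# scheme://user:password@host  -- userinfo must not contain whitespace, '/' or
# a second '@' (a real '@' or '/' in the password has to be percent-encoded).
CRED_URL_RE = re.compile(
    r"\b([a-z][a-z0-9+.-]*://)"   # 1: scheme, e.g. ftp:// ssh:// https://
    r"([^\s:@/]+)"                # 2: user name
    r":([^\s@/]+)"                # 3: password (possibly percent-encoded)
    r"@([^\s/]+)",                # 4: host[:port]
    re.IGNORECASE,
)


def find_credentials(line):
    """Return (scheme, user, password, host) for each credential-bearing URL.
    The password is percent-decoded, so 'p%40ss' is reported as 'p@ss'."""
    return [(m.group(1), m.group(2), unquote(m.group(3)), m.group(4))
            for m in CRED_URL_RE.finditer(line)]


def redact_line(line):
    """Replace only the password part; user and host stay for debugging."""
    return CRED_URL_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}:****@{m.group(4)}", line)


def scan_log(text):
    """Return {'findings': [(lineno, user, host, password), ...],
               'redacted': the same log with passwords replaced by ****}."""
    findings, redacted = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for _scheme, user, password, host in find_credentials(line):
            findings.append((lineno, user, host, password))
        redacted.append(redact_line(line))
    return {"findings": findings, "redacted": "\n".join(redacted) + "\n"}


def contains_secret(text, secret):
    """A plain grep misses a password that was URL-encoded before logging
    ('p@ss' is logged as 'p%40ss'), so test both spellings."""
    return secret in text or quote(secret, safe="") in text


# Constructed sample: line layout is an assumption, not real webmin.log output.
SAMPLE_LOG = """\
1392000000.1001.0 root 198.51.100.7 virtual-server backup.cgi dest=ftp://backupuser:Sup3r-Secret@backup.example.net/vm/
1392000060.1002.0 root 198.51.100.7 virtual-server save_domain.cgi dom=example.com
1392000120.1003.0 root 198.51.100.7 virtual-server backup.cgi dest=ssh://bk:p%40ss%3Aword@10.0.0.5/srv/backups
1392000180.1004.0 root 198.51.100.7 webmin index.cgi url=https://example.org:8443/ok?mail=a@b.example
"""

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for lineno, user, host, password in result["findings"]:
        print(f"line {lineno}: {user}@{host} password leaked ({len(password)} chars)")
    print(result["redacted"], end="")
```

Run it as a script to see the findings and the scrubbed copy. A cron job that writes the scrubbed copy back in place keeps the log usable for debugging, which was the objection to deleting it, while removing only the password field; the fourth sample line shows that a host:port URL with an e-mail address in the query string is not mistaken for a credential.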

  • OkieDoke said: Are you sure you selected hashed passwords when setting Virtualmin up in the post installation script?

    Yes, I always do that. And this issue is not on one server (there I could have forgotten to change the settings) but on all of my servers, and I have not forgotten to set the setting I always use on so many servers.

    You can see in this picture that when I create a new Virtualmin user, the password gets hashed, so that's correct.

    But passwords from Scheduled backups are not hashed.

  • You should contact Virtualmin about this, and see what they have to say.

  • k0nsl said: Contact the author

    Back when I used webmin, the developers provided superb support through their mailing list... http://www.webmin.com/mailing.html
