Login key logged out after seconds of inactivity

rowan

Verified User
Joined
Sep 26, 2015
Messages
12
I am using a SaaS solution to log in to my DirectAdmin server, so I cannot change the code for how it logs into the server. However, I think this is a DA problem, because once the user is authorized they are logged out after just seconds of inactivity. If they keep browsing DA they stay logged in.

Where can I change the inactivity timeout?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,146
Location
GMT +7.00
Hello,

By default the session timeout is 60 minutes, and it is set on the Administrator Settings page.

I believe the reason your users are logged out after just seconds of inactivity is different. Check the logs under /var/log/directadmin/ to find possible clues.
 

rowan

Thank you for your suggestions. I've monitored the logs while performing a login, and it got me closer to an assumption about the cause.

/var/log/directadmin/login.log
2020:02:12-09:45:07: '145.131.00.000' successful Basic Auth/API login to 'user' via 'admin' after 1 attempts
2020:02:12-09:38:27: '90.145.00.000' successful login to 'user' after 1 attempts
2020:02:12-09:39:27: '90.145.00.000' 1 failed login attempts. Account 'user'
2020:02:12-09:39:27: '90.145.00.000' 1 failed login attempts. Account 'user'
/var/log/directadmin/error.log
2020:02:12-09:42:28: Referer port (443) does not match DA's (2222): https://domain.com
2020:02:12-09:42:28: Referer check failed for 90.145.00.000

/usr/local/directadmin/conf/directadmin.conf
check_referer=0
service directadmin restart

The first issue that I fixed was disabling the check_referer; however, it looks like it still causes an issue.
I've installed a certificate on my DirectAdmin server, and it looks like the login is performed from 2222 whilst the session is kept from 443.

The strangest thing is that users can browse without problems, but if the user is inactive and the session timeout of 60s is hit, it creates a "failed login attempt", as seen above in login.log.
 

zEitEr

Do you have the same with the enhanced skin enabled for the affected user?

I mean, try modifying the skin to enhanced for a user and then try to log in as the user. Does the issue persist?
 

rowan

Thank you for your suggestions zEitEr,

When I change the skin to enhanced, the user will be logged off after a change of page once the 60s timeout window has passed. The log displays the same failed login error:

2020:02:12-11:17:52: '90.145.00.000' 1 failed login attempts. Account 'user'
 

zEitEr

What do you see?

Code:
/usr/local/directadmin/directadmin c | grep ^check_referer
 

rowan

That command gives the following response:
[root@ruby directadmin]# /usr/local/directadmin/directadmin c | grep ^check_referer
check_referer=0
check_referer_port=0

My full DirectAdmin config is as follows (I've changed the server address to ruby):
Code:
add_userdb_quota=1
addip=/usr/local/directadmin/scripts/addip
admin_helper=admin.site-helper.com
admindir=./data/admin
apache_public_html=0
apache_ver=2.0
apachecert=/etc/httpd/conf/ssl.crt/server.crt
apacheconf=/etc/httpd/conf/extra/directadmin-vhosts.conf
apacheips=/etc/httpd/conf/ips.conf
apachekey=/etc/httpd/conf/ssl.key/server.key
apachelogdir=/var/log/httpd/domains
apachemimetypes=/etc/mime.types
brute_dos_count=100
brute_force_log_scanner=1
brute_force_scan_apache_logs=2
brute_force_time_limit=120
brutecount=20
bruteforce=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
carootcert=/usr/local/directadmin/conf/carootcert.pem
check_partitions=2
check_subdomain_owner=1
check_referer=0
check_referer_port=0
clear_blacklist_ip_time=30
clear_brute_log_entry_time=4
clear_brute_log_time=24
cloud_cache=0
default_private_html_link=1
demodocsroot=./data/skins/evolution
dkim=2
dns_ttl=1
docsroot=./data/skins/evolution
dovecot=1
emailspoolvirtual=/var/spool/virtual
emailvirtual=/etc/virtual
enable_ssl_sni=1
enforce_difficult_passwords=0
ethernet_dev=eth0
exempt_local_block=1
frontpage_on=0
ftpconfig=/etc/proftpd.conf
ftppasswd=/etc/proftpd.passwd
ftpvhosts=/etc/proftpd.vhosts.conf
hide_brute_force_notifications=1
ip_brutecount=100
letsencrypt=1
license=/usr/local/directadmin/conf/license.key
litespeed=0
log_rotate_size=5
logdir=/var/log/directadmin
logger=/usr/local/directadmin/logger
loghostname=0
login_history=10
login_keys_notify_on_creation=0
logs_to_keep=5
lost_password=0
mail_sni=1
max_per_email_send_limit=-1
max_username_length=10
maxfilesize=104857600
mysql_detect_correct_methods=1
mysql_use_new_user_methods=1
mysqlconf=/usr/local/directadmin/conf/mysql.conf
namedconfig=/etc/named.conf
nameddir=/var/named
nginx=0
nginx_proxy=1
ns1=ns0.ruby.nl
ns2=ns1.ruby.nl
numservers=10
openlitespeed=0
owsadm=/usr/local/frontpage/version5.0/bin/owsadm.exe
partition_usage_threshold=95
php_fpm_max_children_default=10
port=2222
pureftp=1
purge_spam_days=0
quota_partition=/
removeip=/usr/local/directadmin/scripts/removeip
reseller_helper=reseller.site-helper.com
secure_access_group=access
servername=ruby.nl
serverpath=/usr/local/directadmin
session_minutes=60
skinsdir=./data/skins
sshdconfig=/etc/ssh/sshd_config
ssl=1
ssl_redirect_host=ruby.nl
taskqueue=/usr/local/directadmin/data/task.queue
templates=/usr/local/directadmin/data/templates
ticketsdir=/usr/local/directadmin/data/tickets
timeout=60
tmpdir=../../../home/tmp
unblock_brute_ip_time=0
unified_ftp_password_file=1
use_xfs_quota=1
user_brutecount=100
user_can_set_email_limit=1
user_helper=www.site-helper.com
userdata=./data/users
webmail_link=roundcube
zip=1
 

zEitEr

Probably there is a bug then, and you might need to contact the DirectAdmin developers. Open a ticket with them and see what they say.

If the referrer port check is disabled, then I would expect DirectAdmin not to alert about "Referer port (443) does not match DA's (2222)".
 

rowan

Probably there is a bug then, and you might need to contact the DirectAdmin developers. Open a ticket with them and see what they say.

If the referrer port check is disabled, then I would expect DirectAdmin not to alert about "Referer port (443) does not match DA's (2222)".
My apologies for the lack of clarity: since I set these options to 0, the message didn't show up in the log. But the user does receive a failed login:
2020:02:12-11:17:52: '90.145.00.000' 1 failed login attempts. Account 'user'

Thank you very much for all the help so far.
 

zEitEr

So, first a user logs in fine, then after 60 seconds the user gets disconnected with the error
2020:02:12-11:17:52: '90.145.00.000' 1 failed login attempts. Account 'user'
Correct? And is the IP 90.145.00.000 the user's or the server's?

If the second, then try:

Code:
cd /usr/local/directadmin
./directadmin set x_forwarded_from_ip 90.145.00.000
 

rowan

So, first a user logs in fine, then after 60 seconds the user gets disconnected with the error
2020:02:12-11:17:52: '90.145.00.000' 1 failed login attempts. Account 'user'
Correct? And is the IP 90.145.00.000 the user's or the server's?

If the second, then try:

Code:
cd /usr/local/directadmin
./directadmin set x_forwarded_from_ip 90.145.00.000
It's the user's IP address; they are authorized to use the key alongside the server's localhost and IP address.
I've tried adding the originating (login from server) IP to x_forwarded_from_ip, and I ran a test with the server IP after that. Both result in the same "login failed" error after 60s.

Note that after each change I also ran service directadmin restart.

The SaaS is served from IP 145.131.00.00

The IPs authorized to use the key are:
127.0.0.1
145.131.0.000 (the DirectAdmin server)
90.145.00.000 (the User)

Could it be that the IP from which the key was initially created, 145.131.00.00, is missing from the authorized IPs? (Which would be odd, as the timeout is after 60 on the user's IP 90.145.00.000.)
 

zEitEr

The IP from which you created the key should not impact its usage. Probably you need to check all other possible DirectAdmin logs for other clues, and see which requests are sent from the user's IP. Could it be that somehow it calls CMD_LOGOUT?
 

rowan

It's interesting to see that the login key isn't used in the requests after a certain point (details from 2020-Feb-12.log)

Code:
12/02/2020:12:54:35     90.145.00.000 GET /CMD_JSON_LANG HTTP/1.1       user (login key: xxxxxxxx)
12/02/2020:12:55:05     90.145.00.000 GET /CMD_JSON_LANG HTTP/1.1       user
12/02/2020:12:55:05     90.145.00.000 GET / HTTP/1.1    user
12/02/2020:12:55:05     90.145.00.000 GET /assets/css/login.css HTTP/1.1        login assets
12/02/2020:12:55:05     90.145.00.000 GET /assets/login.js HTTP/1.1     login assets
12/02/2020:12:55:06     90.145.00.000 GET /images/background.jpg HTTP/1.1       login image
I think I am at a point where I need to create a ticket with DirectAdmin; once I have more details I will share them here.
Thank you very much for your help, zEitEr.
 
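As an added diagnostic (not from the thread and not DirectAdmin's own code), a small Python script that parses the login.log and access-log formats quoted in this thread and flags the two symptoms rowan describes: a failed login recorded within a short window after a successful login from the same IP and user, and the first request per IP/user that arrives without a login key after keyed requests. The sample lines are constructed from the thread, with the same masked IPs.

```python
import re
from datetime import datetime

# Constructed sample lines in the formats quoted in the thread (IPs masked as in the posts).
LOGIN_LOG = """\
2020:02:12-09:38:27: '90.145.00.000' successful login to 'user' after 1 attempts
2020:02:12-09:39:27: '90.145.00.000' 1 failed login attempts. Account 'user'
"""
ACCESS_LOG = """\
12/02/2020:12:54:35     90.145.00.000 GET /CMD_JSON_LANG HTTP/1.1       user (login key: xxxxxxxx)
12/02/2020:12:55:05     90.145.00.000 GET /CMD_JSON_LANG HTTP/1.1       user
12/02/2020:12:55:05     90.145.00.000 GET / HTTP/1.1    user
"""

# login.log: timestamp, quoted IP, outcome, quoted account name
LOGIN_RE = re.compile(r"^(\S+): '([^']+)' (successful (?:Basic Auth/API )?login to|"
                      r"\d+ failed login attempts\. Account) '([^']+)'")
# access log: timestamp, IP, method, path, protocol, user, optional "(login key: ...)"
ACCESS_RE = re.compile(r"^(\S+)\s+(\S+) (\S+) (\S+) HTTP/\S+\s+(\S+)(?: \(login key: (\S+)\))?")

def failed_after_success(text, window=90):
    """Return (ip, user, seconds) for each failed login that follows a successful
    login from the same ip/user within `window` seconds."""
    last_ok, hits = {}, []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        ip, kind, user = m.group(2), m.group(3), m.group(4)
        if kind.startswith("successful"):
            last_ok[(ip, user)] = ts
        elif (ip, user) in last_ok:
            gap = (ts - last_ok[(ip, user)]).total_seconds()
            if 0 <= gap <= window:
                hits.append((ip, user, gap))
    return hits

def key_dropped(text):
    """Return (ip, user, seconds since last keyed request, path) for the first request
    per ip/user that arrives without a login key after keyed requests were seen."""
    last_keyed, drops = {}, []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%m/%Y:%H:%M:%S")
        ip, path, user, key = m.group(2), m.group(4), m.group(5), m.group(6)
        if key:
            last_keyed[(ip, user)] = ts
        elif (ip, user) in last_keyed:
            drops.append((ip, user, (ts - last_keyed.pop((ip, user))).total_seconds(), path))
    return drops
```

Run it against the real /var/log/directadmin/login.log and the daily access log to see whether the failed-login entries line up with the moment requests stop carrying the key.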