Hi @till + others,

Thanks for the latest update. Prior to updating (about 2 days before), I am no longer able to log in to ISPConfig with the usual URL

Code:
https://server1.example.com:8080

After the username and password entry, I am getting redirected to the same page again. However, I am able to log in with ..

Code:
https://xx.xx.xxx.xxx:8080

I never installed anything fancy or tweaked the config. Some major changes I did were:
1) ahrais way of installing letsencrypt.
2) configured evasive
3) installed webftp pydio based on this tutorial. (That's not working as expected but that's a different issue. Will come to that later.)
4) I have added clients, resellers, websites to my account.

That's all. I just updated to the latest ISPConfig release and the problem persists. I am feeling so scared because I already migrated all my clients' websites to the new ISPConfig panel and still could not even figure out where to start. Please help me troubleshoot.

Cheers.
First thing to do is clear your web browser cache, then try to log in again. If that fails, try to use the following to log in: https://yourserver_ipaddress:8080/

Edit... oops, sorry, didn't see you can log in with the IP address. Forget the IP address part... but you should still clear your web browser cache and cookies!

Also, login loopbacks can also be caused by:
1. a corrupt .htaccess file
2. Cloudflare DNS caching problems... disable Cloudflare
3. Perhaps your SSL certificate is having issues since upgrading ISPConfig. Reissue a new SSL certificate for the domain name and see what happens
4. Finally (and this should be number 1, not 4), what do the error logs say?
Hi @adamjedgar,

Please note the time difference between the evasive (past) and ISPConfig (now) logs.

ispconfig/auth.log
Code:
Successful login for user 'admin' from XX.XXX.XXX.XX at 2017-11-11 00:27:32

apache2/error.log
Code:
[Fri Nov 10 22:23:22.951126 2017] [evasive20:error] [pid 24247] [client XX.XXX.XXX.XX:24971] client denied by server configuration: /var/www/ispconfig/sites/ajax_get_json.php, referer: https://XX.XX.XXX.XXX:8080/

I do not know if evasive is the culprit.
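The time comparison described in the post above can be automated. The following is an added example, not part of the original thread: it matches mod_evasive denials against successful panel logins from the same client. The sample lines are constructed in the two formats quoted above using documentation addresses; the 60-second window and the assumption that both logs use the same timezone are illustrative choices.

```python
import re
from datetime import datetime, timedelta

# Line shapes follow the two excerpts quoted in the post above.
EVASIVE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[evasive20:error\] \[pid \d+\] \[client (?P<ip>[^\]]+):\d+\] "
    r"client denied by server configuration: (?P<path>[^,\s]+)")
LOGIN_RE = re.compile(
    r"^Successful login for user '(?P<user>[^']+)' from (?P<ip>\S+) "
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")

# Constructed sample data (documentation addresses), not taken from a real server.
APACHE_LOG = """\
[Fri Nov 10 22:23:22.951126 2017] [evasive20:error] [pid 24247] [client 203.0.113.7:24971] client denied by server configuration: /var/www/ispconfig/sites/ajax_get_json.php, referer: https://192.0.2.10:8080/
[Sat Nov 11 09:15:04.120001 2017] [evasive20:error] [pid 24300] [client 198.51.100.9:40112] client denied by server configuration: /var/www/ispconfig/sites/ajax_get_json.php, referer: https://192.0.2.10:8080/
"""
AUTH_LOG = """\
Successful login for user 'admin' from 203.0.113.7 at 2017-11-11 00:27:32
Successful login for user 'client1' from 198.51.100.9 at 2017-11-11 09:15:02
"""

def parse_denials(text):
    """Return (time, client_ip, path) for every mod_evasive denial."""
    rows = []
    for line in text.splitlines():
        m = EVASIVE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"] + " " + m["year"], "%a %b %d %H:%M:%S %Y")
            rows.append((ts, m["ip"], m["path"]))
    return rows

def parse_logins(text):
    """Return (time, user, client_ip) for every successful panel login."""
    rows = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]))
    return rows

def correlate(logins, denials, window=timedelta(seconds=60)):
    """Map each login to same-client denials within +/- window (assumed value)."""
    return {(user, ip, ts): [d for d in denials if d[1] == ip and abs(d[0] - ts) <= window]
            for ts, user, ip in logins}

if __name__ == "__main__":
    for (user, ip, ts), hits in correlate(parse_logins(AUTH_LOG), parse_denials(APACHE_LOG)).items():
        print(user, ip, ts, "blocked requests near login:", [h[2] for h in hits])
```

The first constructed pair mirrors the two-hour gap in the post and yields no match; the second shows what a denial landing right after a login looks like.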
I don't know much about the evasive Apache mod... other than I think it's related to helping prevent brute force attacks? The evasive mod config file is usually found in /etc/apache2/conf.d/mod-evasive

If you have cleared your browser caches, and are certain your SSL cert is OK, and it's not a DNS issue, and your URL is OK in the config file, then this evasive mod configuration pathway is better left to till or someone with a lot better understanding of that mod than me.

I have seen Ubuntu users problem-solve this kind of login redirect loop problem by creating a new user account and seeing if it will log in using the URL... the thought being it's possibly user profile related. Do you have a different account you can try with the domain name URL?
>> I WAS COMBINING INDIVIDUAL LOGS LIKE THIS AND HENCE MISSED A DETAILED VIEW OF EACH LOG

Code:
sudo multitail -c daemon.log debug syslog apache2/error.log auth.log fail2ban.log mail.info php7.0-fpm.log syslog mail.log pure-ftpd/transfer.log ispconfig/auth.log --mergeall ispconfig/http/*/error.log

THEN I STARTED LOOKING AT EACH LOG INDIVIDUALLY. THERE WERE MANY ERRORS THROWN AT VARIOUS TIMES BUT NOTHING CONCRETE PERTAINING TO THE CURRENT TIME.
Have you tried creating another user profile/account (accessing ISPConfig via the IP address) and logging in to https://server.domain.com:8080 using that new account?

If the above fails to make any difference, try:
1. Have you tried using a different browser?
2. Disable fail2ban temporarily and try to log in. If this doesn't work, then
3. Remove the SSL certificate and try to log in via http://server1.yourdomain.com:8080
4. A drastic measure would be to move to a new server with a brand new install (which I have read of people doing)
Finally I got the ISPConfig panel working again. This is what I did.

1) Logged into the ISPConfig panel through the IP address
2) Sites->Domain->server1.example.com
2a) unchecked SSI
2b) unchecked SuEXEC
2c) changed autosubdomain from "www" to "none"
2d) changed PHP from "FastCGI" to "Mod-PHP"
3) Sites->Domain->Redirect
3a) unchecked Rewrite HTTP to HTTPS
4) Sites->Domain->Options
4a) Apache Directives: removed the Apache directive added for webftp. This is unnecessary because there is already a provision to mention the link under configuration.

Restarted Apache and the problem got solved.
Hi @adamjedgar,

Many thanks for your support. I just noticed your reply. Prior to solving the problem I tried another account and the result was the same, so I guessed it's something to do with the redirect. Also, the login is successful as per ispconfig/auth.log. Then the fail2ban log does not have my IP in the banned list; besides, I am able to log in with the IP. I have not enabled SSL through the UI but through a script, so I don't have anything showing up in the UI.

Thanks once again.
If I understand correctly, changing over to DSO (mod_php) is fast, however there are some disadvantages to running this option...
1. Insecure... all PHP files are run under the "nobody" Apache user
2. Permissions will need to be set for every PHP file manually (because running as the "nobody" Apache user)
3. Any CMS websites (such as Wordpress) must be monitored carefully and tightly secured within the CMS itself (keep plugins and CMS updated, and run security plugins like wordfence etc.)

An advantage of DSO is that it responds to the use of an .htaccess file (whereas my understanding is that suPHP requires changes to php.ini instead)

------------------------------------------------------------------------------------

My understanding is that FastCGI is supposed to already combine the best of both suPHP and DSO (mod_php)... surely it would be better to use this option? I think this would require suEXEC to be enabled, however?

I am wondering if you should change everything you did back to what it was before, then just change one thing at a time until your problem is resolved, rather than a whole list of things like you have done. My reason for saying this is that surely your problem has not been caused by all of the things in the list of changes you made?

Anyway, glad you have a working login again.
@adamjedgar,

Ans: When I made the changes, I was thinking I did virtual host site-wide changes and not server-wide changes. So as long as the server runs securely, it's fine. We are not going to install any additional software except for what is recommended in the original setup instructions and Pydio (WebFTP).

Also, from the below log entry ....... it seems ... that I still have a lot of work to do !?!@#

ispconfig/httpd/server1.example.com/error.log
Code:
[Wed Nov 01 01:10:09.831085 2017] [cgi:error] [pid 834] [client xx.xxx.xxx.xxx:20252] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/admin
[Wed Nov 01 01:10:09.831235 2017] [cgi:error] [pid 834] [client xx.xxx.xxx.xxx:20252] End of script output before headers: admin
[Wed Nov 01 01:10:18.973251 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] AH02812: attempt to invoke directory as script: /usr/lib/cgi-bin/mailman/
[Wed Nov 01 01:10:23.604126 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/admin
[Wed Nov 01 01:10:23.604250 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] End of script output before headers: admin
[Wed Nov 01 01:11:43.986040 2017] [cgi:error] [pid 9785] [client xx.xxx.xxx.xxx:20285] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/listinfo
[Wed Nov 01 01:11:43.986215 2017] [cgi:error] [pid 9785] [client xx.xxx.xxx.xxx:20285] End of script output before headers: listinfo
Didn't you disable suEXEC? Perhaps that's the reason why it's throwing this latest series of errors? I wish I knew more about these kinds of things. I will be interested in reading the resolutions to your problems, as I for one will learn something from it.
Hi @adamjedgar,

Nope. The errors were triggered on the 1st of Nov. I think it's triggered whenever I open Mailman. That's why, even after the problem is resolved, I post it here, so it will be useful for others.
I have stumbled across the following as one possible solution from the Stack website... This did not fix the problem for the O.P. on the Stack website, but is worth checking just the same.

"change the permissions to 755 for all your files and enjoy ! The problem is the un-appropriate permissions"

Another possible solution is ownership... perhaps there is an ongoing ownership issue that needs to be fixed? Another post in a forum mentions the following (obviously the following will need a bit of rehashing to suit your actual needs ... i.e. the mailman directory perhaps?)

chown -R testsite:testsite </path/to/directory-or-binary>

As an afterthought... I notice the following in your error message... in particular the "cgi-bin" directory. I wonder if that has anything to do with it? (I don't know anything about this, just asking the question. I can't imagine the directory really matters unless there is a config file issue pointing somewhere else by default?)

attempt to invoke directory as script: /usr/lib/cgi-bin/mailman/
Hi adamjedgar,

Sorry for the belated reply. Actually, I am in no mood to explore many things. To be honest, I don't need Mailman, so if it nags me I had better delete it.
Hi,

I am getting a misconfiguration error 500 when I try to open my ISPConfig control panel

Code:
https://server1.example.com:8080

Please show me some way to start troubleshooting. I ran out of disk space yesterday and did some cleanups.
Have a look in the error.log files. Have you restarted your server after cleanup? Did you only clean up some "user" files or also programs/etc? Do normal websites work? If yes, could it be that you have removed your system php version?
Hi,

There is nothing in the error log. I did not touch the /usr dir. I cleaned up the extra kernel and some packages. Other sites are working, but not the ones that have mysite.com, subdom.mysite.com, server.mysite.com, where mysite.com is my primary domain.