Koozali.org: home of the SME Server

Enable change password from the outside using user-password web interface

Offline Mar

  • ***
  • 73
  • +0/-0
Hello,
I would to ask if there is a way to change my password VIA web outside the LAN.
such as in case of travel or ...
Note: I am using SME 9.2
Thanks.
« Last Edit: March 15, 2019, 05:55:04 AM by Jean-Philippe Pialasse »

Offline Jean-Philippe Pialasse

  • *
  • 2,747
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Enble change password form out site VIA
« Reply #1 on: March 14, 2019, 12:12:33 PM »
Best way would be to use one vpn solution such as openvpn.

Alternative will be to open access to manager to the range of ip you might be.you can do so from the server manager itself.

Also a way would be using ssh. Connect as your user, and use the passwd command.


Offline Mar

  • ***
  • 73
  • +0/-0
Re: Enble change password form out site VIA
« Reply #2 on: March 14, 2019, 01:48:30 PM »
Thanks for your reply.
Yes I am using those ways you mentioned.
But I would like to enable my staff to do that and some of them are moving from location to another.
Can we do that like any other mail provider?

Offline Jean-Philippe Pialasse

  • *
  • 2,747
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Enble change password form out site VIA
« Reply #3 on: March 15, 2019, 05:51:57 AM »
well I might have a solution for you. But first 2 questions...

1- do you only need user-password or also server-manager and user-manager (and if only password, would it be an issue for you to open all the others as it would be by default when you add ip blocks to validfrom )?
2- are all your users concentrated in one or two countries ?

instead of opening access to IP block, you might be able to open access to countries, based on geoip2 maxmind database.

this could be a nice in between between giving access to your whole sensitives interfaces to the whole world and limiting it to your own country ( with the limit of the accuracy of the database of course)

Offline Mar

  • ***
  • 73
  • +0/-0
Thank for your reply.
I need user-password and vacation message.
If I can open access to countries so I can open for all IPs.
But how to do that?

Regards
Mohammad

Offline Jean-Philippe Pialasse

  • *
  • 2,747
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
If you donnot care to give free access to bruteforce all your accounts using user-manager, user-password and server manager to the whole world you can already do that :

Add 0.0.0.0/0.0.0.0 in server manager external access page.

This will however let all hachers in china, russia.... play with your server.  Do it at your own risks.

What i would suggest is more open this selectively to some ip or some countries.

First is already doable

Second i am working on it currently using new geoip maxmind db and apache module.

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: Enble change password form out site VIA
« Reply #6 on: March 16, 2019, 12:10:49 AM »
Can we do that like any other mail provider?

You are making the naive assumption that SME is 'just a mail provider'.

It isn't. You are not talking about just changing an email password, but user authentication to files/services etc.

That's why it is well protected because opening up access is very dangerous.

Think long and hard about this.

And Russian, Chinese etc use VPNs/Tor to disguise their locations, so GeoIP is not a perfect solution

Be careful....
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Mar

  • ***
  • 73
  • +0/-0
Thanks for your reply
Of course I am planing to such thing to open it for DDoS from Russian, Chinese etc .
My idea if in some case I need to open it for short time may one hour then close it.
In case of events of some thing, this not happen very oven in my case I some time I need it.
However, I am not doing that since I am using SME.
Thanks.

Offline Mar

  • ***
  • 73
  • +0/-0
However.
For me even it is good to know how to and what are the disadvantages or the harmful effects of such thinks
Thank you.

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Adding 0.0.0.0 as a Local Network in server-manager will allow anyone anywhere to access /user-manager -- but I'm pretty sure it also allows anyone anywhere to access:
* ibays using samba (allowing attacks on samba)
* printers using cups (allowing annoying waste of print resources if nothing else)
* squid (allowing people to browse the internet from your IP - with bandwidth and potential legal implications)

You can restrict remote users to /server-manager and /user-manager by adding Network "0.0.0.0" with Subnet mask "0.0.0.0" under "Remote Management" in Security->Remote access.

On my server, adding this entry threw an error in server-manager.  I ran these commands from a command prompt to make sure the config was activated:
Code: [Select]
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/admin-conf/httpd.conf
sv t httpd-e-smith
sv t httpd-admin

If you're going to expose server-manager to the world you should install Fail2ban.  Unless you plan to administer the server remotely using server-manager you may want to create some custom fail2ban rules that block any remote host that attempts to access /server-manager.

You may also want to look into a good IP blocklist such as Emerging Threats (but there isn't a SME howto for this at the moment).

[edit]grammar
« Last Edit: March 16, 2019, 02:54:31 PM by mmccarn »

Offline Mar

  • ***
  • 73
  • +0/-0
Thank you very much I got the point.

Offline ReetP

  • *
  • 3,722
  • +5/-0
Probably just easier to add openvpn/l2tpd/ipsec for remote access.

Much more secure.

With l2tpd/ipsec (which isn't perfect but better than pptp) you can use user logins and control which users have remote access mainly from server-manager.

Openvpn is trickier with certificates, but more secure.

Ipsec can use passwords, rsa keys or certs but is trickier for client to server setups.

All are far better than just opening access
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation