How Secure is Webmin?
I've been thinking about using a control-panel type utility for administering my Linux server, and have heard some good things about Webmin. However, how secure is it? Would I be opening another hole into my system by installing and running it? If not, what are the best ways to secure it?
By way of comparison, I'm presently logging on via SSH and using the command line to administer my box. |
http://seclists.org/lists/security-b.../Oct/0338.html
http://www.google.com/search?hl=en&l...ty&btnG=Search
The first link is sort of useful, but a Google search (the second link) comes up with lots of info about Webmin security vulnerabilities. You should read up on some of the results of the Google search. |
Be sure to have the latest and secure version of the Webmin software.
Use HTTPS access and make a proper, custom SSL certificate for Webmin (don't ever use the default one shipped with the Webmin distribution). If possible, limit access to Webmin by firewall. And you should be safe. |
Don't know if it helps any, but in addition to the above methods I also switch the port Webmin runs on. It defaults to port 10000; switch it to whatever you like.
linux_terror |
It would be a good idea to not have Webmin running all the time... just start it via SSH when you need it...
And if you don't actually need it, it's best to not use it at all... |
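The checks suggested in the replies above (HTTPS on, a non-default certificate, restricted access, a non-default port) can be run against a copy of /etc/webmin/miniserv.conf. This is an added example, not code from any poster or from Webmin itself; it assumes the miniserv.conf keys ssl, keyfile, allow, bind and port, assumes /etc/webmin/miniserv.pem is where the shipped certificate lives, and the finding names are made up for illustration.

```python
DEFAULT_PORT = "10000"                         # default port named in the thread
SHIPPED_KEYFILE = "/etc/webmin/miniserv.pem"   # assumed path of the shipped certificate

def parse_conf(text):
    """Parse miniserv.conf-style key=value lines, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return finding codes for settings that go against the thread's advice."""
    findings = []
    # HTTPS: native SSL (ssl=1) or an SSL tunnel in front (inetd_ssl=1).
    if conf.get("ssl") != "1" and conf.get("inetd_ssl") != "1":
        findings.append("no-https")
    # Certificate: the shipped path may still hold the shipped certificate.
    if conf.get("keyfile") == SHIPPED_KEYFILE:
        findings.append("review-keyfile")
    # Access limits: allow= list or loopback-only bind; firewall rules are not visible here.
    loopback = conf.get("bind") in ("127.0.0.1", "::1")
    if not conf.get("allow") and not loopback:
        findings.append("no-ip-restriction")
    if conf.get("port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("default-port")
    return findings

# Constructed sample configs, not taken from a real host.
WEAK = """port=10000
ssl=0
keyfile=/etc/webmin/miniserv.pem
"""
HARDENED = """# custom cert, moved port, admin hosts only
port=12321
ssl=1
keyfile=/etc/webmin/custom.pem
allow=192.0.2.10 127.0.0.1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_conf(text)) or "no findings")
```

A "review-keyfile" finding only means the certificate file at that path should be inspected; the config alone cannot show whether its contents were replaced.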
Quote:
|
I followed the instruction:
Install STunnel
The program is installed as standard with many Linux distributions, or can be downloaded from www.stunnel.org and compiled for your system.

Create a new tunnel
Use Webmin's SSL Tunnels module to create a new tunnel on port 10001 called ssl-webmin that uses the Connect to remote host mode to connect to localhost port 10000 (assuming you are running Webmin on port 10000). The SSL certificate and key file option should be set to Use Webmin's cert, and all of the other options left as their defaults.

Activate the tunnel
Hit the Apply Changes button in the SSL Tunnels module to activate your new tunnel.

Configure Webmin so that it knows about the SSL tunnel
Added the line inetd_ssl=1 to /etc/webmin/miniserv.conf and run /etc/webmin/stop ; /etc/webmin/start.

Login to Webmin in SSL mode
You should now be able to connect to https://yourhostname:10001/ and login as normal. The old URL on port 10000 will no longer work properly.

My config is as follows:
Service name: ssl-webmin
TCP port: 10001
Active?: Yes
Tunnel destination: Connect to host localhost.localdomain:10000

And I am connecting with the router, and opened port 10001 for the stunnel, but it is not a success!! What did I do wrong? Thanks |