LinuxQuestions.org


macnut 09-07-2004 02:39 PM

How Secure is Webmin?
 
I've been thinking about using a control-panel type utility for administering my Linux server, and have heard some good things about Webmin. However, how secure is it? Would I be opening another hole into my system by installing and running it? If not, what are the best ways to secure it?

By way of comparison, I'm presently logging on via SSH and using the command line to administer my box.

sether 09-07-2004 05:31 PM

http://seclists.org/lists/security-b.../Oct/0338.html

http://www.google.com/search?hl=en&l...ty&btnG=Search

the first link is sort of useful, but a google search (the second link) comes up with lots of info about webmin security vulnerabilities. you should read up on some of the results of the google search.

r0b0 09-08-2004 03:26 AM

Be sure to have the latest and secure version of the webmin software.
Use https access and make a proper, custom SSL certificate for webmin (don't ever use the default one shipped with the webmin distribution).
If possible, limit access to webmin by firewall.
And you should be safe.

linux_terror 09-08-2004 04:17 AM

Don't know if it helps any but in addition to the above methods I also switch the port webmin runs on. It defaults to port 10000, switch it to whatever you like.

linux_terror
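
The hardening advice in the posts above (HTTPS with your own certificate, restricted access, a non-default port), as an added example that is not part of the original thread: a small Python check over the contents of /etc/webmin/miniserv.conf. The `allow` line is Webmin's own IP access list, checked here alongside the firewall rule r0b0 mentions; the default certificate path and both sample configurations are assumptions constructed for illustration.

```python
# Added example: checks a Webmin miniserv.conf against the advice in this thread.
DEFAULT_PORT = "10000"
# Assumption: path where a standard install places the shipped certificate.
DEFAULT_KEYFILE = "/etc/webmin/miniserv.pem"

def parse_conf(text):
    """Return key=value pairs, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a sorted list of finding codes for one miniserv.conf."""
    conf = parse_conf(text)
    findings = set()
    ssl_on = conf.get("ssl") == "1"
    tunneled = conf.get("inetd_ssl") == "1"  # SSL handled by a tunnel in front
    if not (ssl_on or tunneled):
        findings.add("plain-http")
    # Heuristic: the path alone cannot prove the certificate was replaced.
    if ssl_on and conf.get("keyfile", DEFAULT_KEYFILE) == DEFAULT_KEYFILE:
        findings.add("check-default-cert")
    if conf.get("port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.add("default-port")
    if not conf.get("allow", "").split():
        findings.add("no-ip-allowlist")
    return sorted(findings)

# Constructed sample configurations (not taken from a real host).
WEAK = """
port=10000
ssl=0
"""
HARDENED = """
# custom port, HTTPS with own certificate, admin LAN only
port=18443
ssl=1
keyfile=/etc/webmin/custom-webmin.pem
allow=127.0.0.1 192.168.1.0/24
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

A `check-default-cert` finding only means the key file path is the install-time one; confirm by hand that the certificate stored there is your own.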

win32sux 09-12-2004 01:54 AM

it would be a good idea to not have webmin running all the time... just start it via ssh when you need it...

and if you don't actually need it, it's best to not use it at all...

r0b0 09-13-2004 08:29 AM

Quote:

not have webmin running all the time... just start it via ssh when you need it...
Hehe... The way I use webmin is exactly the opposite of your approach - the only thing I use webmin for is to start sshd that is not running for some reason :) .

treotan 09-13-2004 09:30 AM

I followed the instruction:
Install STunnel
The program is installed as standard with many Linux distributions, or can be downloaded from www.stunnel.org and compiled for your system.

Create a new tunnel
Use Webmin's SSL Tunnels module to create a new tunnel on port 10001 called ssl-webmin that uses the Connect to remote host mode to connect to localhost port 10000 (assuming you are running Webmin on port 10000).
The SSL certificate and key file option should be set to Use Webmin's cert, and all of the other options left as their defaults.

Activate the tunnel
Hit the Apply Changes button in the SSL Tunnels module to activate your new tunnel.

Configure Webmin so that it knows about the SSL tunnel
Added the line inetd_ssl=1 to /etc/webmin/miniserv.conf and run /etc/webmin/stop ; /etc/webmin/start.

Login to Webmin in SSL mode
You should now be able to connect to https://yourhostname:10001/ and login as normal. The old URL on port 10000 will no longer work properly.

My config is as follows:

Service name   TCP port   Active?   Tunnel destination
ssl-webmin     10001      Yes       Connect to host localhost.localdomain:10000

and I am connecting with the router, opened the port 10001 for the stunnel, but it is not a success!!

What did I do wrong?

Thanks


All times are GMT -5.