Firefox is certainly not the only option for using webmin; whether you can find something else that is fundamentally better may not be clear...but maybe you can just find one for which the exploits are more obscure.
See this for the requirements for using webmin with ssl and see also restricting access (and lots of other stuff) here.

A good point. I still don't like the idea, but it may be inevitable, eventually.

Print the frozentux documentation. Put it in a big binder. Apply edge marks to sections, as required. And keep it safe, but take it with you.

Vim? I only occasionally use a CLI editor, but when I do my editor of choice is Joe, but then I have fond memories of WordStar. But, whatever, it is something that he has to be comfortable with.

You need to ask yourself the simple question "If I just dropped everything, what would stop working that I need to work and how little can I open up and have just what I need to work, work?"

And, I guess, can I run stuff on non-standard ports, just to make life a little more, err, interesting for team red.

If I can figure out how to get tarpit to work in ipTables, he'd be a very happy camper!

Does this help? I'm still not convinced about the application of tarpits, but there you go. You are hoping to be a PITA to team red (not hack them back, presumably) but are you building a dos/ddos risk on your side?

Hardening scripts, like bastille, no root logins (although you should be good for that, specifically), all the usual stuff.

You don't mention whether you expect the guys on the blue team to have to do stuff (eg, use the internet with a browser) which would open up the opportunities for the red team considerably. And how will you ensure that you have up-to-date software, without risks?

What firewall ports do I need to shut down to prevent someone from outside my network using XFCE?

XFCE needs X11 installed. On my Slackware machines nmap shows tcp 22, 37, 111, and 133 listening before I start XFCE. Once XFCE is started nmap run in a terminal shows tcp 6000 is also now listening due to X11.

1 members found this post helpful.

There's a Green Team, volunteers who will play the users on our network. They'll be given their usernames and passwords, a script of what they should be able to do on our network, and a list of the IP addresses of our servers (web is 123.456.789.50, mail is 123.456.789.100, rdp is 123.456.789.150). There are no clients within our network, but we have to allow authorized users in from outside our network.

Piece of cake, right?

As for software updates, we're given remote access to our boxes a week before the contest, and then we have from 10:00 am to 6:00 pm on Friday to finish setting up our servers (including last-minute updates). The red team starts their attack at 8:00 on Saturday, and has until 4:00 to break us.

OK,how about this as a fun little read? Or this?

PERFECT!!!

I'm going to mark this thread closed. Thanks for all the advice!

Sorry to state the bleedin' obvious, but you mark it as solved and not closed, and there is a difference...

Anyway, a couple more links for you (after all, you can always ignore them)

Tarpits maybe not what you want, but it is about tarpits, and yopu expressed an interest, albeit on behalf of someone else...

And this (more general, on hardening linux, in paticular commercial ones, but a lot of good stuff...but make sure that you read down the page, which I didn't, at first).

And something that seemed to just slip out of reach earlier...if the guys inside are going to do stuff, there are more requirements to meet, and be particularly careful about what they can do, and whether they have a good idea about security stuff and behaving sensibly...and be particularly bothered about DNS as poisoning DNS would give the bad guys an easy way to trick your side into trusting bad sites. There is a lot more to security than ports and firewalls.

Good luck!