
I want to install webmin to make server administration tasks on my Ubuntu 10.4 server easier. However I'm very nervous about having that kind of power accessible over the web.

So I want to know how to secure webmin so that it can't be used to compromise my server.

So far here are my ideas, but I still don't feel comfortable:

  1. Make webmin accessible from only the localhost (how?)
  2. Use SSH tunneling to access the webmin server whenever I need to administrate it

Can anyone help me with instructions on making webmin accessible only from the localhost?

What other ways can I make webmin secure?

Josiah
  • This question appears to be off-topic because it is about [`working with a service provider's management interface, such as cPanel`](http://serverfault.com/help/on-topic). – HopelessN00b Jan 14 '15 at 01:39
  • @HopelessN00b Your impression is wrong - Webmin is a freely available and open-source admin interface anyone can install on their own web server as long as they can run perl based services, hence it is NOT off-topic. Haven't you even checked this before declaring this off-topic? – ThomasAtFault Jun 13 '16 at 16:13
  • 2
    A new way to secure Webmin access is to use two-factor auth, or install a client-side SSL cert. Both techniques are documented here: http://doxfer.webmin.com/Webmin/Enhanced_Authentication – ThomasAtFault Jun 13 '16 at 16:20

3 Answers

Securing it really depends on how it's being served. But by default it comes with its own web server. /etc/webmin/miniserv.conf has allow and deny directives. So you can use this to only allow access from the localhost.

Then, as you say, just SSH in using port tunneling to access it. At that point, in theory, it would be as secure as your SSH setup is. If someone gains SSH access to your server then you already have issues.

3dinfluence
  • You mentioned that "Securing it really depends on how it's being served", is there a more secure way of serving it rather than the inbuilt web server? I was thinking of using the inbuilt server so that it was not reliant on the configurations that it will be administrating. – Josiah May 07 '10 at 03:37
  • I think you're on the right track in securing it now. The only advantage that Apache would have over the built-in server would probably be more options for authentication and perhaps some RAM savings if the server needs to have Apache running anyway. But there's a trade-off for that, as it also means that if you mess up your Apache config you would find yourself unable to access webmin as well. – 3dinfluence May 07 '10 at 13:10
  • 1
    To further harden SSH you can use permitopen directives to restrict what ip addresses can forward ports and what ips/ports they can forward to. I believe you can even restrict this per user. – 3dinfluence May 07 '10 at 13:18
  • And [here](http://realprogrammers.com/how_to/set_up_an_ssh_tunnel_with_putty.html) I found a helpful link on how to setup ssh tunnel with putty. just ignore the part about MySQL (but no change is required) and point yer browser to localhost:10000 – Mojtaba Rezaeian Jun 05 '17 at 23:11
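The two halves of this answer (the allow directive in miniserv.conf, and an SSH key that may only open the tunnel) as an added shell example; this is not code from the answer or from the Webmin project. It edits a copy of the config rather than /etc/webmin/miniserv.conf directly, the `bind=` key is assumed from Webmin's miniserv configuration, and the public key in the demo is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the answer or from the Webmin project.
# Restrict Webmin's built-in miniserv to loopback by editing a copy of
# /etc/webmin/miniserv.conf (the real path on the server is assumed), then
# build an authorized_keys entry that lets one SSH key open only a tunnel to
# that port. Try the edit on a copy first; restart webmin afterwards.
set -eu

# set_miniserv_option CONF KEY VALUE: replace an existing "KEY=..." line,
# or append one if the key is absent (temp file instead of non-portable sed -i).
set_miniserv_option() {
  conf=$1; key=$2; value=$3
  grep -v "^${key}=" "$conf" > "$conf.tmp" || true   # grep -v exits 1 when nothing remains
  printf '%s=%s\n' "$key" "$value" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# restrict_webmin_to_localhost CONF: allow= lists the only hosts miniserv will
# answer; bind= (assumed key) makes it listen on loopback only, so the port is
# not reachable from outside even before the allow check runs.
restrict_webmin_to_localhost() {
  set_miniserv_option "$1" allow "127.0.0.1 ::1"
  set_miniserv_option "$1" bind  127.0.0.1
}

# webmin_localhost_only CONF: succeed only if every host in allow= is loopback.
webmin_localhost_only() {
  allowed=$(sed -n 's/^allow=//p' "$1")
  [ -n "$allowed" ] || return 1       # no allow= at all means everyone is allowed
  for h in $allowed; do
    case $h in
      127.0.0.1|::1) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# authorized_keys_tunnel_entry PORT PUBKEY: an authorized_keys line whose key
# may forward only to the Webmin port on loopback and gets no pty or agent.
authorized_keys_tunnel_entry() {
  printf 'permitopen="127.0.0.1:%s",no-pty,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Demo on a constructed copy of the config; the key below is a placeholder.
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  printf 'port=10000\nssl=1\n' > "$work/miniserv.conf"      # constructed sample
  restrict_webmin_to_localhost "$work/miniserv.conf"
  cat "$work/miniserv.conf"
  authorized_keys_tunnel_entry 10000 'ssh-ed25519 AAAA...PLACEHOLDER admin@laptop'
  # From the workstation, then browse to https://localhost:10000/ :
  echo 'ssh -N -L 10000:127.0.0.1:10000 admin@server'
fi
```

Run it as `sh script.sh demo` to see the rewritten config and the tunnel command. The `webmin_localhost_only` check is the thing to keep around: it fails both when `allow=` is missing (miniserv then answers anyone who can reach the port) and when a non-loopback address has crept into the list.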

How I secured mine:

  • Create a Webmin only user with a unique password. Delete all other webmin users
  • Change the default port
  • Limit access via IP addresses at both the firewall and the webmin panel
David Rickman
  • Won't points #2 and #3 be rectified by only allowing localhost access? Is there an additional security benefit to changing the default port (besides obfuscation)? When you say limiting access in the firewall, won't that restrict general access to the server also (visitors to my website)? – Josiah May 07 '10 at 03:35
  • 1
    #3: Firewalls can do port to IP only rules. Say Webmin is running on port 9665, you can make it so only IP 1.2.3.4 can access your server via port 9665. If 2.2.3.4 tried, they would be denied. – David Rickman May 07 '10 at 04:38
  • 1
    #2: It's obfuscation, sure. But the bots that would scan it or any "hacker" that scans for it won't find it immediately, they will need a much more broad scan to locate it. Which requires more resources for the bots and more time for the "hacker" – David Rickman May 07 '10 at 04:40
  • The question is: will I have any better protection using a Firewall port to ip rule than I would if I only allowed access locally and used an SSH tunnel? – Josiah May 07 '10 at 05:13
  • webmin uses SSL by default, so it's encrypted either way. If you add all the possible IP addresses that you can think of to connect from, you might be able to connect more openly should something happen. Whereas with SSH tunneling you'll be limited to running the SSH tunnel then the browser, when you may only be able to run the browser. This is just what I did to secure webmin on my server. If it works for you, good. If not, pick what you want from different sources. That's what I did. – David Rickman May 07 '10 at 08:24
  • SSH will allow for key-based authentication only, which will always be more secure than using usernames and passwords. However, if you restrict the IP addresses that are allowed to access webmin then this may not make much difference. – 3dinfluence May 07 '10 at 13:16
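The "port to IP" firewall rule from this answer's comments, as an added shell example that is not code from the answer: it writes the rule as an iptables-restore ruleset and then checks, with a small first-match simulation, that only 1.2.3.4 reaches port 9665 while a web visitor on port 80 is unaffected (Josiah's concern above). The port and addresses are the answer's own sample values; on a real host the Webmin port is whatever `port=` says in /etc/webmin/miniserv.conf, and loading the rules needs root.

```shell
#!/bin/sh
# Added example, not from the answer: generate the "port to IP" firewall rule
# described in the comments as an iptables-restore ruleset, and check what it
# does to traffic with a small first-match simulation. The port and addresses
# are the answer's own sample values.
set -eu

# webmin_firewall_rules PORT ADMIN_IP...: ACCEPT rules for each admin address
# come first, then one DROP for everyone else on that port. Other ports are
# untouched, so web visitors on 80/443 are not affected.
webmin_firewall_rules() {
  port=$1; shift
  echo '*filter'
  for ip in "$@"; do
    printf '%s -p tcp --dport %s -s %s -j ACCEPT\n' '-A INPUT' "$port" "$ip"
  done
  printf '%s -p tcp --dport %s -j DROP\n' '-A INPUT' "$port"
  echo 'COMMIT'
}

# simulate PORT SRC_IP RULES_FILE: first matching rule wins, as in iptables;
# a packet matching nothing falls through to the chain policy (ACCEPT assumed).
simulate() {
  port=$1; src=$2
  while IFS= read -r line; do
    case $line in
      "-A INPUT -p tcp --dport $port -s $src -j ACCEPT") echo ACCEPT; return 0 ;;
      "-A INPUT -p tcp --dport $port -j DROP")           echo DROP;   return 0 ;;
    esac
  done < "$3"
  echo ACCEPT
}

# apply_webmin_rules RULES_FILE: load without flushing existing rules (root only).
apply_webmin_rules() {
  iptables-restore --noflush < "$1"
}

if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  webmin_firewall_rules 9665 1.2.3.4 > "$work/webmin.rules"
  cat "$work/webmin.rules"
  for probe in '9665 1.2.3.4' '9665 2.2.3.4' '80 2.2.3.4'; do
    set -- $probe
    echo "port $1 from $2: $(simulate "$1" "$2" "$work/webmin.rules")"
  done
fi
```

Run it as `sh rules.sh demo`. The ordering is the whole point: the per-address ACCEPT lines must precede the catch-all DROP for the port, and because every rule carries `--dport`, nothing here touches the server's public ports, which answers the question about website visitors. The simulation only understands the two rule shapes this script emits; it is a teaching aid, not an iptables emulator.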

Probably the easiest way to achieve this is to use mod_access to control access to the directory tree that Webmin lives in. Here is a quickstart page on the subject. Here is a second option.

Brighid McDonnell