Wednesday, March 10, 2010

Securing Webmin

If you are a fledgling sysadmin, feeling lazy, or just plain want a GUI and find yourself installing Webmin on your server, please take a few minutes to secure it. I have a few simple examples of how this can be done. A lot of this also applies to other systems, so it's good information to know even if you plan on never running Webmin.

This was done using a Webmin install on Gentoo, but it should work the same on Ubuntu or any other distro.

Universal Step 1, Change the default port:
Webmin listens on port 10000 by default, and that port is well known: it is one that scripts and attackers actively look for. So to start, just change the port in miniserv.conf and restart Webmin. I'll use 54444; use a different one in your own setup.

#vim /etc/webmin/miniserv.conf

#/etc/init.d/webmin restart

It would also be a good idea at this point, if you haven't already, to add port 10000 to your portsentry rules.

Option, Limit Access with Iptables:
Only allow certain IP addresses or networks to reach the Webmin port and drop all other attempts. I recommend establishing a chain similar to the example below. Replace the placeholder with the address or CIDR network you trust (the iptables accept target is spelled ACCEPT).

#iptables -N WEBMIN
#iptables -I INPUT 1 -p tcp --dport 54444 -j WEBMIN
#iptables -I INPUT 2 -p udp --dport 54444 -j WEBMIN
#iptables -A WEBMIN -s <trusted-ip-or-cidr> -j ACCEPT
#iptables -A WEBMIN -j DROP

Note that the two -I INPUT lines insert a new jump rule every time they are run, so run them once, or check with iptables -L INPUT -n before re-running.

Option, limit it to localhost and access Webmin via port forwarding:

Edit the miniserv.conf file so Webmin only binds to localhost, then restart Webmin as above.
#vim /etc/webmin/miniserv.conf

Then from any other machine establish an SSH tunnel which forwards the Webmin port (user@yourserver is a placeholder for your own login and host):
#ssh -L 54444:localhost:54444 user@yourserver

And point your browser at https://localhost:54444

Option, Hide it inside a VPN:
If you establish a simple VPN, you can use either iptables or the miniserv allow option as above to limit Webmin access to the private VPN subnet only.
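To check whether a box has actually been hardened along the lines above, here is a small POSIX shell audit of miniserv.conf. It is an added example, not from the original post, and it assumes the stock key=value layout of miniserv.conf with the keys port= (TCP port), listen= (UDP discovery port), bind=, allow= and ssl=.

```shell
#!/bin/sh
# Audit a Webmin miniserv.conf for the exposure points discussed above.
# Added example, not from the original post. Assumes the stock key=value
# layout of miniserv.conf with the keys port=, listen=, bind=, allow= and ssl=.

# conf_get FILE KEY : print the value of KEY (first match), empty if absent
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_miniserv FILE : print one WARN line per finding; return 1 if any
check_miniserv() {
    _f=$1; _rc=0
    _port=$(conf_get "$_f" port)
    _listen=$(conf_get "$_f" listen)
    _bind=$(conf_get "$_f" bind)
    _allow=$(conf_get "$_f" allow)
    _ssl=$(conf_get "$_f" ssl)

    # Default TCP port: the one scanners look for.
    if [ "${_port:-10000}" = "10000" ]; then
        echo "WARN: TCP port is the well-known default 10000 (set port=)"; _rc=1
    fi
    # UDP discovery listener still on the default port.
    if [ "$_listen" = "10000" ]; then
        echo "WARN: UDP discovery port is the default 10000 (set listen=)"; _rc=1
    fi
    # Reachable from every interface and no source restriction at all.
    if [ -z "$_bind" ] || [ "$_bind" = "0.0.0.0" ]; then
        if [ -z "$_allow" ]; then
            echo "WARN: bound on all interfaces with no allow= list (set bind=127.0.0.1 or allow=)"; _rc=1
        fi
    fi
    # Without ssl=1 the login crosses the network in clear text.
    if [ "$_ssl" != "1" ]; then
        echo "WARN: ssl=1 not set"; _rc=1
    fi
    return $_rc
}

# Constructed sample resembling a fresh install (not a real config file).
SAMPLE=$(mktemp)
printf 'port=10000\nlisten=10000\nssl=0\nroot=/usr/share/webmin\n' > "$SAMPLE"
check_miniserv "$SAMPLE" || echo "miniserv.conf needs hardening"
rm -f "$SAMPLE"
```

Run it as check_miniserv /etc/webmin/miniserv.conf after each change; a clean run prints nothing and exits 0.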

Webmin has had exploits against it in the past; if you use it, make sure you keep it up to date.

If you decide you don't need Webmin after all, stop it and remove it:

#/etc/init.d/webmin stop
#emerge --unmerge webmin

1 comment:

  1. Just installed webmin and googled exactly for how to limit it to localhost in order to do ssh tunnel/forwarding. awesome! thanks! =)