This was done using a Webmin install on Gentoo, but should work the same on Ubuntu or any other distro.
Universal Step 1, Change the default port: Webmin listens on port 10000 by default, and that port is well known; scripts and attackers actively look for it. So to start, just change the port and reload Webmin. I'll use 54444; use a different one in your own setup.
At this point it would also be a good idea, if you haven't already, to add port 10000 to your portsentry rules (http://www.insecuresystem.org/2010/01/iptables-blacklist.html).
Option, Limit Access with Iptables: Only allow certain IP addresses or networks to reach the Webmin port, and drop all other attempts. I recommend establishing a chain similar to the example below.
#iptables -N WEBMIN
#iptables -I INPUT 1 -p tcp --dport 54444 -j WEBMIN
#iptables -I INPUT 2 -p udp --dport 54444 -j WEBMIN
#iptables -A WEBMIN -s 192.168.168.0/24 -j ACCEPT
#iptables -A WEBMIN -j DROP
Option, limit it to localhost and access webmin via port-forwarding:
Edit the miniserv.conf file, then restart Webmin.
Then, from any other machine, establish an SSH tunnel that forwards the Webmin port:
#ssh -L 54444:localhost:54444 email@example.com
And point your browser at https://localhost:54444
Option, Hide it inside a VPN: If you establish a simple VPN, you can use either Iptables or the miniserv allow option as above to limit Webmin so that it only allows access from the private VPN subnet.
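A quick way to check a miniserv.conf against the steps above, added here as an example and not part of the original post. It assumes miniserv.conf holds key=value lines with `port`, `bind` and `allow` keys (only the allow option is named above); the sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit miniserv.conf for the hardening steps in this post.
# Assumption: miniserv.conf uses key=value lines with port=, bind= and allow=.

# Print the value of the last "key=value" line for key $2 in file $1.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line; exit status 0 if clean, 1 otherwise.
audit_miniserv() {
    conf=$1
    findings=0
    port=$(conf_get "$conf" port)
    bind=$(conf_get "$conf" bind)
    allow=$(conf_get "$conf" allow)

    # Step 1: still on the well-known port that scanners probe.
    if [ "$port" = "10000" ]; then
        echo "PORT: still listening on well-known port 10000"
        findings=$((findings + 1))
    fi

    # Localhost option: bound to loopback only, reached via an ssh tunnel.
    case "$bind" in
        127.0.0.1|::1) loopback=1 ;;
        *)             loopback=0 ;;
    esac

    # Otherwise an allow= list (LAN or VPN subnet) must restrict clients.
    if [ "$loopback" -eq 0 ] && [ -z "$allow" ]; then
        echo "ACCESS: not bound to loopback and no allow= list set"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample configs: a default-style file, then a hardened one.
sample=$(mktemp)
printf 'port=10000\nssl=1\n' > "$sample"
audit_miniserv "$sample" || echo "-> needs hardening"
printf 'port=54444\nbind=127.0.0.1\nssl=1\n' > "$sample"
audit_miniserv "$sample" && echo "-> passes"
rm -f "$sample"
```

Call audit_miniserv with the path to your own miniserv.conf; it complements the Iptables chain rather than replacing it, since it only reads Webmin's own settings.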
Finally: Webmin has had exploits against it in the past; if you use it, make sure you keep it up to date.
#/etc/init.d/webmin stop
#emerge --unmerge webmin