Wednesday, March 10, 2010

Securing Webmin

If you are a fledgling sysadmin, feeling lazy, or just plain want a GUI and find yourself installing Webmin on your server, please take a few minutes to secure it. I have a few simple examples of how this can be done. A lot of this also applies to other systems, so it's good information to know even if you never plan on running Webmin.

This was done using a Webmin install on Gentoo, but should work the same on Ubuntu or any other distro.

Universal Step 1, Change the default port:
Webmin listens on port 10000 by default, and that is well known: it is a port that scripts and attackers actively look for. So to start, just change the port and reload Webmin. I'll use 54444; use a different one in your own setup.

#vim /etc/webmin/miniserv.conf
...
port=54444
listen=54444
...

#/etc/init.d/webmin restart

At this point it would also be a good idea, if you hadn't already, to add port 10000 to your portsentry rules. (http://www.insecuresystem.org/2010/01/iptables-blacklist.html)


Option, Limit Access with Iptables:
Only allow certain IP addresses or networks to reach the Webmin port and drop all other attempts. I recommend establishing a dedicated chain similar to the example below.

#iptables -N WEBMIN
#iptables -I INPUT 1 -p tcp --dport 54444 -j WEBMIN
#iptables -I INPUT 2 -p udp --dport 54444 -j WEBMIN
#iptables -A WEBMIN -s 192.168.168.0/24 -j ACCEPT
#iptables -A WEBMIN -j DROP

Option, limit it to localhost and access webmin via port-forwarding:

Edit the miniserv.conf file, then restart Webmin:
#vim /etc/webmin/miniserv.conf
allow=127.0.0.1

Then, from any other machine, establish an SSH tunnel that forwards the Webmin port:
#ssh -L 54444:localhost:54444 user@myserver.org

And point your browser at https://localhost:54444
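The two restrictions above (a non-default port plus an allow= line in miniserv.conf, or a dedicated iptables chain) can be checked with a small script. This is an added example, not part of the original post; the sample configs are constructed inline, the audit covers only the port= and allow= keys, and the generated chain handles TCP only.

```sh
#!/bin/sh
# Added helper, not from the original post: audits a miniserv.conf for the
# settings discussed above (non-default port, allow= restriction) and emits
# a WEBMIN iptables chain that uses the valid ACCEPT target.
# Sample configs below are constructed for illustration.

# miniserv_audit FILE: returns 0 if FILE listens on a non-default port and
# has an allow= line; prints a WARN line and returns 1 otherwise.
miniserv_audit() {
    conf="$1"
    port=$(sed -n 's/^port=//p' "$conf" | head -n 1)
    allow=$(sed -n 's/^allow=//p' "$conf" | head -n 1)
    rc=0
    if [ -z "$port" ] || [ "$port" = "10000" ]; then
        echo "WARN: $conf: Webmin still listens on the default port 10000"
        rc=1
    fi
    if [ -z "$allow" ]; then
        echo "WARN: $conf: no allow= line; restrict by IP here or with iptables"
        rc=1
    fi
    return "$rc"
}

# webmin_chain_rules PORT NETWORK: prints the iptables commands for a
# dedicated chain. The accept target is ACCEPT; iptables has no ALLOW target.
webmin_chain_rules() {
    printf 'iptables -N WEBMIN\n'
    printf 'iptables -I INPUT 1 -p tcp --dport %s -j WEBMIN\n' "$1"
    printf 'iptables -A WEBMIN -s %s -j ACCEPT\n' "$2"
    printf 'iptables -A WEBMIN -j DROP\n'
}

# Constructed sample configs: one still on defaults, one hardened.
DEFAULT_CONF=$(mktemp)
printf 'port=10000\nlisten=10000\n' > "$DEFAULT_CONF"
HARDENED_CONF=$(mktemp)
printf 'port=54444\nlisten=54444\nallow=127.0.0.1\n' > "$HARDENED_CONF"

miniserv_audit "$DEFAULT_CONF" || echo "default config fails the audit"
miniserv_audit "$HARDENED_CONF" && echo "hardened config passes"
webmin_chain_rules 54444 192.168.168.0/24
```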

Option, Hide it inside a VPN:
If you establish a simple VPN, you can then use either iptables or the miniserv allow option as above to limit Webmin access to the private VPN subnet only.

Finally:
Webmin has had exploits against it in the past; if you use it, make sure you keep it up to date.


.....

PS:
#/etc/init.d/webmin stop
#emerge --unmerge webmin

1 comment:

  1. Just installed webmin and googled exactly for how to limit it to localhost in order to do ssh tunnel/forwarding. awesome! thanks! =)
