This was done using a webmin install on Gentoo, but should work the same on ubuntu or any other distro.
Universal Step 1, Change the default port:
Webmin listens on port 10000 by default, and that port is well known; it is one that scripts and attackers actively look for. So to start, just change the port and reload webmin. I'll use 54444; use a different one in your own setup.
#vim /etc/webmin/miniserv.conf
...
port=54444
listen=54444
...
#/etc/init.d/webmin restart
At this point it would also be a good idea, if you haven't already, to add port 10000 to your portsentry rules, so that anything still probing the old default port gets blacklisted. (http://www.insecuresystem.org/2010/01/iptables-blacklist.html)
Option, Limit Access with Iptables:
Only allow certain IP addresses or networks to reach the webmin port and drop all other attempts. I recommend establishing a dedicated chain similar to the example below (note the accept target in iptables is ACCEPT, not ALLOW).
#iptables -N WEBMIN
#iptables -I INPUT 1 -p tcp --dport 54444 -j WEBMIN
#iptables -I INPUT 2 -p udp --dport 54444 -j WEBMIN
#iptables -A WEBMIN -s 192.168.168.0/24 -j ACCEPT
#iptables -A WEBMIN -j DROP
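The chain above, as an added example that is not part of the original post: a small POSIX sh script that generates the same WEBMIN chain for any port and any number of allowed networks, makes re-running safe (creates the chain only if missing, flushes it, adds the INPUT jump only once), and logs a rate-limited sample of dropped connections so blocked access shows up in syslog. The port 54444 and the network 192.168.168.0/24 are the placeholders from the post; the script name webmin-fw.sh and the --apply flag are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build a dedicated WEBMIN chain
# that ACCEPTs only the listed source networks and DROPs everything else.
# WEBMIN_PORT defaults to the post's placeholder port; override it in the env.

WEBMIN_PORT="${WEBMIN_PORT:-54444}"

# gen_webmin_rules PORT CIDR [CIDR...]
# Prints the iptables commands instead of running them, so the rule set can be
# reviewed (or tested) first and then piped to sh to apply.
gen_webmin_rules() {
    port="$1"; shift
    [ "$#" -ge 1 ] || { echo "need at least one allowed network" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    # Create the chain if it does not exist yet, then flush it so that running
    # this script twice does not leave duplicate rules behind.
    echo "iptables -N WEBMIN 2>/dev/null || true"
    echo "iptables -F WEBMIN"
    # Send webmin traffic into the chain; -C checks whether the jump is already there.
    echo "iptables -C INPUT -p tcp --dport $port -j WEBMIN 2>/dev/null || iptables -I INPUT 1 -p tcp --dport $port -j WEBMIN"

    for net in "$@"; do
        case "$net" in
            */*) ;;              # already a CIDR
            *)   net="$net/32" ;; # single host
        esac
        echo "iptables -A WEBMIN -s $net -j ACCEPT"
    done
    # Log a throttled sample of rejected attempts, then drop the rest.
    echo "iptables -A WEBMIN -m limit --limit 5/min -j LOG --log-prefix \"webmin-denied: \""
    echo "iptables -A WEBMIN -j DROP"
}

# Usage:  ./webmin-fw.sh 192.168.168.0/24            (print the rules)
#         ./webmin-fw.sh --apply 192.168.168.0/24    (print and execute them)
if [ "$1" = "--apply" ]; then
    shift
    gen_webmin_rules "$WEBMIN_PORT" "$@" | sh -e
elif [ -n "$1" ]; then
    gen_webmin_rules "$WEBMIN_PORT" "$@"
fi
```

Run it without --apply first and read the output; the log line is optional but is the cheapest way to notice when something other than your own networks is knocking on the new port.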
Option, limit it to localhost and access webmin via port-forwarding:
Edit the miniserv.conf file, then restart webmin
#vim /etc/webmin/miniserv.conf
allow=127.0.0.1
Then from any other machine establish an ssh tunnel which forwards the webmin port
#ssh -L 54444:localhost:54444 user@myserver.org
And point your browser at https://localhost:54444
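To check that the port change and the allow= restriction above actually took effect, here is an added audit script (mine, not from the post or the Webmin project) that reads a miniserv.conf and flags the settings that are still at their weak defaults. It assumes the real miniserv.conf keys port, allow and ssl (ssl=1 turns on HTTPS in Webmin); the function names conf_get and audit_miniserv are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/webmin/miniserv.conf
# for the hardening settings discussed here. One finding per line on stdout;
# exit status 1 if anything is still weak, 0 if it looks hardened.

# conf_get FILE KEY : print the value of the first "KEY=value" line.
conf_get() {
    awk -F= -v k="$2" '$1==k {print $2; exit}' "$1"
}

# audit_miniserv FILE : check port, allow and ssl; returns 1 on any weak setting.
audit_miniserv() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    bad=0
    port=$(conf_get "$conf" port)
    allow=$(conf_get "$conf" allow)
    ssl=$(conf_get "$conf" ssl)

    # Default port: the one every scanner tries first.
    if [ -z "$port" ] || [ "$port" = "10000" ]; then
        echo "WEAK: still listening on the default port 10000"; bad=1
    else
        echo "ok: port=$port"
    fi

    # No allow= line means any source address may reach the login page.
    if [ -z "$allow" ]; then
        echo "WEAK: no allow= restriction, any source IP may connect"; bad=1
    else
        echo "ok: allow=$allow"
    fi

    # Without ssl=1 the webmin password crosses the network in clear text.
    if [ "$ssl" != "1" ]; then
        echo "WEAK: ssl=1 is not set, logins are sent unencrypted"; bad=1
    else
        echo "ok: ssl=1"
    fi
    return $bad
}

# Usage: ./audit-miniserv.sh /etc/webmin/miniserv.conf
if [ -n "$1" ]; then
    audit_miniserv "$1"
fi
```

With allow=127.0.0.1 and the ssh tunnel from this section, the audit reports ok on all three lines; run it again after any webmin upgrade, since a package update can rewrite miniserv.conf.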
Option, Hide it inside a VPN:
If you establish a simple VPN, then you can use either iptables or the miniserv allow option as above to limit webmin to the private VPN subnet only.
Finally:
Webmin has had exploits against it in the past; if you use it, make sure you keep it up to date.
ps:
#/etc/init.d/webmin stop
#emerge --unmerge webmin
Just installed webmin and googled exactly for how to limit it to localhost in order to do ssh tunnel/forwarding. awesome! thanks! =)