Urza9814 (posted July 18, 2006):

Two parts to this one:

First of all, how secure is webmin? If I leave it open to internet access with a 20 character randomly generated password, will I be ok? What are the chances of someone finding another way in? I don't know much about the webmin project, so does it focus much on security? And is it well known enough to be a target? Also, how is the security of the various servers, specifically Apache and ProFTPD? I'm a bit paranoid if you haven't noticed :)

Also, is there any way I could change my firewall settings (or at least turn it on and off) from the command line, so I can schedule it to allow me through only at certain times during the day?

tyme (posted July 18, 2006):

> Two parts to this one: First of all, how secure is webmin? If I leave it open to internet access with a 20 character randomly generated password, will I be ok? What are the chances of someone finding another way in? I don't know much about the webmin project, so does it focus much on security? And is it well known enough to be a target? Also, how is the security of the various servers, specifically Apache and ProFTPD? I'm a bit paranoid if you haven't noticed :)

Webmin with a good password is OK, but you can do better. See my suggestions below about firewalling. Apache is generally secure, as long as you keep it updated. It's still a program, written by humans, so it still has flaws ;) As far as FTP, I suggest against it. FTP sends login credentials in clear text, so someone could just grab the packet and read it. You're better off setting up an ssh server and using sftp through that. For better security you could even run your ssh on a non-standard, non-reserved port to avoid people trying to brute-force it.

> Also, is there any way I could change my firewall settings (or at least turn it on and off) from the command line, so I can schedule it to allow me through only at certain times during the day?

You could probably use some combination of a cron job and iptables to change settings when you want access, but you'd be better allowing only the IP addresses you want to have access to get to the webmin interface (or any others). You can do this by port #'s in iptables. I think webmin has a way of allowing only certain IPs access within its own interface, without a need to fuss with iptables.

aioshin (posted July 19, 2006):

Another suggestion: you can also avail yourself of some free DNS service like no-ip or dyndns and only allow the free domain name you've chosen to connect to your remote server, especially when you are connecting from a DSL with a dynamic IP address. That is, if you trust this free DNS provider. Because it's hard to specify the IP allowed on the webmin accessList if, as has been said, you have a dynamic IP address.

tyme (posted July 19, 2006):

You could also just set it to a range of IP addresses to cut back on the possibilities. When I was still a student at Penn State I would allow the IP range that Penn State has to ssh into my system but no one else. This was because I knew if anyone tried to hack in from one of those addresses (assuming it wasn't spoofed) I could easily track them down with one call to IT :D

paul (posted July 19, 2006):

ah yes ... source based packet sniffing is the way to go really

    -A INPUT -i <IN Interface like eth0> -s <source IP> -p tcp -m tcp --dport 10000 -j ACCEPT
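
The cron-plus-iptables scheduling tyme mentions, combined with the source-restricted rule paul posted, as an added example that is not part of the original thread. The script name `webmin-window.sh`, the crontab times and the address 203.0.113.7 are constructed, and it assumes the INPUT chain otherwise drops or rejects traffic to port 10000.

```shell
#!/bin/sh
# Added example (not from the thread): open or close Webmin's port for one
# source address or range, so cron can schedule access windows.
# Assumes the INPUT chain otherwise drops or rejects traffic to the port.
WEBMIN_PORT=10000   # port used in the rule posted above

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_source() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    old_ifs=$IFS; IFS=.
    set -- ${1%/*}          # split the address part into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule specification, refusing anything that is not a plain
# interface name and a valid source (nothing else reaches iptables).
webmin_spec() {   # $1 = source, $2 = interface
    valid_source "$1" || return 1
    case "$2" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s\n' "-i $2 -s $1 -p tcp -m tcp --dport $WEBMIN_PORT -j ACCEPT"
}

# Insert the rule if absent (open) or delete every copy of it (close).
apply_webmin_rule() {   # $1 = open|close, $2 = source, $3 = interface
    spec=$(webmin_spec "$2" "$3") || return 1
    case "$1" in
        open)  iptables -C INPUT $spec 2>/dev/null || iptables -I INPUT $spec ;;
        close) while iptables -C INPUT $spec 2>/dev/null; do
                   iptables -D INPUT $spec
               done ;;
        *) return 2 ;;
    esac
}

# Runs only when called as: webmin-window.sh open|close SOURCE INTERFACE
# Constructed crontab entries (root), weekdays 18:00 to 22:00:
#   0 18 * * 1-5 /usr/local/sbin/webmin-window.sh open  203.0.113.7 eth0
#   0 22 * * 1-5 /usr/local/sbin/webmin-window.sh close 203.0.113.7 eth0
case "${1:-}" in
    open|close) apply_webmin_rule "$1" "${2:-}" "${3:-}" ;;
esac
```

Closing the window removes the ACCEPT rule only; connections already established may stay up if an earlier rule accepts ESTABLISHED traffic.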