Security of webmin


Urza9814

Two parts to this one:

First of all, how secure is webmin? If I leave it open to internet access with a 20 character randomly generated password, will I be ok? What are the chances of someone finding another way in? I don't know much about the webmin project, so does it focus much on security? And is it well known enough to be a target? Also, how is the security of the various servers, specifically Apache and ProFTPD? I'm a bit paranoid if you haven't noticed :)

 

Also, is there any way I could change my firewall settings (or at least turn it on and off) from the command line, so I can schedule it to allow me through only at certain times during the day?


Two parts to this one:

First of all, how secure is webmin? If I leave it open to internet access with a 20 character randomly generated password, will I be ok? What are the chances of someone finding another way in? I don't know much about the webmin project, so does it focus much on security? And is it well known enough to be a target? Also, how is the security of the various servers, specifically Apache and ProFTPD? I'm a bit paranoid if you haven't noticed :)

Webmin with a good password is OK, but you can do better. See my suggestions below about firewalling. Apache is generally secure, as long as you keep it updated. It's still a program, written by humans, so it still has flaws ;) As far as FTP goes, I suggest against it. FTP sends login credentials in clear text, so someone could just grab the packet and read it. You're better off setting up an ssh server and using sftp through that. For better security you could even run your ssh on a non-standard, non-reserved port to avoid people trying to brute-force it.

 

Also, is there any way I could change my firewall settings (or at least turn it on and off) from the command line, so I can schedule it to allow me through only at certain times during the day?

You could probably use some combination of a cron job and iptables to change settings when you want access, but you'd be better off allowing only the IP addresses you want to have access to get to the Webmin interface (or any others). You can do this by port numbers in iptables. I think Webmin has a way of allowing only certain IPs access within its own interface, without a need to fuss with iptables.

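The cron-plus-iptables idea from the reply above, combined with its source-address restriction, as an added example that is not part of the original thread. It assumes Webmin listens on its default TCP port 10000 and that the INPUT chain drops anything not explicitly accepted; the script path and the 203.0.113.0/24 range are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): time-boxed, source-restricted Webmin access.
# Assumptions: Webmin on its default TCP port 10000; the INPUT chain drops
# anything not explicitly accepted; the script path below is hypothetical.
#
# root crontab, constructed sample (203.0.113.0/24 is a documentation range):
#   0 18 * * * /usr/local/sbin/webmin-window.sh open  203.0.113.0/24
#   0 19 * * * /usr/local/sbin/webmin-window.sh close 203.0.113.0/24

IPTABLES="${IPTABLES:-iptables}"
WEBMIN_PORT="${WEBMIN_PORT:-10000}"

# Accept only an IPv4 address with an optional /1../32 prefix. Anything else
# (empty string, /0, stray characters) is refused before iptables sees it.
valid_source() {
    case "$1" in ""|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$'
}

# Print the rule arguments shared by check, insert and delete.
rule_spec() {
    printf '%s' "-p tcp -s $1 --dport $WEBMIN_PORT -j ACCEPT"
}

webmin_open() {
    valid_source "$1" || { echo "bad source: $1" >&2; return 2; }
    # -C tests for the rule first, so repeated cron runs do not stack duplicates.
    $IPTABLES -C INPUT $(rule_spec "$1") 2>/dev/null ||
        $IPTABLES -I INPUT 1 $(rule_spec "$1")
}

webmin_close() {
    valid_source "$1" || { echo "bad source: $1" >&2; return 2; }
    # Delete every copy of the rule; -D fails once none are left.
    while $IPTABLES -D INPUT $(rule_spec "$1") 2>/dev/null; do :; done
}

case "${1:-}" in
    open)  webmin_open  "${2:-}" ;;
    close) webmin_close "${2:-}" ;;
esac
```

Closing the window only stops new connections: if the ruleset also accepts ESTABLISHED traffic, a Webmin session that is already open continues until it ends.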

Another suggestion:

You can also use a free DNS service like no-ip or dyndns and only allow the free domain name you've chosen to connect to your remote server, especially when you are connecting from DSL with a dynamic IP address. That is, if you trust this free DNS provider. It's hard to specify the allowed IP in the Webmin access list if, as has been said, you have a dynamic IP address.


You could also just set it to a range of IP addresses to cut back on the possibilities. When I was still a student at Penn State I would allow the IP range that Penn State has to ssh into my system but no one else. This was because I knew if anyone tried to hack in from one of those addresses (assuming it wasn't spoofed) I could easily track them down with one call to IT :D
