Security Basics mailing list archives
RE: Webmin Security Questions
From: Allan Jensen <aje () callcentereurope com>
Date: Fri, 25 Oct 2002 09:12:14 +0200
-----Original Message-----
From: ATD [mailto:simon () snosoft com]
Sent: 24 October 2002 20:04
To: Allan Jensen
Cc: security-basics () securityfocus com
Subject: RE: Webmin Security Questions

> All, Three points:
> 1-) I have seen remote exploits for webmin that grant shell access due to flaws in the scripts that webmin uses.

I haven't seen them, which is why I deemed Webmin somewhat secure. I stand corrected. But (thinking aloud) how could it gain shell access when authentication is required before you get one single page? Could it have been an exploit for the built-in webserver itself?

> 2-) Webmin requires an httpd to run.

It comes with its own (quote: "..Webmin consists of a simple web server..."), but yes, if you are using webmin, then a httpd server will be running. There are ways to secure/obscure that; moving Webmin to run on another port and only allowing it to be accessed from certain IP addresses (via iptables/ipchains/ipfw/your favourite packet filter) comes to mind.

> In doing that you open up another service for an attacker to pounce on.

True.

> 3-) Why would a systems administrator rely on a web based administration tool? Shouldn't that administrator understand the inner workings of his or her system. Shouldn't that administrator also be security aware?

As I was writing; it's a great tool for anyone who's afraid of administering a system via a keyboard. That said, I know of few professional admins who have that problem.

> Don't get me wrong, webmin does have a place but I do not see it in a network that requires any serious level of security. It would be handy for a test network, or maybe an isolated network behind a few firewalls. I would not suggest using it on any system directly exposed to the internet though.

Um, no! I've been deploying it onto a corporate LAN to give my Windows admin colleagues a way to administer some Linux boxes when I was out of office, but it was using SSL and was restricted to a few IP addresses. But no Webmin access was - and should be - allowed from the Internet!

Best regards,
-Allan Jensen
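The packet-filter restriction described in the message above, as an added example that is not part of the original thread: a POSIX sh script that generates iptables rules allowing Webmin's listener only from a list of admin hosts and dropping everyone else. It assumes Webmin on its default port 10000 and uses constructed documentation addresses (192.0.2.10, 192.0.2.11) as the admin hosts.

```shell
#!/bin/sh
# Added example (not Webmin's own tooling). Default mode prints the rules
# as a dry run; pass --apply to feed them to the shell as root.
WEBMIN_PORT=10000                    # Webmin default; change if relocated
ADMIN_IPS="192.0.2.10 192.0.2.11"    # constructed admin addresses

# is_ipv4 ADDR: accept only a well-formed dotted quad, so a typo in the
# allowlist cannot silently turn into a rule that matches any source.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# webmin_rules PORT "IP IP ...": print one ACCEPT per admin host followed
# by a DROP for every other source. Returns 1 and prints nothing useful
# if any address is malformed, rather than emitting a partial allowlist.
webmin_rules() {
    port=$1; ips=$2
    for ip in $ips; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for ip in $ips; do
        # -I (insert at top) would be safer than -A on a chain that already
        # has a broad ACCEPT; -A is used here so the dry-run output reads
        # in evaluation order.
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

case ${1:-} in
    --apply) webmin_rules "$WEBMIN_PORT" "$ADMIN_IPS" | sh ;;
    *)       webmin_rules "$WEBMIN_PORT" "$ADMIN_IPS" ;;
esac
```

The DROP rule only protects the Webmin port; combine it with Webmin's own SSL setting and the LAN-only placement the message describes, since the filter does nothing about the traffic it lets through.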
Current thread:
- Webmin Security Questions Joe McCray (Oct 22)
- Re: Webmin Security Questions Devdas Bhagat (Oct 23)
- Re: Webmin Security Questions ATD (Oct 23)
- <Possible follow-ups>
- RE: Webmin Security Questions Allan Jensen (Oct 24)
- RE: Webmin Security Questions ATD (Oct 25)
- RE: Webmin Security Questions Allan Jensen (Oct 25)
- Re: Webmin Security Questions Muhammad Faisal Rauf Danka (Oct 25)
- RE: Webmin Security Questions Paris E. Stone (Oct 28)