All,

Three points:

1-) I have seen remote exploits for webmin that grant shell access due
to flaws in the scripts that webmin uses.

2-) Webmin requires an httpd to run.  If you are using webmin to manage
your mail server, then you need to run httpd on your web server, which
you would not need to do otherwise. In doing that you open up another
service for an attacker to pounce on.

3-) Why would a systems administrator rely on a web-based administration
tool? Shouldn't that administrator understand the inner workings of his
or her system? Shouldn't that administrator also be security aware?

Don't get me wrong, webmin does have a place but I do not see it in a 
network that requires any serious level of security. It would be handy
for a test network, or maybe an isolated network behind a few
firewalls.  I would not suggest using it on any system directly exposed
to the internet though. 




Allan Jansen wrote:
> > -----Original Message-----
> > From: Joe McCray [mailto:joemccray@;hardestworkingmanonline.com] 
> > Sent: 21 October 2002 21:49
> > To: [EMAIL PROTECTED]
> > Subject: Webmin Security Questions
> > 
> > 
> > Have any of you used Webmin 
> > 
> > http://www.webmin.com/
> 
> > [...]
> 
> > Any opinions?
> 
> Yep - it's a quite decent administration package for anyone afraid of
> administering a system via a keyboard :o)
> 
> That aside; running it over standard HTTP is - obviously - a security risk;
> you want to apply SSL. 
> There's some info here : http://www.webmin.com/ssl.html
> 
> So throw SSL into the equation and I'd say you're fairly secure using it.
> 
> 
> Best regards,
> -Allan Jensen
-- 

-ATD-

-------------------------------------------------------------
Secure Network Operations |     Strategic Reconnaissance Team
http://www.snosoft.com    |     [EMAIL PROTECTED]
Cerebrum Project          |     [EMAIL PROTECTED]
-------------------------------------------------------------
