> -----Original Message-----
> From: ATD [mailto:simon@;snosoft.com]
> Sent: 24 October 2002 20:04
> To: Allan Jensen
> Cc: [EMAIL PROTECTED]
> Subject: RE: Webmin Security Questions
>
>
> All,
> Three points:
>
> 1-) I have seen remote exploits for webmin that grant shell
> access due to flaws in the scripts that webmin uses.

I haven't seen them, which is why I deemed Webmin somewhat secure. I stand corrected. But (thinking aloud) how could it gain shell access when authentication is required before you get one single page? Could it have been an exploit for the built-in webserver itself?

> 2-) Webmin requires an httpd to run.

It comes with its own (quote: "..Webmin consists of a simple web server..."), but yes, if you are using webmin, then an httpd server will be running. There are ways to secure/obscure that; moving Webmin to run on another port and only allowing it to be accessed from certain IP addresses (via iptables/ipchains/ipfw/your favourite packet filter) comes to mind.

> In doing that you open up another service for an attacker to pounce on.

True.

> 3-) Why would a systems administrator rely on a web based
> administration tool? Shouldn't that administrator understand
> the inner workings of his or her system? Shouldn't that
> administrator also be security aware?

As I was writing, it's a great tool for anyone who's afraid of administering a system via a keyboard. That said, I know of few professional admins who have that problem.

> Don't get me wrong, webmin does have a place but I do not see it in a
> network that requires any serious level of security. It would
> be handy for a test network, or maybe an isolated network
> behind a few firewalls. I would not suggest using it on any
> system directly exposed to the internet though.

Um, no! I've been deploying it onto a corporate LAN to give my Windows admin colleagues a way to administer some Linux boxes when I was out of office, but it was using SSL and was restricted to a few IP addresses. But no Webmin access was - and should be - allowed from the Internet!

Best regards,
-Allan Jensen
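The packet-filter restriction described in the reply above (Webmin moved to a non-default port and reachable only from a few administrative addresses), as an added example that is not part of the original thread. It assumes Linux iptables with the standard filter table; the port 10443 and the 192.0.2.x source addresses are constructed placeholders, not values from the thread. The generator prints the rules rather than applying them, so the ordering (allow-list, then log, then drop) can be reviewed before it is piped to a shell.

```shell
#!/bin/sh
# Added example, not from the original thread: emit iptables rules that expose
# a Webmin listener only to an allow-list of administrative source addresses.
# Assumption: iptables filter table, INPUT chain, rules appended in order.

# webmin_rules PORT CIDR... -> one iptables command per line, in the order
# they must be appended: allow each admin source, log the rest, then drop.
webmin_rules() {
    port="$1"; shift
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
    done
    # Log denied attempts before dropping so scans of the admin port are visible.
    printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "webmin-denied: "\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# webmin_rule_count PORT CIDR... -> number of rules generated (allows + log + drop)
webmin_rule_count() {
    webmin_rules "$@" | wc -l | tr -d ' '
}

# Preview with constructed placeholder values (port 10443, two admin hosts).
# To apply on a real host instead:  webmin_rules 10443 192.0.2.10 192.0.2.11 | sh
webmin_rules 10443 192.0.2.10 192.0.2.11
```

Because iptables evaluates INPUT top to bottom, the ACCEPT lines must precede the DROP for that port; the LOG line gives a defender a record of who else tried the admin port without changing the outcome. Webmin's own SSL setting and per-IP access control can be layered on top of this, but the filter rule is what keeps the listener off the Internet regardless of Webmin's configuration.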