-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Webmin runs it's own mini-httpd server. Point 2 below is not valid.
Hazzarding a guess, say %60 of admins are not security aware. Also that %50 of administrators ues point-and-click and know nothing about the underpinnings of any OS that they administer. ACL's on the edge router, or placing the box behind a firewall and not letting TCP port 10000 through effectively blocks external access to the webmin mini-httpd service. "Security is a layered methodology". Webmin running on an unprotected host, yes is bad. Webmin is a nice tool, makes linux accessible to those who would otherwise not use it and can provide a migration path away from Micro$oft. Webmin is mature, stable and very useful for almost all aspects of a linux server. My $.02 - -----Original Message----- From: ATD [mailto:simon@;snosoft.com] Sent: Thursday, October 24, 2002 2:04 PM To: Allan Jensen Cc: [EMAIL PROTECTED] Subject: RE: Webmin Security Questions All, Three points: 1-) I have seen remote exploits for webmin that grant shell access due to flaws in the scripts that webmin uses. 2-) Webmin requires an httpd to run. If you are using webmin to manage your mail server, then you need to run httpd on your web server, which you would not need to do otherwise. In doing that you open up another service for an attacker to pounce on. 3-) Why would a systems administrator rely on a web based administration tool? Shouldn't that administrator understand the inner workings of his or her system. Shouldn't that administrator also be security aware? Don't get me wrong, webmin does have a place but I do not see it in a network that requires any serious level of security. It would be handy for a test network, or maybe an isolated network behind a few firewalls. I would not suggest using it on any system directly exposed to the internet though. Allan Jansen wrote: > > -----Original Message----- > > From: Joe McCray [mailto:joemccray@;hardestworkingmanonline.com] > > Sent: 21. oktober 2002 21:49 > > To: [EMAIL PROTECTED] > > Subject: Webmin Security Questions > > > > > > Have any of you used Webmin > > > > http://www.webmin.com/ > > > [...] > > > Any opinions? > > Yep - it's a quite decent administration package for anyone afraid > of administering a system via a keyboard :o) > > That aside; running it over standard HTTP is - obviously - a > security risk; you want to apply SSL. > There's some info here : http://www.webmin.com/ssl.html > > So throw SSL into the equation and I'd say you're fairly secure > using it. > > > Best regards, > -Allan Jensen - -- - -ATD- - ------------------------------------------------------------- Secure Network Operations | Strategic Reconnaissance Team http://www.snosoft.com | [EMAIL PROTECTED] Cerebrum Project | [EMAIL PROTECTED] - ------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> Comment: http://www.parisstone.com/ iQA/AwUBPbmBqP2j5dDsq7N3EQI/YQCfYgqaFDOc2CKzRRThG141F/M/8K4An35s hv4ey5gjHh4x0BZq5hzRDLr0 =pzT1 -----END PGP SIGNATURE-----