This monday: Webmin, Gentoo

Derek Martin invalid at pizzashack.org
Fri Jul 30 12:04:06 EDT 2004


On Thu, Jul 29, 2004 at 10:48:46PM -0400, David J Berube wrote:
> The next CentraLUG meeting will be Monday, August 2nd - this 
> coming Monday. We're going to have presentations on Webmin - the 
> premier way to manage your *Nix box over the web 

Especially with this kind of build-up, I feel obliged to point out the
dangers of using Webmin to administer a server.

Webmin can indeed be a very convenient way to administer a Unix box.
However, Web-based applications have historically proven notoriously
hard to write securely, and Webmin is no exception to the rule.
Webmin itself has had a history of security vulnerabilities, as you
can see by searching the archives on Securityfocus.  The most recent
of these was published last month.

In addition to that, in order to use webmin, you must install Apache
web server. While having a fairly decent track record compared
to certain other web servers (IIS comes to mind), Apache's history
hasn't been flawless either.

These two programs also rely on other operating environment components
that also have a history of problems, such as the OpenSSL libraries.
By running Webmin, you are compounding the risks of all such programs,
potentially causing a dramatic increase in the likelihood that you
will be providing a way into your system for some happy attacker.  
I say potentially because the presence of security holes in current
versions of related software have no KNOWN problems at this time, but 
secure software is hard to write, so odds are there will be some found
sooner or later.

Is running Webmin worth the risk?  Maybe.

Personally, whereas I usually prefer the command-line interface for
configuring systems anyway, the answer for me is a resounding no.  If,
for example, you're administering a file server, you normally don't
need a web server, and you normally don't /need/ webmin either.  These
programs potentially increase the likelihood of a remote compromise,
on a server which normally doesn't need them.  So in my mind, you
shouldn't run them.  But people are different...

If you find that webmin really does make your life a lot easier, then
you may want to run it anyway.  You /can/ take steps to reduce the
risks.

1. As always, make sure you pay attention to security vulnerability
   notices by subscribing to such mailing lists as Bugtraq, etc.  Be
   sure to apply all security updates from your vendor in a timely
   manner, and check the websites of any packages which you have
   installed from sources.

2. Run the Apache server on an unusual port.  Security by obscurity
   will not stop a determined hacker, but it IS a valuable tool
   against (a) automated scripts and (b) casual attackers looking for
   an easy target.

3. Run host-based firewall software to make sure only trusted hosts
   (i.e. the sysadmin team's workstations) can access the Webmin
   server (i.e. the port on which the Webmin Apache server is
   running).

Or, you can take your chances...  ;-)

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
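Steps 2 and 3 above, worked as an added example that is not part of the original post: a small POSIX shell script that generates an nftables ruleset exposing the Webmin port only to the sysadmin team's workstations, and a check that the port is guarded. The port number and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an nftables ruleset that
# allows the (non-default, step 2) Webmin/Apache port only from trusted admin
# hosts (step 3) and drops everyone else. Apply the output with: nft -f <file>

WEBMIN_PORT="${WEBMIN_PORT:-18765}"                      # constructed non-default port
TRUSTED_HOSTS="${TRUSTED_HOSTS:-192.0.2.10 192.0.2.11}"  # constructed admin workstations

# webmin_ruleset PORT HOST... : print the ruleset text to stdout.
webmin_ruleset() {
    port="$1"; shift
    hosts=$(printf '%s, ' "$@"); hosts="${hosts%, }"
    cat <<EOF
table inet webmin_guard {
    set admin_hosts {
        type ipv4_addr
        elements = { ${hosts} }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport ${port} ip saddr @admin_hosts accept
        tcp dport ${port} drop
    }
}
EOF
}

# ruleset_guards_port PORT RULESET : succeed only if the port has both the
# source-restricted accept and the catch-all drop, so it is never open wide.
ruleset_guards_port() {
    port="$1"; ruleset="$2"
    printf '%s\n' "$ruleset" | grep -q "tcp dport ${port} ip saddr @admin_hosts accept" || return 1
    printf '%s\n' "$ruleset" | grep -q "tcp dport ${port} drop" || return 1
    return 0
}

# Stand-alone use: generate the ruleset and verify it before applying it.
# shellcheck disable=SC2086
ruleset=$(webmin_ruleset "$WEBMIN_PORT" $TRUSTED_HOSTS)
if ruleset_guards_port "$WEBMIN_PORT" "$ruleset"; then
    printf '%s\n' "$ruleset"
fi
```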
