Webmin Corrections (was: Re: This monday: Webmin, Gentoo)

Derek Martin invalid at pizzashack.org
Sat Jul 31 12:20:01 EDT 2004


On Fri, Jul 30, 2004 at 04:59:12PM -0400, Fred wrote:
> On Fri, 2004-07-30 at 14:57, Derek Martin wrote:
> 
> > Sure, but the point is to run /Webmin/ on a non-standard port...  If
> > people are trying to exploit a bug in Webmin, they're going to go
> > looking for it on the default Webmin port, not on port 80/443.
> 
> Or they can just do a port scan on your box and see where Webmin sits.

As I stated in my original post:

> > > 2. Run the Apache server on an unusual port.  Security by obscurity
> > > will not stop a determined hacker, but it IS a valuable tool
> > > against (a) automated scripts and (b) casual attackers looking for
> > > an easy target.

In particular, an automated script to exploit webmin holes isn't
likely to bother with a port scan, and thus the script kiddies are
much less likely to target your box.  These days, the vast majority of
attacks on systems are automated, looking for specific holes to
exploit easily.  Generally speaking, if you change the port, they
won't find you -- they won't bother, because there will be a
cornucopia of completely unsecured systems out there for them to
devour.

Further, a port scan generally reveals that SOMETHING is listening on
a given port, but usually won't identify WHAT is listening.  So... as
I said, changing the port that webmin runs on drastically reduces the
likelihood that your box will be targeted, and thus compromised.  I
never said that made it impossible...

> Of course, you can configure webmin to respond only to certain IP
> addresses. Of course, if the origin IP is spoofed, bets are off anyway.

With modern network equipment, a spoofing attack is still possible
(depending on how it's configured), but in the typical case it's
gotten a lot harder.  An attacker who bothers with this (a) knows what
he's doing and (b) really wants in to your box, and they'll probably
find a way no matter what you do.

Managing security is about managing risks; it is (generally) NOT about
making your box unbreakable, contrary to popular belief.  That is a
target which, practically speaking, is impossible to hit.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
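The two mitigations argued over above (moving Webmin off its well-known port, which is 10000 by default, and restricting it to an allow list of source addresses) can be illustrated with a short defender-side script. This is an added example, not code from the thread or from the Webmin project; the allow list, the relocated port number and the connection log lines are all constructed for the example. It shows the source-address check that an allow list performs, and why it only ever sees the address in the packet header (the spoofing limitation Fred raises), alongside a per-port tally of the kind you would use to confirm that automated probes keep hitting the default port rather than the relocated one.

```python
import ipaddress
from collections import Counter

# Hypothetical allow list in the spirit of Webmin's per-source-address
# restriction (values assumed for the example, not taken from the post).
ALLOWED_SOURCES = ["192.168.1.0/24", "203.0.113.7"]

# Port Webmin was moved to (constructed); 10000 is Webmin's default port.
WEBMIN_PORT = 14321
DEFAULT_WEBMIN_PORT = 10000

# Constructed firewall-style connection log, one "<src_ip> -> <dst_port>" per line.
CONNECTION_LOG = """\
198.51.100.23 -> 10000
198.51.100.23 -> 10000
203.0.113.99 -> 10000
192.168.1.40 -> 14321
203.0.113.7 -> 14321
198.51.100.77 -> 14321
203.0.113.99 -> 80
"""


def parse_allow_list(entries):
    """Turn allow-list strings (single addresses or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src_ip, networks):
    """Source-address check: True when src_ip falls inside any allowed network.

    The check only sees the source address carried in the packet header, so it
    is exactly as trustworthy as that header; a spoofed source is not detected
    here, which is the caveat raised in the thread.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def parse_log(text):
    """Parse the constructed log format into (src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, _, port = line.partition("->")
        events.append((src.strip(), int(port)))
    return events


def summarize(text, allow_entries, webmin_port):
    """Count connections per destination port and, for the Webmin port only,
    how many the allow list would accept or reject."""
    networks = parse_allow_list(allow_entries)
    by_port = Counter()
    accepted = rejected = 0
    for src, port in parse_log(text):
        by_port[port] += 1
        if port == webmin_port:
            if is_allowed(src, networks):
                accepted += 1
            else:
                rejected += 1
    return {"by_port": dict(by_port), "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    report = summarize(CONNECTION_LOG, ALLOWED_SOURCES, WEBMIN_PORT)
    print(f"probes on default port {DEFAULT_WEBMIN_PORT}:",
          report["by_port"].get(DEFAULT_WEBMIN_PORT, 0))
    print(f"connections on relocated port {WEBMIN_PORT}:",
          report["by_port"].get(WEBMIN_PORT, 0))
    print("accepted by allow list:", report["accepted"],
          "rejected:", report["rejected"])
```

In the constructed log the three probes land on the default port and never reach the relocated service, which is the effect Derek describes for automated scanners; of the three connections that do reach the relocated port, the allow list turns away the one from an unlisted address. The tally is the kind of evidence a sysadmin would pull from firewall logs to see how much a port change actually reduced exposure, while the comment on `is_allowed` records the limit of the second control.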
