Webmin Configuration

The Webmin Configuration module (Figure 3-1) allows you to configure most of the important aspects of Webmin itself, as well as install new modules, upgrade existing modules, and upgrade Webmin itself. It also provides a means to change the port and address where the Webmin miniserv.pl web server listens for connections, select different languages, enable or disable SSL encryption, and configure the Webmin built-in logging features.

Figure 3-1: Webmin Configuration

IP Access Control

Webmin has its own web server, called miniserv.pl, which provides a simple IP access control feature. This page allows you to configure this option. You may enter IP networks (such as 192.168.1.0), IP host addresses (such as 192.168.1.79), and host names (such as joesbox.penguinfeet.org). It is wise to limit access to the Webmin server to just those addresses that are trusted. While Webmin has no known exploits in versions greater than 0.970, if someone were to obtain your password, this would provide an additional level of protection from unauthorized access. This option configures the accept and deny directives in the miniserv.conf file. The default is to allow any address to access Webmin.

Caution 

Be aware that using IP access controls within Webmin is an application-level security feature. In other words, if ever an exploitable problem were discovered in the Webmin miniserv.pl web server, it would still be accessible from an IP not permitted to use Webmin. So it is still theoretically possible to attack the web server even if the user isn't offered a login page. However, this is a pretty unlikely scenario, requiring a bug in miniserv.pl that is exposed even when an authentication page is not provided.

Port and Address

The Webmin server will, by default, listen on every active IP address on the system. But if you have multiple addresses and would prefer Webmin to only listen on one of them, you may use this option. So, for example, if you have one network interface connected directly to your local network and a second network interface connected to the Internet, you could improve security by causing Webmin to only listen on the local network. In this case, any requests from the Internet at large would be ignored, but it would still be possible to connect from local computers. This can be a very effective first line of defense. After all, if the bad guys can't even talk to the Webmin server, they certainly can't try anything funny to break into it.

The Listen on Port option specifies the network port on which Webmin will listen. In a standard Webmin install this will be port 10000, although Caldera installs it on port 1000. Some firewalls may restrict access to ports below 1024, and some may restrict even ports above 1024. If your network has strict proxy restrictions that prevent connecting on port 10000, you may wish to try port 553 or 443 (assuming these ports are not already in use on your Webmin server for normal SSL service). These ports will nearly always be usable through a proxy, even when using an SSL-enabled Webmin.

Note 

In a proxied environment, your client browser must use a CONNECT method to construct a tunnel through the proxy device. Because of the potential for abusing CONNECT requests, most proxies prevent this method on all but a few ports. The standard port for SSL web connections is 443, and so it is the most likely port to be available for CONNECT requests. If your proxy is running Squid and you have administrator privileges, you may wish to add Webmin's default port to the allowed SSL ports as documented in the Squid chapter of this book.

As mentioned briefly in the installation chapter, it is possible to alter these configuration settings in the miniserv.conf configuration file in addition to graphical configuration with the Webmin Configuration module. This may be necessary if a firewall prevents you from accessing port 10000 and you only have console or SSH access to the machine. In this case, editing the port option will alter the port, and the bind directive configures the address on which Webmin listens. Whenever editing the miniserv.conf file, Webmin must be restarted for changes to take effect.
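The IP access control and port/address settings described above can be checked straight from the file when only console or SSH access is available. The following is an added example, not part of the book or of Webmin itself. It assumes miniserv.conf is plain key=value lines and that the access lists are stored under keys named allow and deny (an assumption; the text above calls them the accept and deny directives). All sample files are constructed.

```python
import ipaddress

# RFC 1918 and loopback ranges, used to judge whether bind is internal.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample files in the key=value layout of miniserv.conf.
SAMPLE_DEFAULT = "port=10000\n"
SAMPLE_LOCAL = ("port=10000\nbind=192.168.1.10\n"
                "allow=192.168.1.0 192.168.1.79 joesbox.penguinfeet.org\n")
SAMPLE_EXPOSED = "port=443\nbind=203.0.113.5\ndeny=198.51.100.7\n"


def parse_miniserv(text):
    """Return the key=value pairs of a miniserv.conf-style file as a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return finding codes for the listener and IP access control settings."""
    findings = []
    port = conf.get("port", "")
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append("bad-port")           # a typo here can lock you out
    bind = conf.get("bind", "")
    if not bind:
        findings.append("listen-all")         # listening on every active address
    else:
        try:
            addr = ipaddress.ip_address(bind)
            if not any(addr in net for net in INTERNAL):
                findings.append("bind-not-internal")
        except ValueError:
            findings.append("bind-not-an-ip")
    if not conf.get("allow"):
        # With no allow list, any address that is not denied may connect.
        findings.append("deny-only" if conf.get("deny") else "no-ip-acl")
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_LOCAL", "SAMPLE_EXPOSED"):
        print(name, audit(parse_miniserv(globals()[name])))
```

An empty result means the listener is bound to an internal address and an allow list is present; as the text notes, Webmin must be restarted before any edit to the file takes effect.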

Logging

As mentioned earlier, Webmin provides very flexible logging features. With these features, you can very easily monitor what actions those users with administrator privileges are performing on the server. It is also possible to log actions based on the module where the actions are performed. The option Log resolved host names will cause Webmin to provide a host name rather than just an IP address for the client computer that performed an action. And Clear logfiles every...hours causes Webmin to rotate its own logs and keep them from overfilling the disk with old logs. If long-term logs are needed for security auditing purposes, it may be wise to include the Webmin log in your normal system backup rotation.

The decisions regarding what to log, whose actions to log, and how long to store those logs should be carefully considered for your situation. In some cases, a log is unnecessary, while in others it may be required by company policy or useful in addressing the security needs of your environment. If logging is enabled, care should be taken to ensure Webmin will have plenty of disk space in the Webmin log directory, as some options can lead to quite verbose logging (Log changes made to files by each action, for example). Remember that Webmin action logging has nothing to do with the logging features of other parts of the system. Syslog is configured separately in the System:System Logs module, while application-specific logging is usually configured within the application module.

Proxy Servers

Webmin provides several tools that must connect to the Internet to operate correctly. These include the Webmin Update feature, the Software Packages module, and others. If your local network uses a proxy to access Web or FTP sites on the Internet, you may configure those settings here. If your proxy requires authentication, the username Webmin will use to log in can also be configured on this page in the Username for proxy and Password for proxy fields.

User Interface

The Webmin user interface is configurable in a number of ways. In this module you may configure the colors of your Webmin pages. The colors are expected to be in standard hex triplets, as used in HTML markup on the Internet. You may also choose to use the standard fonts of your browser to display page titles, rather than the font provided by the theme you are using. Finally, you may configure where on the page Webmin will display the login name and host name of the server. This page does not configure Webmin themes, which are configured on their own page, and the changes that can be made here are mild by comparison to the possibilities when using themes. Be aware also that these changes may not take effect when using a theme other than the old standard Webmin theme. For example, the new MSC.Linux theme overrides all of these options with its own standard values.



The Book of Webmin... or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
EAN: 2147483647
Year: 2006
Pages: 142
Authors: Joe Cooper
