Securing Webmin


Because Webmin runs as the root user and has full control over important system-configuration files, it's important to keep it as secure as possible.

There are several things we can do to make Webmin safer to run.

To change Webmin's authentication settings

The authentication settings control the way Webmin reacts to invalid passwords and frequent login attempts, two of the "signatures" of someone trying to crack the Webmin password.

1. Log in to Webmin by visiting it with your favorite Web browser (Figure F.3):

   http://hostname:10000/

2. Enter your Webmin user ID and password, then click the Login button. Webmin transfers you to the main page (Figure F.4).

3. Click the "Webmin Configuration" link to get to the Webmin Configuration page (Figure F.5).

Figure F.5. Webmin's configuration interface.

4. Scroll down if necessary, then click the "Authentication" link to show the authentication settings (Figure F.6).

Figure F.6. Webmin's authentication settings let you change the way Webmin treats failed login attempts.

5. Click the "Enable password timeouts" button; this will cause a delay between login attempts if an invalid password is entered.

6. Check the "Auto-logout after x minutes of inactivity" box, and enter a number of minutes in the x text field. Use whatever you feel comfortable with; this is the length of time your Web browser could be sitting at Webmin unguarded while you're off getting a cup of coffee.

7. Click the Save button at the bottom of the page to save your changes and return to the Webmin Configuration page.

To limit access to certain IP addresses

Another way of making Webmin safer is to allow access only from specific IP addresses. You can also deny access to specific IP addresses.

1. On the Webmin Configuration page, click IP Access Control to display the IP Access Control page (Figure F.7).

Figure F.7. The IP Access Control page lets you allow access from specific computers or deny access to specific computers.

2. To allow access for specific IP addresses, host names, or networks, click the "Only allow from listed addresses" button.

3. To deny access from specific IP addresses, hostnames, or networks, click the "Deny from listed addresses" button.

4. Enter the IP addresses, hostnames, or networks in the text field, one per line.

5. Click the Save button to apply your changes and return to the Webmin Configuration page.

Tip

  • You can allow access to Webmin from any system by returning here and clicking the "Allow from all addresses" button.


To encrypt your Webmin connection with SSL

By default, Webmin uses normal HTTP connections. These aren't encrypted, and if someone were eavesdropping on your network, he or she could discover your Webmin user ID and password. Switching to HTTPS connections removes this problem.

1. Before we can add SSL support to Webmin, we need to have the OpenSSL libraries installed. If you're using Fedora Core or FreeBSD, OpenSSL is already installed.

   If you're using Cygwin, use the Cygwin setup program to install openssl-devel from the Devel category. Also, if you haven't already installed a compiler, install binutils and gcc from the Devel category (these will also install all of their prerequisites).

   If you're using Mac OS X, use Fink to install OpenSSL:

   sudo fink install openssl097-dev

2. Use your favorite Web browser to download the Net::SSLeay module for Perl:

   http://search.cpan.org/~sampo/Net_SSLeay.pm-1.25/

   Click the Download link and save the Net_SSLeay.pm-1.25.tar.gz file to your home directory.

3. tar -xzf Net_SSLeay.pm-1.25.tar.gz

   Unpack the Net::SSLeay code archive.

4. cd Net_SSLeay.pm-1.25

   Change to the source directory.

5. perl Makefile.PL

   Generate the Makefile, which controls the build process. (Makefile.PL is a Perl script, so run it with perl rather than executing it directly.)

6. make install

   Build and install Net::SSLeay.

7. On the Webmin Configuration page in your browser, click the SSL Encryption link to display the SSL Encryption page (Figure F.8).

Figure F.8. The SSL Encryption page lets you switch Webmin to encrypted mode.

8. Click the Yes buttons next to "Enable SSL if available?" and "Redirect non-SSL requests to SSL mode?" and then click the Save button.

9. Webmin switches to SSL mode and redirects you to the Webmin Configuration page. On your way, you'll see a warning (Figure F.9) about Webmin's certificate.

Figure F.9. Your Web browser will warn you about Webmin's self-signed certificate; this is normal!

   This certificate warning is normal; unless you install a real certificate (see the Webmin site for details), Webmin uses a self-signed certificate, and this is what your browser is warning you about.

   Tell your browser to accept the certificate (temporarily, or permanently if you won't be installing a real certificate).

Tips

  • You can also install Net::SSLeay through the Perl CPAN module. Please refer to the CPAN Web site (www.cpan.org) for details.

  • Remember to use https://hostname:10000/ to access Webmin if you've switched to SSL mode!

  • To stop Webmin, log in as root (or use su to get a root shell) and run the stop script in the Webmin installation directory (/usr/local/etc/webmin/stop in our example).

  • To start Webmin, log in as root (or use su) and run the start script in the Webmin installation directory (/usr/local/etc/webmin/start in our example).

  • Restart Webmin by running the stop script and then the start script in the Webmin installation directory. You need to do this if you've changed Webmin's configuration files (such as miniserv.conf) with a text editor instead of using Webmin itself.
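The three procedures in this section (password timeouts and auto-logout, IP access control, and SSL) each end up as a directive in miniserv.conf, the file the last tip mentions. The script below is an added example, not code from the book or from Webmin. It assumes the directive names ssl, ssl_redirect, passdelay, logouttime, allow and deny, which are the names miniserv.conf uses for these settings, and it works on a constructed sample file rather than a real host. It parses the file, reports which of the settings from this section are missing or switched off, and applies the allow/deny list to a client address the way the two IP Access Control buttons do (single addresses and CIDR networks only; hostnames in the list are not resolved in this offline example).

```python
"""Audit a Webmin miniserv.conf for the hardening settings from this section.

Added example, not code from the book or from Webmin. The directive names
(ssl, ssl_redirect, passdelay, logouttime, allow, deny) are the ones
miniserv.conf uses for these settings; the sample file and every address
below are constructed for this example.
"""
import ipaddress

# Constructed sample miniserv.conf with all of the settings from this section applied.
SAMPLE_CONF = """\
port=10000
root=/usr/local/etc/webmin
ssl=1
ssl_redirect=1
passdelay=1
logouttime=10
allow=127.0.0.1 192.168.1.0/24
"""


def parse_miniserv(text):
    """Turn key=value lines into a dict. Blank and comment lines are skipped;
    a repeated key keeps its last value, which is what a hand edit usually produces."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return one finding per setting from this section that is missing or off.
    An empty list means all of them are in place."""
    findings = []
    if conf.get("ssl") != "1":
        findings.append("ssl is not 1: logins travel over plain HTTP")
    if conf.get("ssl_redirect") != "1":
        findings.append("ssl_redirect is not 1: plain-HTTP requests are not redirected")
    if conf.get("passdelay") != "1":
        findings.append("passdelay is not 1: no delay after a failed login")
    try:
        if int(conf.get("logouttime", "0")) <= 0:
            findings.append("logouttime is 0 or missing: idle sessions never expire")
    except ValueError:
        findings.append("logouttime is not a number")
    if not conf.get("allow"):
        findings.append("allow list is empty: any address may reach the login page")
    return findings


def _matches(entry, client):
    """True when the client address falls inside an allow/deny entry.
    Entries are read as single addresses or CIDR networks; a hostname entry
    raises ValueError and is skipped, since this offline example resolves nothing."""
    try:
        return client in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def client_allowed(conf, client_ip):
    """Decide whether a client may reach Webmin, following the two radio buttons
    on the IP Access Control page: with an allow list only listed addresses get
    in; with a deny list listed addresses are refused; with neither, everyone
    is allowed."""
    client = ipaddress.ip_address(client_ip)
    allow = conf.get("allow", "").split()
    deny = conf.get("deny", "").split()
    if allow:
        return any(_matches(entry, client) for entry in allow)
    if deny:
        return not any(_matches(entry, client) for entry in deny)
    return True


if __name__ == "__main__":
    conf = parse_miniserv(SAMPLE_CONF)
    for finding in audit(conf) or ["no findings"]:
        print(finding)
    for ip in ("192.168.1.42", "10.0.0.5"):
        print(ip, "allowed" if client_allowed(conf, ip) else "refused")
```

To check a live installation, feed parse_miniserv the contents of miniserv.conf from the Webmin installation directory (/usr/local/etc/webmin in this section's example) after a hand edit and before restarting Webmin; a non-empty audit result means one of the settings from this section has been left out or undone.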




    Unix Advanced: Visual QuickPro Guide
    ISBN: 0321205499
    Year: 2003
    Pages: 116
