Enabling SSL

Webmin is a web-based application, so it speaks the standard protocols of the Internet, specifically HTTP or HTTPS. In a default installation from tarball or package, Webmin runs over plain, unencrypted HTTP. In some environments this presents no major security threat, but in most situations it is a serious hole in the security of a Webmin installation: the login password, the session cookie that follows it, and every page of configuration data cross the network in cleartext, readable by anyone able to sniff the path between client and server. If you only access Webmin across a local network of trusted clients, and a firewall closes that network to outsiders, you may feel safe using Webmin over an unencrypted link. Otherwise, if you ever access Webmin across the Internet or an intranet that may have untrusted clients (for example, a laptop owned by an outside consultant, temporary employees, and so on), encryption should be considered mandatory.

Luckily, setting up Webmin for SSL connections is fairly simple and requires only two additional packages: OpenSSL and the Perl Net::SSLeay module. Here we’ll briefly discuss installing these tools from source, though it is even easier if your OS vendor provides binary packages. The actual installation process is left to the documentation included with each package.

Install OpenSSL

OpenSSL is an Open Source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It provides strong cryptographic library routines that are easy to integrate into other software, and is therefore used by most Open Source projects requiring encryption. If you are using a modern Open Source operating system such as Linux or FreeBSD, you probably already have OpenSSL installed, or can get a package for your OS that is simpler to install than a source build.

OpenSSL is free software and can be downloaded from the home page at http://www.openssl.org or one of its many mirrors. Download it to the server running Webmin, and check the tarball against the checksum or signature published alongside it before building; a file fetched over plain HTTP or FTP can be altered in transit. If you don’t have a graphical browser installed or are accessing your server remotely, you can use lynx or wget to fetch it from the website. If no text mode HTTP client is available, you can get the file from the FTP site at ftp://ftp.openssl.org instead. I’ve never seen any Internet-capable operating system that does not have at least one text-mode FTP client available. Even Windows includes a simple FTP client for use in the MS-DOS shell! To install, simply follow the instructions found in the INSTALL document included in the source distribution.

Getting the Net::SSLeay Perl Module

Because Webmin is written in Perl, it needs a Perl interface to the OpenSSL libraries. The standard choice for this is the Net::SSLeay module, which can be downloaded for free from CPAN or one of its mirrors. You may also be able to download a packaged binary version from your OS vendor.

Webmin itself offers a module for managing and installing Perl modules on your system. Using that module, documented later in this book, you may be able to install Net::SSLeay without leaving Webmin. On my test systems (mostly Red Hat Linux of varying versions) I could only successfully install using the Webmin module if I left out the make test option, selecting only make and install. No additional arguments were required, however.

If a package is not provided by your vendor and installation via Webmin fails for some reason (and there are several reasons why it might), simply visit the Comprehensive Perl Archive Network (CPAN) and search for “SSLeay” to get the latest version. After downloading the tarball, uncompress and extract it:

[joe@grover /joe]$ tar zxvf Net_SSLeay.pm-1.15.tar.gz 

Or, if your OS doesn’t use GNU tar you may have to unzip and untar in two steps:

[joe@grover /joe]$ gunzip Net_SSLeay.pm-1.15.tar.gz
[joe@grover /joe]$ tar xvf Net_SSLeay.pm-1.15.tar

Change to the newly created Net_SSLeay.pm-1.15 directory and run Makefile.PL using Perl, like so:

[joe@grover Net_SSLeay.pm-1.15]# perl Makefile.PL 

Assuming no problems arise, this generates a standard makefile suitable for your system. If OpenSSL was installed from an RPM, you may need to specify the OpenSSL installation prefix (usually /usr) explicitly on the command line, though this appears to be unnecessary with newer versions of the module. If Makefile.PL complains that it cannot find an OpenSSL installation, which usually means the headers from the OpenSSL development package are missing or live somewhere it did not look, try the following:

[joe@grover Net_SSLeay.pm-1.15]# perl Makefile.PL /usr 

Next, use make to build, test, and install the module into the correct location. The command sequence is as follows (don’t forget to switch to root before the install phase, since it writes into Perl’s site library):

[joe@grover Net_SSLeay.pm-1.15]# make
[joe@grover Net_SSLeay.pm-1.15]# make test
[joe@grover Net_SSLeay.pm-1.15]# su
Password:
[root@grover Net_SSLeay.pm-1.15]# make install

Finally, test to be sure the module is installed, using the following command line:

[root@grover Net_SSLeay.pm-1.15]# perl -e 'use Net::SSLeay; print "Success!\n"'
Success!

If the result is only the word Success!, the module is installed. If instead you see an error about Perl being unable to find the module (Can’t locate Net/SSLeay.pm in @INC), it is not installed correctly, or it was installed into a directory that is not on Perl’s module search path.
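The same steps gathered into one script, added here as an example and not taken from the book or from the Net::SSLeay distribution: it checks that OpenSSL’s headers are actually present before running Makefile.PL (the usual reason Makefile.PL cannot find OpenSSL), passes the prefix it found explicitly, runs the build and tests, installs as root, and finishes with the same load test shown above. The tarball name, the candidate prefixes and the use of su for the install step are assumptions taken from the book’s session; adjust them for your system.

```sh
#!/bin/sh
# Added example, not code from the book or from Net::SSLeay.
# Builds Net::SSLeay from a downloaded tarball following the steps above,
# with a check for OpenSSL headers so a failing Makefile.PL is explained.

# find_openssl_prefix DIR...: print the first DIR that holds include/openssl/ssl.h.
# Makefile.PL needs the headers, not just the shared library, so this is the
# right thing to look for; returns 1 if no candidate qualifies.
find_openssl_prefix() {
  for p in "$@"; do
    if [ -f "$p/include/openssl/ssl.h" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# perl_module_present MODULE: succeed only if perl can load MODULE.
# This is the same test as perl -e 'use Net::SSLeay' in the text.
perl_module_present() {
  perl -M"$1" -e 1 >/dev/null 2>&1
}

# build_net_ssleay TARBALL: extract, configure, build, test and install.
# The install step uses su because root is needed to write into Perl's
# site library, exactly as the book's session does.
build_net_ssleay() {
  tarball=$1
  srcdir=$(basename "$tarball" .tar.gz)
  # Candidate prefixes are assumptions: /usr for vendor packages,
  # /usr/local and /usr/local/ssl for source builds of OpenSSL.
  prefix=$(find_openssl_prefix /usr /usr/local /usr/local/ssl) || {
    echo "no OpenSSL headers found; install the OpenSSL development files first" >&2
    return 1
  }
  tar zxf "$tarball" || return 1
  (
    cd "$srcdir" || exit 1
    # Passing the prefix explicitly covers the RPM case described above.
    perl Makefile.PL "$prefix" && make && make test
  ) || return 1
  su root -c "cd '$srcdir' && make install" || return 1
  if perl_module_present Net::SSLeay; then
    echo "Success!"
  else
    echo "Net::SSLeay did not load after install; check @INC" >&2
    return 1
  fi
}

# Usage: sh build-ssleay.sh Net_SSLeay.pm-1.15.tar.gz
if [ "$#" -eq 1 ]; then
  build_net_ssleay "$1"
fi
```

The header check is the part worth keeping even if you build by hand: on RPM-based systems the openssl package alone ships only the shared libraries, and Makefile.PL fails without the development package that provides include/openssl/ssl.h.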

Turning it on

Now that the correct additional tools are installed, all that is left is to turn on SSL connections in the Webmin configuration. This can be done from within Webmin itself, or if you’re particularly paranoid and don’t even want to log in once over an unencrypted connection you can edit the configuration file manually.

To enable SSL connections using Webmin, browse to the Webmin:Webmin Configuration:SSL Encryption page, and click the radio button labeled Enable SSL support, if available. Click Save, and you will automatically be redirected to the https port and connected via an SSL link.

To enable from the command line, for example from an SSH login or a direct console login, edit the miniserv.conf file, usually located in /etc/webmin or possibly /usr/local/webmin-0.980/etc, where 0.980 is replaced by the version of Webmin you have installed. The option to modify is ssl=, which defaults to 0 (off). Change it to 1 and restart the Webmin server (with your distribution’s init script, or with the /etc/webmin/stop and /etc/webmin/start scripts that the tarball installer creates) to enable SSL connections. Note that Webmin keeps the same port number in both modes, so a browser that was using http://yourhost:10000 must now use https://yourhost:10000. You can then log in on the HTTPS port as documented earlier.
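A hands-off version of that manual edit, added here as an example and not taken from the book or from Webmin: the script rewrites ssl= in a miniserv.conf, keeps a backup, leaves every other option alone, and provides a check you can run before and after so you know the change took. The keyfile= and ssl_redirect= options it also sets are taken from the miniserv.conf of later Webmin releases, not from the book (keyfile names the PEM file holding the server certificate and key, and ssl_redirect=1 sends clients that still speak plain HTTP to the HTTPS URL); treat them as assumptions and check them against your version. The sample configuration in the usage comment is constructed.

```sh
#!/bin/sh
# Added example, not code from the book or from Webmin.
# Turns on ssl= in a miniserv.conf the way the manual edit above does,
# keeping a backup and touching no other line.

# conf_option FILE KEY: print the value of KEY= in FILE (the last one if it
# appears more than once; empty if the option is absent).
conf_option() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# set_conf_option FILE KEY VALUE: replace an existing KEY= line in place,
# or append one if the option was never set. Written through a temp file
# and renamed, so an interrupted write cannot leave a half-written config.
set_conf_option() {
  file=$1 key=$2 value=$3
  if grep -q "^$key=" "$file"; then
    awk -v k="$key" -v v="$value" '
      index($0, k "=") == 1 { print k "=" v; next }
      { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# webmin_ssl_enabled FILE: succeed only if the config says ssl=1.
webmin_ssl_enabled() {
  [ "$(conf_option "$1" ssl)" = 1 ]
}

# enable_webmin_ssl FILE [PEMFILE]: back up FILE, set ssl=1, point keyfile=
# at the certificate/key PEM unless one is already configured, and redirect
# plain-HTTP clients to HTTPS. keyfile= and ssl_redirect= are assumed from
# later Webmin versions; the default PEM path is Webmin's own default.
# Webmin must be restarted afterwards for the change to take effect.
enable_webmin_ssl() {
  conf=$1 pem=${2:-/etc/webmin/miniserv.pem}
  cp -p "$conf" "$conf.bak" || return 1
  set_conf_option "$conf" ssl 1
  [ -n "$(conf_option "$conf" keyfile)" ] || set_conf_option "$conf" keyfile "$pem"
  set_conf_option "$conf" ssl_redirect 1
  webmin_ssl_enabled "$conf"
}

# Usage (constructed example): sh enable-ssl.sh /etc/webmin/miniserv.conf
# turns a config containing "ssl=0" into one containing "ssl=1" and leaves
# the original in /etc/webmin/miniserv.conf.bak.
if [ "$#" -ge 1 ]; then
  enable_webmin_ssl "$@"
fi
```

After restarting Webmin, confirm from the server itself that the port now speaks TLS with openssl s_client -connect localhost:10000 </dev/null, which should print the server certificate and negotiated cipher; a plain-HTTP listener answers with no certificate at all.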

Firewall Configuration

As in the earlier discussion of IP Access Controls, the goal when constructing a set of firewall rules is to prevent access to sensitive ports by unknown persons. If, for example, you can restrict the external network addresses that can talk to your server on port 10000 (or whatever port you choose to run Webmin on), you make it impossible for anyone outside those addresses to exploit your Webmin installation, whatever flaw they might otherwise use, because their packets never reach it. This is perhaps a bold claim, but it holds as long as the firewall can be trusted to do its job. It says nothing, of course, about attacks launched from the hosts you did allow, which is why SSL and the IP Access Controls discussed earlier are still needed.

Unfortunately, the Internet is a world of trade-offs and constantly changing conditions. Sometimes, you simply cannot lock down your machine using a firewall without locking out all of the people who need to use it. If you remotely manage your server via a dial-up connection, the firewall clearly cannot be restricted to allowing only one IP. So compromises are required. As in the IP Access Controls, an ideal world would allow you to restrict access to only one or two external IP addresses (and some or all of the IP addresses within your own local network), but most likely you’ll have to allow large blocks of IP addresses to account for dynamically assigned addresses on dial-up, DSL, and cable Internet connections. As before, if you have a helpful ISP, you’ll be able to obtain a list of the network blocks that may be assigned to you.

Firewall configuration is outside the scope of this book, but adding protection for Webmin to an existing firewall is usually trivial. If your network does not yet have a firewall of some sort, it is well worth your time to research the options and implement a reasonable firewall. If you are using a free UNIX-like system such as FreeBSD, Linux, OpenBSD, or NetBSD, you already have access to a very flexible firewall system. All that is needed is a few hours or days to study the implementation of such firewalls and a few minutes to construct an appropriate ruleset (just don’t forget to protect the Webmin port!). Users of other UNIX variants may need to purchase a firewall package from their vendor, or a free firewall system may be available for download.
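As an added example, not from the book (which leaves firewall setup to other references): a small generator for Linux iptables rules that admits TCP connections to the Webmin port only from an allow list and drops everything else aimed at that port. The port, the allow list and the choice of iptables over a BSD packet filter are assumptions; the point that carries over to any rule-based firewall is the ordering, since rules are evaluated in order and the first match wins, so the specific ACCEPT rules must come before the catch-all DROP. The generator also refuses an empty allow list, which would otherwise lock everyone out, and rejects malformed addresses before they become rules.

```sh
#!/bin/sh
# Added example, not code from the book. Emits iptables commands that
# limit the Webmin port to an allow list; nothing is applied until the
# output is fed to a root shell.

# valid_cidr ADDR: accept a dotted-quad IPv4 address with an optional /N
# prefix length, so a typo does not silently become an unreachable or
# wide-open rule.
valid_cidr() {
  addr=$1
  case $addr in
    */*) ip=${addr%%/*}; len=${addr#*/} ;;
    *)   ip=$addr;       len=32 ;;
  esac
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# webmin_fw_rules PORT SRC...: print the rules for PORT. Loopback is
# allowed first so local tools keep working, then each source, and the
# catch-all DROP goes last because the first matching rule wins.
webmin_fw_rules() {
  port=$1; shift
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$#" -gt 0 ] || {
    echo "refusing to generate rules with an empty allow list" >&2
    return 1
  }
  for src in "$@"; do
    valid_cidr "$src" || { echo "bad source address: $src" >&2; return 1; }
  done
  printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
  for src in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Usage (addresses are constructed examples from the documentation ranges):
#   webmin_fw_rules 10000 192.0.2.10 198.51.100.0/24 | su root -c sh
if [ "$#" -ge 2 ]; then
  webmin_fw_rules "$@"
fi
```

The rules are appended with -A, which assumes no earlier rule in the INPUT chain already accepts the port; if one does, insert them ahead of it with -I instead, and look at iptables -L INPUT -n --line-numbers before and after to confirm the DROP really is the last rule that mentions the port.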



The Book of Webmin: Or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
Year: 2006
Pages: 142
Authors: Joe Cooper