Remote system administration is a potentially huge security loophole, no matter how it's conducted, whether via a text-mode or GUI login or through a dedicated configuration tool like those discussed in this chapter. There are two major classes of concern: the passwords and data these tools exchange can be intercepted on the network, and a single captured username and password can hand an intruder full administrative control.
In both of these cases, the risks increase if you run a dedicated remote administrative tool in addition to a regular remote login tool, as opposed to running the remote login tool alone. As described in Chapter 13, some remote login tools send their passwords in an unencrypted form, but others (such as the Secure Shell, SSH) encrypt the password and all subsequent data. Linuxconf and SWAT both send passwords unencrypted, so if you have standardized on SSH for logins on security grounds, running Linuxconf or SWAT alongside it largely negates SSH's advantages. Webmin may optionally use the Secure Sockets Layer (SSL; see http://www.openssl.org) for encryption, so Webmin can protect your passwords and other data; however, configuring Webmin to use SSL requires installing and setting up SSL support. Because of the lack of encryption in these tools, I strongly recommend against using Linuxconf, SWAT, or a non-SSL-protected Webmin on anything but a trusted local network.
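The following script is an added example, not code from the book or from any of these projects. It shows concretely what "unencrypted passwords" means for a web-based administration tool: SWAT and Linuxconf's web mode use HTTP Basic authentication, in which the browser sends the password base64-encoded, an encoding anyone who can capture the traffic reverses in one command. The captured request below is constructed for the demonstration (the hostname and credentials are invented), and the second function applies the Webmin side of the fix, turning on SSL in Webmin's miniserv.conf. The miniserv.conf it edits is a throwaway copy; the real file is /etc/webmin/miniserv.conf.

```shell
#!/bin/sh
# Added example, not from the book: what an eavesdropper recovers from an
# unencrypted web-administration login, and the Webmin change that closes
# that hole. Needs only POSIX sh, base64(1) and sed(1).

# Constructed capture of a browser logging in to SWAT on its default port.
# SWAT and Linuxconf's web mode use HTTP Basic authentication: the
# password travels as base64, which is reversible encoding, not encryption.
CAPTURED_REQUEST='GET /status HTTP/1.0
Host: server.example.com:901
Authorization: Basic cm9vdDpzM2NyM3RQYXNz
User-Agent: Mozilla/4.0'

# basic_auth_creds REQUEST: print user:password from the Authorization
# header of an HTTP request; return 1 if there are no Basic credentials.
basic_auth_creds() {
    token=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's|^Authorization: Basic \([A-Za-z0-9+/=]*\).*|\1|p' | head -n 1)
    [ -n "$token" ] || return 1
    printf '%s' "$token" | base64 -d
}

# enable_webmin_ssl CONF [KEYFILE]: rewrite a Webmin miniserv.conf so that
# miniserv speaks HTTPS. Webmin reads ssl=1 and keyfile= from this file;
# the Net::SSLeay Perl module must be installed, and KEYFILE must hold the
# server's private key and certificate in PEM form.
enable_webmin_ssl() {
    conf=$1
    keyfile=${2:-/etc/webmin/miniserv.pem}
    sed '/^ssl=/d; /^keyfile=/d' "$conf" > "$conf.tmp" &&
        printf 'ssl=1\nkeyfile=%s\n' "$keyfile" >> "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Demonstration on the constructed capture and on a throwaway copy of a
# miniserv.conf (the real file is /etc/webmin/miniserv.conf).
echo "Sniffed credentials: $(basic_auth_creds "$CAPTURED_REQUEST")"
DEMO_CONF=$(mktemp)
printf 'port=10000\nssl=0\nroot=/usr/libexec/webmin\n' > "$DEMO_CONF"
enable_webmin_ssl "$DEMO_CONF"
echo "Rewritten miniserv.conf:"
cat "$DEMO_CONF"
```

To use the second function for real, first create the PEM file, for instance with a self-signed certificate: `openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/webmin/miniserv.pem -out /etc/webmin/miniserv.pem`, then run `enable_webmin_ssl /etc/webmin/miniserv.conf` and restart Webmin. Browsers will then reach it at `https://host:10000/`. Note that SSL protects the password in transit only; it does nothing about the single-password problem discussed next.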
The remote administration tools also grant full access to anyone who knows just one username and password. As described in Chapter 13, many remote login servers can be configured to accept logins only from ordinary users, which means that an administrator must know two passwords to administer the system: an ordinary username/password pair and the root password (used in conjunction with su or a similar tool). In sum, of the remote administration tools discussed in this chapter, only Webmin provides the sort of encryption found in tools like SSH, and even at its best Webmin is slightly more vulnerable than a two-password SSH login to a password that's been obtained in some way other than network sniffing, because that single password is enough to administer the system.
You can reduce some of the risks of unauthorized access by limiting the systems that can connect to the administrative server. As described earlier in this chapter, Linuxconf includes tools to let you do this by specifying authorized IP addresses or network ranges. Any of these programs can be protected by TCP Wrappers or xinetd, as described in Chapter 4, if you start the servers from a super server, as is the default for Linuxconf and SWAT. You can also configure a firewall to limit access to the remote administration port, as described in Chapter 25, Configuring iptables. These measures won't limit the risks of password sniffing, though, and IP addresses can be forged, or even taken over outright if the intruder has physical access to the network. Thus, such procedures can't eliminate all risks, although they're important.
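The script below is an added example, not from the book or from the Linuxconf, Samba, xinetd or iptables projects; it puts the three restriction layers just described side by side for one trusted network. The network 192.168.1.0/24 is an assumption to be replaced with your own administrative LAN; the ports are the tools' defaults (98 for Linuxconf's web interface, 901 for SWAT, 10000 for Webmin), so check them against your configuration. The rules are printed for review rather than applied; classic TCP Wrappers wants a dotted netmask rather than a CIDR prefix, so the script converts between the two.

```shell
#!/bin/sh
# Added example, not from the book: restrict the web-administration ports
# to one trusted network at three layers (TCP Wrappers, xinetd, iptables).
# The network is an assumption; the ports are the tools' default ports.
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0}
TRUSTED_PREFIX=${TRUSTED_PREFIX:-24}
LINUXCONF_PORT=98      # linuxconf web interface
SWAT_PORT=901          # Samba Web Administration Tool
WEBMIN_PORT=10000      # Webmin's miniserv

# prefix_to_mask PREFIX: CIDR length -> dotted netmask, because classic
# TCP Wrappers only understands the net/mask form in hosts.allow.
prefix_to_mask() {
    p=$1
    mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then o=0
        else o=$((256 - (1 << (8 - p)))); p=0
        fi
        mask=${mask}${mask:+.}$o
    done
    printf '%s\n' "$mask"
}

# tcp_wrappers_rules NET PREFIX: lines for /etc/hosts.allow and
# /etc/hosts.deny. The daemon names are the server binaries' names, which
# is what tcpd/libwrap match; this only protects servers started through
# the super server (or linked against libwrap).
tcp_wrappers_rules() {
    printf 'hosts.allow: linuxconf swat : %s/%s\n' "$1" "$(prefix_to_mask "$2")"
    printf 'hosts.deny:  linuxconf swat : ALL\n'
}

# xinetd_stanza NET PREFIX: an /etc/xinetd.d/swat entry whose only_from
# enforces the same restriction inside xinetd itself.
xinetd_stanza() {
    cat <<EOF
service swat
{
    port            = $SWAT_PORT
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    only_from       = $1/$2
    log_on_failure += USERID
    disable         = no
}
EOF
}

# iptables_rules NET PREFIX: per administrative port, one ACCEPT for the
# trusted network followed by a DROP for everyone else. Order matters:
# -A appends, so the ACCEPT is emitted before the DROP. Printed rather
# than executed so the rules can be reviewed; pipe into sh as root to apply.
iptables_rules() {
    for port in $LINUXCONF_PORT $SWAT_PORT $WEBMIN_PORT; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s/%s -j ACCEPT\n' "$port" "$1" "$2"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Print all three layers for review.
tcp_wrappers_rules "$TRUSTED_NET" "$TRUSTED_PREFIX"
xinetd_stanza      "$TRUSTED_NET" "$TRUSTED_PREFIX"
iptables_rules     "$TRUSTED_NET" "$TRUSTED_PREFIX"
```

Use the layers together rather than picking one: the iptables rules protect a server even if it is started directly rather than from a super server, while the TCP Wrappers and xinetd settings still apply if the firewall is flushed. None of them prevents a sniffer on the trusted network from reading the passwords, which is exactly the limitation the paragraph above describes.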
As a general rule, it's best to limit the number of servers a system runs, both to minimize the risk of server bugs and to restrict the number of entry points that might be abused. If a system must run a remote login server, particularly one that encrypts data, such as SSH, the safest course from a security point of view is to use that login tool to administer the system when remote administration is required; administration-specific tools like those discussed in this chapter pose an additional risk. This risk may be justified on sufficiently protected networks if administrators are more comfortable with these tools, though. Remote administration tools can also be worthwhile if no conventional remote login servers are being run but remote administration is desirable.
You might be tempted to use limited administrative servers, such as SWAT, in place of full-access servers, such as Linuxconf and Webmin, as a security precaution. After all, if an intruder can break into SWAT, the damage that intruder can do is limited, right? This may be the case for some limited administrative servers, but many provide enough leverage that an intruder could do substantial damage. For instance, somebody who breaks into SWAT can create a file share that provides full read/write access to the entire /etc directory. The intruder could use this access to alter additional key configuration files, activating Telnet access, adding accounts, and so on. Nonetheless, using more limited administrative tools might at least slow down an intruder.
Finally, the security precautions described here are only a start. Part IV of this book is devoted to security matters. This section highlights some of the more important issues because remote administration servers are particularly powerful tools that can be more easily abused than most other servers, if compromised.