On many occasions, I have been brought in to administer a Linux server only to find out one server was hosting a myriad of services. I check the system only to discover I have little time to edit configuration files, run a number of service configuration tools, and restart said services. Each time this occurs, I am befuddled as to why people who install systems — especially multi-service systems — don't think to include a tool to configure each service.
Fortunately, a few years ago, a team got together and created the Webmin tool to help administrators easily administer Linux servers. I've used this tool on a number of occasions and am always floored by its simplicity and scope. I figured it was time I enlightened those of you not familiar with this wonder tool.
Of course, what good is a tool such as Webmin if it can't be secured? (Not much.) This article will take a look at some of Webmin's security features, so you can feel safe using Webmin on your mission-critical servers.
There are a number of ways to go about the installation of Webmin, but the easiest and most consistent method of installing Webmin is from source. To get the source tarball, go to http://prdownloads.sourceforge.net/webadmin/webmin-1.310.tar.gz for the latest release. Once you have that file downloaded, you are going to untar the archive with the command tar xvzf webmin-1.310.tar.gz.
Now, cd into the newly created webmin-1.310 directory. Inside of this directory is the setup script you are going to run to install Webmin. From within this directory, run the command ./setup.sh /var/www/html/webmin (where /var/www/html/webmin is the directory you wish to install Webmin into). NOTE: The /var/www/html/webmin directory does not have to exist, because the Webmin setup script will create it for you.
While the installation script is running it is going to ask you the following:
- Webmin configuration directory
- The location at which Webmin will store logs
- Path to Perl
- Your server OS (Webmin does a good job of auto-detecting and will ask)
- The port that Webmin will run on (defaults to 10,000)
- The user name and password to log in to Webmin
- Your server's hostname (Webmin tries to detect this)
- SSL usage — should only prompt if Perl's SSL libraries are installed (this author has not run Webmin under SSL)
- Whether you want Webmin to start with system boot (highly recommended)
An interesting gotcha: During installation on Fedora Core 6, the only question I was asked was for the installation directory. I was not prompted for a password, server hostname, server OS, port number, path to Perl, or SSL usage. Initially, it caused many an eyebrow lift when I logged into the site without an admin password.
Taking a stab in the dark, I used the root user/password for my system; it worked. I attribute this to Webmin being previously installed (but not run) via RPM. After the installation script completed, it informed me:
Webmin has been installed and started successfully. Use your web browser to go to
and login with the name and password you entered previously.
Because Webmin uses SSL for encryption only, the certificate it uses is not signed by one of the recognized CAs such as Verisign. When you first connect to the Webmin server, your browser will ask you if you want to accept the certificate presented, as it does not recognize the CA. Say yes.
The directory from the previous version of Webmin
Can now be safely deleted to free up disk space, assuming third-party modules have been copied to the new
The last section of the presented information was a good hint as to why I was not given the chance to set up an admin.
Now that Webmin is installed, it's time to take a peek around and see what it has to offer.
As stated above, you may have to log in with your root user/password. Once logged in, you will be greeted with the Webmin main page seen in Figure A. From there the first place to visit is the Webmin Configuration screen seen in Figure B.
Figure A: Webmin's main administration page.
Figure B: Here you can configure Webmin options.
From within the Webmin configuration screen, there are a number of items you will want to set up. Obviously, security for such a tool is high on the list. Click on the IP Access Control link to set up a list of allowed or denied hosts. Doing so prevents password guessing. You may have set up a rigid password that's a mixture of alpha and numeric characters (as well as upper and lower case), but eventually someone's going to crack it. To add one more layer of security, set up this list so that you allow only specific IP addresses to access the tool. Make sure you include any known safe IP address that will need access to the Webmin interface. All other hosts are denied.
Along this same line of security, click on the Trusted Referrers link. From here, you can configure Webmin's referrer-checking support, which ensures that malicious links from other sites cannot trick your browser into doing dangerous things with Webmin. In this section, there is a text area where you can enter trusted sites, a radio selection, and a check box. The radio selection allows you to choose to enable referrer checking, and the check box allows you to select to trust links from unknown referrers.
From everything I've read and experienced, the default configuration for Webmin is pretty secure. But for those working with mission-critical servers, it might befit you to uncheck the Trust Links From Unknown Referrers box, and configure some trusted Web sites.
The next step in securing Webmin is enabling the system to use SSL tunnels; this will allow remote login without passing unencrypted passwords across the ether. But there are steps that must be taken before this feature can be used. First, OpenSSL must be installed; on many newer distributions, this is already taken care of. If not, then download the most recent OpenSSL from rpmfind and run the command (as root) rpm -ivh openssl-XXX.rpm (where XXX is the release number).
With OpenSSL installed, you must install the Net::SSLeay Perl module. Download this module from the Net::SSLeay site, untar the archive with the command tar xvzf Net_SSLeay.pm-XXX.tar.gz (where XXX is the release number), change into the newly created Net::SSLeay directory, run the command perl Makefile.PL, and run the command make install.
To test the installation, run the command: perl -e 'use Net::SSLeay'. If no errors are reported, you are good to go.
Click the SSL Encryption link from within the Webmin Configuration page, and you should see the following text, indicating SSL is working properly:
The host on which Webmin is running appears to have the SSLeay Perl module installed.
The first thing you want to verify is whether Enable SSL If Available? is checked. If it is, then you should now be able to log in to your Webmin site with the URL https://localhost.localdomain:10000/.
Your Webmin login is now encrypted.
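The three settings covered above (IP Access Control, Trusted Referrers and SSL) can also be checked from the command line. The script below is an added example, not part of the original article or of Webmin itself; it assumes the settings are stored as ssl= and allow= in miniserv.conf and referers_none= in config inside the Webmin configuration directory you chose during setup, and it runs against a constructed sample directory unless you pass a real one as the first argument.

```shell
#!/bin/sh
# Added example: audit the Webmin settings discussed in the article.
# Assumptions: key names (ssl, allow in miniserv.conf; referers_none in
# config) and that both files live in the Webmin configuration directory.

# conf_get FILE KEY: print the value of the last "KEY=value" line, if any.
conf_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# audit_webmin DIR: print one line per finding; exit status = finding count.
audit_webmin() {
    dir=$1
    findings=0
    if [ "$(conf_get "$dir/miniserv.conf" ssl)" != "1" ]; then
        echo "FAIL ssl: SSL is not enabled, logins cross the network unencrypted"
        findings=$((findings + 1))
    fi
    if [ -z "$(conf_get "$dir/miniserv.conf" allow)" ]; then
        echo "FAIL allow: no allowed-address list, any host can reach the login page"
        findings=$((findings + 1))
    fi
    if [ "$(conf_get "$dir/config" referers_none)" != "1" ]; then
        echo "FAIL referers_none: links from unknown referrers are trusted"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: SSL, IP access control and referrer checks are all set"
    fi
    return "$findings"
}

# Constructed sample: a config directory with SSL on, no IP allow list,
# and unknown referrers trusted. Pass a real directory as $1 to audit it.
demo_dir=$(mktemp -d)
printf 'port=10000\nssl=1\n' > "$demo_dir/miniserv.conf"
printf 'referers_none=0\n' > "$demo_dir/config"
audit_webmin "${1:-$demo_dir}" || echo "findings: $?"
rm -rf "$demo_dir"
```

Run it as root after changing settings in the Webmin Configuration screen; a non-zero exit status is the number of settings still at their weaker value.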
Creating Webmin users is a very important task and one that should not be taken lightly. It's necessary to grant users access to various aspects of your Webmin server (especially if your company's server farm cannot be administered by one person alone).
However, as in any good UNIX environment, users should be created and maintained wisely. To make this an easier task, I suggest creating groups to suit your needs. Say, for example, you have an IT team that needs access to the Webmin interface. From the Webmin main menu, click on Webmin Users. Inside this page, Webmin Groups can be administered. Click on Create New Webmin Group to create a new group.
From the list of options, select which modules the IT group needs to have access to, and click Save. Now, go to the Create Webmin User section, and create a new user. During this configuration, select the IT group from the Member Of Group list. There are some nice configuration options here, such as allowing users access to the site only on given days and/or times. Once you Save, the user will be created, and the user will inherit all of the options from the IT group.
Finally, let's set up the Shorewall Firewall through Webmin. On many default installations, Shorewall will not be installed. Download the Shorewall rpm, and run the command (as root): rpm -ivh shorewall-XXX.rpm (where XXX is the release number) to install Shorewall.
With the firewall application installed, click the Networking icon from the main Webmin page, and then the Shorewall icon. Within the Shorewall section, you will see numerous configuration options. From here, one of the handiest tools is the Firewall Rules section, which allows you to create new firewall rules without having to manually create iptables-like rules. Instead, you are offered a medley of drop-down lists, text boxes, and check boxes to make creating firewall rules as simple as a point and click.
Within this same module, you can do the following:
- Create Zones
- Define managed network interfaces
- Create default policies
- Prioritize IP traffic
- Define masquerading policies
- Setup static NAT
- Setup Proxy ARP
- Define what happens when Shorewall is stopped
- Create VPN tunnels
- Create Zone Hosts
- Create a blacklist
- Define additional routing tables
One final security-minded module is within the Others section (from the main menu). This module is the Protected Directories module. If you click on Add Protection For A New Directory, you will find yourself able to set up protection for a directory housed on your server. This module sets up .htaccess on said directory without having to muck with the command line interface.
If you've ever used .htaccess, you know how much of a hassle it can be. Now, take notice of the Choose Automatically options within the module — this tells Webmin to create all the necessary files and entries to enable .htaccess on the chosen directory.
Webmin is a powerful tool. Many people overlook this brilliant piece of work because of its cost (or lack thereof). Don't let the price fool you; Webmin is far more useful and more powerful than most applications costing ten times as much. Additionally, Webmin can be easily secured, making it an even more attractive application for enterprise computing. Install it; you won't regret it.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.