Security Basics mailing list archives
RE: Webmin Security Questions
From: "Paris E. Stone" <paris () archerva com>
Date: Fri, 25 Oct 2002 13:45:00 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Webmin runs its own mini-httpd server. Point 2 below is not valid.

Hazarding a guess, say 60% of admins are not security aware. Also that 50% of administrators use point-and-click and know nothing about the underpinnings of any OS that they administer.

ACLs on the edge router, or placing the box behind a firewall and not letting TCP port 10000 through effectively blocks external access to the webmin mini-httpd service.

"Security is a layered methodology".

Webmin running on an unprotected host, yes, is bad.

Webmin is a nice tool, makes linux accessible to those who would otherwise not use it and can provide a migration path away from Micro$oft.

Webmin is mature, stable and very useful for almost all aspects of a linux server.

My $.02

- -----Original Message-----
From: ATD [mailto:simon () snosoft com]
Sent: Thursday, October 24, 2002 2:04 PM
To: Allan Jensen
Cc: security-basics () securityfocus com
Subject: RE: Webmin Security Questions

All,

Three points:

1-) I have seen remote exploits for webmin that grant shell access due to flaws in the scripts that webmin uses.

2-) Webmin requires an httpd to run. If you are using webmin to manage your mail server, then you need to run httpd on your web server, which you would not need to do otherwise. In doing that you open up another service for an attacker to pounce on.

3-) Why would a systems administrator rely on a web-based administration tool? Shouldn't that administrator understand the inner workings of his or her system? Shouldn't that administrator also be security aware?

Don't get me wrong, webmin does have a place but I do not see it in a network that requires any serious level of security. It would be handy for a test network, or maybe an isolated network behind a few firewalls. I would not suggest using it on any system directly exposed to the internet though.

Allan Jensen wrote:

-----Original Message-----
From: Joe McCray [mailto:joemccray () hardestworkingmanonline com]
Sent: 21. oktober 2002 21:49
To: security-basics () securityfocus com
Subject: Webmin Security Questions

Have any of you used Webmin http://www.webmin.com/
[...]
Any opinions?

Yep - it's a quite decent administration package for anyone afraid of administering a system via a keyboard :o)

That aside; running it over standard HTTP is - obviously - a security risk; you want to apply SSL. There's some info here: http://www.webmin.com/ssl.html

So throw SSL into the equation and I'd say you're fairly secure using it.

Best regards,
-Allan Jensen

- --
- -ATD-
- -------------------------------------------------------------
Secure Network Operations | Strategic Reconnaissance Team
http://www.snosoft.com | recon () snosoft com
Cerebrum Project | cerebrum () snosoft com
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: http://www.parisstone.com/

iQA/AwUBPbmBqP2j5dDsq7N3EQI/YQCfYgqaFDOc2CKzRRThG141F/M/8K4An35s
hv4ey5gjHh4x0BZq5hzRDLr0
=pzT1
-----END PGP SIGNATURE-----
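
The layered controls discussed in this thread (SSL on the listener, keeping TCP port 10000 away from outside hosts) can be checked from Webmin's own `miniserv.conf`. The script below is an added example, not part of the original messages or of Webmin. It assumes the `ssl`, `bind`, `allow` and `port` keys, that an unset `ssl` means plain HTTP and an unset `bind` means all interfaces, and it uses constructed sample configs.

```python
import ipaddress

# Constructed sample configs (not taken from any real host).
WEAK = "port=10000\nssl=0\n"
HARDENED = "port=10000\nssl=1\nbind=192.0.2.10\nallow=127.0.0.1 192.0.2.0/24\n"

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def allow_is_open(entries):
    """True if there is no allow list or an entry matches every address."""
    if not entries:
        return True
    for entry in entries:
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # hostname entry: cannot be judged offline
    return False

def audit(text):
    """Return (key, finding) pairs for settings that leave Webmin exposed."""
    conf = parse_conf(text)
    port = conf.get("port", "10000")
    findings = []
    if conf.get("ssl", "0") != "1":
        findings.append(("ssl", "HTTP only: credentials cross the network in cleartext"))
    if conf.get("bind", "") in ("", "0.0.0.0"):
        findings.append(("bind", "listens on all interfaces; filter TCP port %s upstream" % port))
    if allow_is_open(conf.get("allow", "").split()):
        findings.append(("allow", "no source-address restriction on the listener"))
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

A clean result here only covers the host-side layer; the edge ACL or firewall rule for the same port still has to be verified separately.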
