On Wed, May 2, 2012 09:15, Karanbir Singh wrote:
On 05/02/2012 02:09 PM, Nux! wrote:
it manually? That is doable, of course, but kind of cumbersome. Does anybody know if there is a tool we are expected to use for that purpose?
If you're afraid of "vi", I can recommend webmin. http://dl.nux.ro/rpm/webmin.repo
and then you have 2 problems, one of which is a security hole.
I've mostly just gone to using nsupdate from the cli for all zone edits in bind zones. if you ever need the clear zone file, it's easily dumped out with rndc - works, and you can do some fairly complex things in a clear and simple transaction manner ( plus, easily automated from other scripts / code for more win )
For those of us not blessed with either the depth of experience or the time required to master every single idiosyncratic cli for each one of the very many system daemons we are required to administer Webmin is an excellent alternative to daily trips into the arcane. Any security issue respecting access to Webmin is handled simply and efficiently in three steps:
1. Set IPTables, or whatever firewall you employ, to block all access to webmin's listening port (default 10000) from addresses outside your local lan or from any but a specific host address. Do this first and reload the firewall rules.
2. Install and immediately configure Webmin to use https only. This can be done from the command line using any convenient editor by editing the following three lines in /etc/webmin/miniserv.conf:
keyfile=/etc/webmin/miniserv.pem
ssl=1
ssl_redirect=1
3. Create a secure tunnel to an address inside your firewall that is permitted access to webmin using whatever means you find convenient. I use SOCKS via "ssh -D 2001 user@host" with RSA certs and Firefox configured to use the SOCKS proxy on my local host. VPN or other techniques will work as well, if not better. But SOCKS over ssh works well enough for my purposes.
This will get you up and going without ever having to pass credentials to webmin over the wire en clair.
Webmin has the virtue of being remarkably easy to set up and simplifies most abuse configuration issues on a wide variety of services. For one, it usually handles which files require which configuration options. It does not, and cannot, cover every eventuality. But, for basic setup and ongoing control of the main system services running on most mainline Linux distros Webmin works most admirably in my experience. It certainly saves me a great deal of time and frustration.
I would not give access to Webmin to anyone that did not already have root access to that server. But, if they already have root then I see no reason to make their work any harder than it needs be.
One caution. Webmin is a powerful tool. If you do not know what you are doing then you can hurt yourself very badly with it. On the other hand I have made serious configuration errors with an editor some of which were just spelling mistakes; a problem that Webmin mostly avoids.
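Added example, not part of the original message or of Webmin: a shell check that a miniserv.conf really carries the three settings from step 2 and reports the port that the firewall rule from step 1 has to cover. The function names, the finding texts and the key-file permission check are assumptions made for this illustration; the sample config is constructed.

```shell
#!/bin/sh
# Added example: check a Webmin miniserv.conf against step 2 of the list above.
# Function names and finding texts are illustrative, not part of Webmin.

# conf_get FILE KEY: print the value of the last "KEY=value" line (empty if absent).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_miniserv FILE: print findings and the port; return 0 only if no findings.
audit_miniserv() {
    conf=$1
    bad=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    if [ "$(conf_get "$conf" ssl)" != 1 ]; then
        echo "ssl is not 1: logins can travel over plain HTTP"; bad=1
    fi
    if [ "$(conf_get "$conf" ssl_redirect)" != 1 ]; then
        echo "ssl_redirect is not 1: plain HTTP requests are not redirected to HTTPS"; bad=1
    fi
    key=$(conf_get "$conf" keyfile)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "keyfile is unset or missing: ${key:-<none>}"; bad=1
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        # Extra check, not in the original post: the PEM holds the private key.
        echo "keyfile $key is accessible to group or others"; bad=1
    fi
    # Report the port so the firewall rule from step 1 can be matched to it.
    port=$(conf_get "$conf" port)
    echo "listening port: ${port:-unset}"
    return "$bad"
}

# Constructed sample: a config that enables SSL but forgets the redirect.
demo_dir=$(mktemp -d)
printf 'dummy key material\n' > "$demo_dir/miniserv.pem"
chmod 600 "$demo_dir/miniserv.pem"
cat > "$demo_dir/miniserv.conf" <<EOF
port=10000
ssl=1
keyfile=$demo_dir/miniserv.pem
EOF
audit_miniserv "$demo_dir/miniserv.conf" || echo "result: needs attention"
rm -rf "$demo_dir"
```

On a real host the call would be audit_miniserv /etc/webmin/miniserv.conf, run as a user that can read that file.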
Hi,
On 05/02/2012 05:58 PM, James B. Byrne wrote:
and then you have 2 problems, one of which is a security hole. I've mostly just gone to using nsupdate from the cli for all zone
For those of us not blessed with either the depth of experience or the
sure, if you are new to Linux on the whole and need a point and click basics interface to a bunch of things webmin might be a suitable option - but no matter how you swing it, Linux admin done right, is going to need you to graduate from that point-click-livewiththelimitations mentality and make an effort to learn a few things. The earlier one gets into that, the better overall experience you are likely to have.
security issue respecting access to Webmin is handled simply and efficiently in three steps:
( you then listed 3 ways to limit access, and you are wrong by a wide margin )
the most important vuln in webmin is how it's designed, perl interfaces running as root with exclusive rights to anything on the machine, easily fiddled with on the machine itself. Perhaps 90% of all hacked centos machines running webmin, that I've looked at, were exploited locally.
Also, your email client looks to be broken, it's not setting headers needed for mailing lists threading
- KB
On 5/2/2012 4:17 PM, Karanbir Singh wrote:
Hi,
On 05/02/2012 05:58 PM, James B. Byrne wrote:
and then you have 2 problems, one of which is a security hole. I've mostly just gone to using nsupdate from the cli for all zone
For those of us not blessed with either the depth of experience or the
sure, if you are new to Linux on the whole and need a point and click basics interface to a bunch of things webmin might be a suitable option - but no matter how you swing it, Linux admin done right, is going to need you to graduate from that point-click-livewiththelimitations mentality and make an effort to learn a few things. The earlier one gets into that, the better overall experience you are likely to have.
security issue respecting access to Webmin is handled simply and efficiently in three steps:
( you then listed 3 ways to limit access, and you are wrong by a wide margin )
the most important vuln in webmin is how it's designed, perl interfaces running as root with exclusive rights to anything on the machine, easily fiddled with on the machine itself. Perhaps 90% of all hacked centos machines running webmin, that I've looked at, were exploited locally.
Also, your email client looks to be broken, it's not setting headers needed for mailing lists threading
- KB
Oh snap!!!!
Karanbir Singh wrote: <snip>
Also, your email client looks to be broken, it's not setting headers needed for mailing lists threading
Ah! Since I haven't had any problems recently, I'll mention that my hosting provider added Ensignia, which is apparently on top of squirrel mail, and I assume takes care of things like the headers that squirrel misses.
mark