On Feb 23, 2011, at 2:04 PM, "Trutwin, Joshua" <JTRUTWIN at CSBSJU.EDU> wrote:

>> +1 for Virtualmin.
>> People will brag that it's insecure etc, but it has always done the job for me
>> and I have more than 100 installations of it. I never had security problems
>> because of it.
>
> Thanks for all the posts.
>
> Curious about the "people will brag that it's insecure" - is there a poor track record of security problems with webmin?
>
> I noticed these:
>
> http://www.webmin.com/security.html
> http://tensixtyone.com/perma/woes-of-webmin
> http://doxfer.webmin.com/Webmin/SecuringWebmin
>
> I certainly don't plan to allow access to webmin save for a couple selected IPs and I'm not surprised to see any web application have security vulnerabilities. But if it's on par with something like phpbb as far as security problems go, I'll probably look elsewhere.

One nice thing, depending on how you look at it, about webmin is it's in Perl so it's easy to customize and audit (if you have enough time). You could conceivably strip it down to the bare essentials needed and audit it line by line to give you some comfort level. Then run it with selinux enabled and everything properly labeled so if someone does break it they can't get too far. Just make sure for Internet facing services it isn't set up to allow access to essential system configs, where even selinux wouldn't help you.

-Ross