[CentOS] editing bind (DNS) configuration under CentOS 6

James B. Byrne byrnejb at harte-lyne.ca
Wed May 2 16:58:37 UTC 2012


On Wed, May 2, 2012 09:15, Karanbir Singh wrote:
> On 05/02/2012 02:09 PM, Nux! wrote:
>>> it manually? That is doable, of course, but kind of cumbersome.
>>> Does anybody know if there is a tool we are expected to use for
>>> that purpose?
>>
>> If you're afraid of "vi", I can recommend webmin.
>> http://dl.nux.ro/rpm/webmin.repo
>>
>
> and then you have 2 problems, one of which is a security hole.
>
> I've mostly just gone to using nsupdate from the cli for all zone
> edits in bind zones. If you ever need the clear zone file, it's
> easily dumped out with rndc - works, and you can do some fairly
> complex things in a clear and simple transaction manner ( plus,
> easily automated from other scripts / code for more win )
>

For those of us not blessed with either the depth of experience or the
time required to master every single idiosyncratic cli for each one of
the very many system daemons we are required to administer, Webmin
is an excellent alternative to daily trips into the arcane.  Any
security issue respecting access to Webmin is handled simply and
efficiently in three steps:

1.  Set IPTables, or whatever firewall you employ, to block all access
to webmin's listening port (default 10000) from addresses outside your
local lan or from any but a specific host address.  Do this first and
reload the firewall rules.

2. Install and immediately configure Webmin to use https only.  This
can be done from the command line using any convenient editor by
editing the following three lines in /etc/webmin/miniserv.conf:

keyfile=/etc/webmin/miniserv.pem
ssl=1
ssl_redirect=1

3. Create a secure tunnel to an address inside your firewall that is
permitted access to webmin using whatever means you find convenient. 
I use SOCKS via "ssh -D 2001 user@host" with RSA certs and Firefox
configured to use the SOCKS proxy on my local host.  VPN or other
techniques will work as well, if not better.  But SOCKS over ssh works
well enough for my purposes.

This will get you up and going without ever having to pass credentials
to webmin over the wire en clair.

Webmin has the virtue of being remarkably easy to setup and simplifies
most abuse configuration issues on a wide variety of services.  For
one, it usually handles which files require which configuration
options. It does not, and cannot, cover every eventuality. But, for
basic setup and ongoing control of the main system services running on
most mainline Linux distros Webmin works most admirably in my
experience.  It certainly saves me a great deal of time and
frustration.

I would not give access to Webmin to anyone that did not already have
root access to that server.  But, if they already have root then I see
no reason to make their work any harder than it needs be.

One caution.  Webmin is a powerful tool.  If you do not know what you
are doing then you can hurt yourself very badly with it.  On the other
hand I have made serious configuration errors with an editor some of
which were just spelling mistakes; a problem that Webmin mostly
avoids.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
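
As an added example (not part of the original message and not Webmin's own tooling), a shell check for the step 2 settings: it confirms that `ssl` and `ssl_redirect` are 1 in a miniserv.conf and that the `keyfile` exists and is not accessible to group or others. The function names, the output format and the key file permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the HTTPS settings from step 2 in a miniserv.conf.
# Function names and the permission check are choices of this example.

# conf_get FILE KEY: print the value of the last "KEY=value" line, if any.
conf_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2); f = 1 }
        END { if (f) print v }' "$1"
}

# audit_miniserv FILE: one finding per line; returns 0 only if every check passes.
audit_miniserv() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL cannot read $conf"
        return 2
    fi
    # Both flags must be exactly 1, otherwise plain HTTP logins stay possible.
    for key in ssl ssl_redirect; do
        val=$(conf_get "$conf" "$key")
        if [ "$val" = "1" ]; then
            echo "OK   $key=1"
        else
            echo "FAIL $key=${val:-<unset>} (expected 1)"
            rc=1
        fi
    done
    # The key file must exist and carry no group/other permission bits.
    keyfile=$(conf_get "$conf" keyfile)
    if [ -z "$keyfile" ]; then
        echo "FAIL keyfile is not set"
        rc=1
    elif [ ! -f "$keyfile" ]; then
        echo "FAIL keyfile $keyfile does not exist"
        rc=1
    elif [ "$(ls -ldL "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "FAIL keyfile $keyfile is accessible to group or others"
        rc=1
    else
        echo "OK   keyfile=$keyfile"
    fi
    return $rc
}

# Usage: sh audit_miniserv.sh /etc/webmin/miniserv.conf
if [ $# -gt 0 ]; then
    audit_miniserv "$1"
fi
```
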
