[CentOS] firewalld management on a headless server

Tue Mar 28 13:35:43 UTC 2017
James B. Byrne <byrnejb at harte-lyne.ca>

On Mon, March 27, 2017 17:31, m.roth at 5-cent.us wrote:
> Mike wrote:
>> Nice catch, Mr. Schumacher --->  The following modules are included
>> as
>> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
>> Configure a Linux firewall using FirewallD, by editing allowed
>> services and ports.
>> This is likely the right tool for the job.
> Webmin used to be considered insecure, and people would scream and
> yell if you suggested using it. Has that changed?

Webmin is as insecure as the administrator cares to make it.

Our host systems' Webmin instances listen on a reserved IP address
different from the host's DNS entry and that address is only reachable
through the host's firewall from specified IP addresses originating on
our internal LAN.  Further, Webmin is configured to automatically
switch to https and use a certificate generated by our corporate
private CA. Our gateway firewall blocks all access to the port
assigned to Webmin.  One has to tunnel in to one of the pre-determined
host addresses to obtain remote access.

A separate webmin logon is set in the webmin configuration which has
no existence on the host system.

Webmin can also be configured to restrict the hours and day that
asccess is allowed to specific users but we have not bothered with

The main known weakness is Webmin's dependency on passwords which for
all I know is due to my ignorance.  If Webmin does support RSA
certificate authentication then I would love to be told where it is
configured.  However,failing that, very long phase phrases mitigate
the password issue somewhat. Further, Webmin does support two-factor
authentication using Google or Authy.

To my knowledge there are no CVEs reported for Webmin since 2015 and I
believe that all known problems are resolved in the present release. 
Which is not to say that there are no exploits left to be uncovered
but then again we can hardly claim that about any software.

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3