[CentOS] firewalld management on a headless server

Tue Mar 28 18:09:32 UTC 2017
m.roth at 5-cent.us <m.roth at 5-cent.us>

James B. Byrne wrote:
> On Mon, March 27, 2017 17:31, m.roth at 5-cent.us wrote:
>> Mike wrote:
>>> Nice catch, Mr. Schumacher --->  The following modules are included as
standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
Configure a Linux firewall using FirewallD, by editing allowed
services and ports.
>>> This is likely the right tool for the job.
>> Webmin used to be considered insecure, and people would scream and yell
if you suggested using it. Has that changed?
> Webmin is as insecure as the administrator cares to make it.
> Our host systems' Webmin instances listen on a reserved IP address
different from the host's DNS entry and that address is only reachable
through the host's firewall from specified IP addresses originating on
our internal LAN.  Further, Webmin is configured to automatically switch
to https and use a certificate generated by our corporate private CA.
Our gateway firewall blocks all access to the port
> assigned to Webmin.  One has to tunnel in to one of the pre-determined
host addresses to obtain remote access.
> A separate webmin logon is set in the webmin configuration which has no
existence on the host system.
> Webmin can also be configured to restrict the hours and day that asccess
is allowed to specific users but we have not bothered with that.
> The main known weakness is Webmin's dependency on passwords which for
all I know is due to my ignorance.  If Webmin does support RSA
> certificate authentication then I would love to be told where it is
configured.  However,failing that, very long phase phrases mitigate the
password issue somewhat. Further, Webmin does support two-factor
authentication using Google or Authy.
> To my knowledge there are no CVEs reported for Webmin since 2015 and I
believe that all known problems are resolved in the present release.
Which is not to say that there are no exploits left to be uncovered but
then again we can hardly claim that about any software.
Thanks for the extended response, James, esp. that last paragraph. I
hadn't been following webmin for a number of years - we don't use it here.
I did find and use it in a job I was in ten years ago - it was the only
way I could get LDAP working, as, at the time, the tools that came with
the package were *not* ready for prime time....


PS: Tried reply, James, but it bounced.