James B. Byrne wrote: > > On Mon, March 27, 2017 17:31, m.roth at 5-cent.us wrote: >> Mike wrote: >>> Nice catch, Mr. Schumacher ---> The following modules are included as standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz Configure a Linux firewall using FirewallD, by editing allowed services and ports. >>> >>> This is likely the right tool for the job. >>> >> Webmin used to be considered insecure, and people would scream and yell if you suggested using it. Has that changed? > > Webmin is as insecure as the administrator cares to make it. > > Our host systems' Webmin instances listen on a reserved IP address different from the host's DNS entry and that address is only reachable through the host's firewall from specified IP addresses originating on our internal LAN. Further, Webmin is configured to automatically switch to https and use a certificate generated by our corporate private CA. Our gateway firewall blocks all access to the port > assigned to Webmin. One has to tunnel in to one of the pre-determined host addresses to obtain remote access. > > A separate webmin logon is set in the webmin configuration which has no existence on the host system. > > Webmin can also be configured to restrict the hours and day that asccess is allowed to specific users but we have not bothered with that. > > The main known weakness is Webmin's dependency on passwords which for all I know is due to my ignorance. If Webmin does support RSA > certificate authentication then I would love to be told where it is configured. However,failing that, very long phase phrases mitigate the password issue somewhat. Further, Webmin does support two-factor authentication using Google or Authy. > > To my knowledge there are no CVEs reported for Webmin since 2015 and I believe that all known problems are resolved in the present release. Which is not to say that there are no exploits left to be uncovered but then again we can hardly claim that about any software. > Thanks for the extended response, James, esp. that last paragraph. I hadn't been following webmin for a number of years - we don't use it here. I did find and use it in a job I was in ten years ago - it was the only way I could get LDAP working, as, at the time, the tools that came with the package were *not* ready for prime time.... mark PS: Tried reply, James, but it bounced.