HOWTO: Webmin in Ubuntu

[Readis]

First of all, and most important... DON'T use the webmin from apt-get or Synaptic. These are older files, and they will require 'root' as the login. I know, I know... there are ways to login as root, and use root access, but why deal with it? Here is what I have done, and it is much more secure then what you will get with their packages.

Prereqs: Perl 5 interpreter (Should be installed with base system)
libnet-ssleay-perl ( Not install with base system... get with Synaptic)

Download 'webmin-1.170.tar.gz' from www.webmin.com/download.html
-------
cd (location you downloaded to)
sudo tar xzvf webmin-1.170.tar.gz
cd webmin-1.170
sudo sh setup.sh
-------
In the install you will have several choices to make...
-------
Config file directory [/etc/webmin]:
# Leave as default, or change as you wish

Log file directory [/var/webmin]:
# Leave as default, or change as you wish

Full path to perl (default /usr/bin/perl):
# Leave as default, or change as you wish

Operating system:
#Enter '6'

Version:
#Enter '6'

Web server port (default 10000):
# This is where you can start to make webmin more secure then
# the standard install you get with apt-get, Synaptic, or RPM.
# Leave as default or change it to what ever port you want.

Login name (default admin):
# The first time I ran this I thought 'default admin' was 'root'...
# Nope. It is 'admin', so you can leave it as that, or put in
# any name that you like. I would recommend a name that is
# not installed on your system.

Login password:
# By creating the user above and giving it a password, you have
# now made it so you will not need to log into webmin with root.

Password again:
# Self explanatory

## If you did not install 'libnet-ssleay-perl' you will get the following message:
## 'The Perl SSLeay library is not installed. SSL not available.'
## You can continue with the install, but I would not recommend it.
## Install the file with Synaptic, and start the script over.
## You will then get the following:

Use SSL (y/n):
# Of course 'y'

Start Webmin at boot time (y/n):
#Once agian... 'y'

# At this point it is going to configure things, install things, and
# create things... blah blah blah.
# It will then tell you that you can log in to https://hostname:10000
# and to accept the certificate.

There you go... a more secure install of Webmin, and you will not need to go changing root issues on your system. And even if you do... who cares. Webmin won't.

-Readis

[hndrcks]

From webmin MAN page

to change root password in webmin use this included Perl script:

# /usr/share/webmin/changepass.pl /etc/webmin root <your passwordhere>

[jdong]

Yeah, you can specify a separate root password for Webmin!

I'll be backporting the latest Webmin from Sid/Hoary to Warty within the next week or so.

[wayover13]

I don't see why this is more secure: it's sure as heck not as easy as just assigning root a password before installing the regular webmin. That's what I did and it works just fine. Generating a package that integrates better with the Ubuntu way of sudo'ing all root-related tasks would be good though. Webmin should take its password from the user's account rather than from root's somehow. The more serious problem with Ubuntu/Webmin is that Ubuntu uses some non-standard way of dealing with LVM, and thus the Webmin module for LVM admin won't work. A fix for that is what I really need.

[TravisNewman]

Why is it more secure? In the apt-getted one, If someone breaks into webmin they can then gain total control because they know your root password. In the installer script, you can set it up to use SSL. You can make it run on a non-standard port. You can make the name and password something that doesn't exist on your system anywhere (so if anyone breaks your account, they can't get into webmin).

[Readis]

I don't see why this is more secure: it's sure as heck not as easy as just assigning root a password before installing the regular webmin. That's what I did and it works just fine. Generating a package that integrates better with the Ubuntu way of sudo'ing all root-related tasks would be good though.

One of my consulting jobs deals with network security. Firewalls, IDS, internal and external audits... that sort of thing. When an app like Webmin has the kind of power that it has, and is easy to use, you really need to make sure that it is locked down as much as possible. I was always slightly nervous about Webmin only using root as a login. When I would do an external scan on a client, if I saw webmin open on port 10000, and we always scaned for 10000 since it is the default port, we always knew that 99 out of 100 times root would be the login. By knowing the user, you just cut your attack time WAY down! At that point we could, if we wanted, brute force or low and slow the port, to see if we could get in. Don't freak out. We always had permission and a signed document that allowed this kind of work. The smart ones would have webmin on a different port. But most installed it from apt-get, RPM, or some other repository. I didn't realize that the script existed until I started using Ubuntu.
Packages are great for 999 of 1000 apps. It allows you to see how a program works, and see if it is something that you want to use. But when it comes to security, I am not a huge fan of using them for this type of app. If you want to run the package of Webmin, be my guest. That is one of the things about Linux I love. The ability to set things up the way you want. Just remember it is not as secure as the install script.
I would also recommend changing the retrys and lockoput time period in the webmin options. That's my 2 cents...

-Readis

[jdong]

Umm, webmin locks out the offender's IP after 3 incorrect logins... It'd take quite a number of IP's , and quite a bit of time to launch a brute force attack.

[Readis]

Umm, webmin locks out the offender's IP after 3 incorrect logins... It'd take quite a number of IP's , and quite a bit of time to launch a brute force attack.

Actually, the default for Webmin is set at 5 attempts and then lockout for 60 seconds... though I do change mine to 3 attempts and 180 seconds...

-Readis

[jdong]

either case, do the math.

How long will it take to permute an 8-character purely alphabetic password?

[quackking]

I've got 1.17.0 installed - but how can I get Ubuntu listed as a distribution in the Webmin Config page? If I configure the system as Debian 3.1 it does not really work (or there are some oddities.) Is there some config file I can download to make Ubuntu appear in the drop-down list of distros?

Also, has anybody Ubuntu-ported the Log Viewer module which comes with Mandrake? I have gotten used to it - but it seems the Russian web page which looks to be the source for the module is of the air.