This chapter covers the steps you should take to add additional security to Webmin on your system once it has been installed. It explains both IP address restrictions, and the use of SSL.
Unless you are running Webmin on a system that is never connected to any other network, it is a wise idea to restrict which client network addresses are allowed to login. Because Webmin is so powerful, anyone who manages to login will have total control over your system – as though they had root shell access. Even though a username and password is always required to login, it is always good to have an additional layer of security in case an attacker guesses or somehow discovers your password. As well, IP access control protects you from any bugs in Webmin that may show up in future that allow an attacker to login without a password – some older releases have had just this problem.
To restrict which IP addresses and networks Webmin will accept connections from, follow these steps:
- In the Webmin category, click on the icon for the Webmin Configuration module.
- Click on the icon for IP Access Control. The form shown in Figure 3-1 will appear for restricting client IP addresses.
- Select the option Only allow from listed addresses, and in the text box enter the IP addresses or hostnames of client systems that you want to allow access from. If you want to allow access from an entire IP network, enter the address of the network with 0 for the final octet. For example, if you wanted to allow all clients with IP addresses from 192.168.1.0 up to 192.168.1.255, you would enter 192.168.1.0. Networks can also be entered in the standard network/netmask format, like 192.168.1.0/255.255.255.0. You can also grant access from an entire domain by entering a wildcard hostname like *.foo.com, assuming that reverse IP address resolution has been set up for that domain.
- When done, click the Save button to apply your changes. Webmin will warn you if the restrictions would prevent the client system that you are currently running your browser on from logging in, so that you do not accidentally lock yourself out!
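The three address forms accepted by the IP Access Control form, as an added example that is not Webmin's own code: a small matcher that applies an allow list to a client address. It treats a trailing 0 octet as the /24 the text describes, and for wildcard hostnames it forward-confirms the reverse DNS name, since a client whose PTR record merely claims to be in *.foo.com should not be let in. The resolver callables are a convenience of this example so the check can be exercised with constructed lookups.

```python
import fnmatch
import ipaddress
import socket

def parse_rule(rule):
    """Turn one entry from the IP Access Control list into a matcher.
    Forms accepted, as on the Webmin form: a single IP, a network written
    with a 0 final octet (192.168.1.0, taken as a /24), network/netmask
    (192.168.1.0/255.255.255.0), or a wildcard hostname (*.foo.com)."""
    rule = rule.strip()
    if "/" in rule:
        return ("net", ipaddress.ip_network(rule, strict=False))
    try:
        addr = ipaddress.ip_address(rule)
    except ValueError:
        return ("host", rule.lower())  # not an address: hostname pattern
    if addr.version == 4 and rule.endswith(".0"):
        return ("net", ipaddress.ip_network(rule + "/24", strict=False))
    return ("ip", addr)

def _confirmed_hostname(client_ip, reverse, forward):
    """Reverse-resolve client_ip and keep the name only if it resolves back
    to that address, so a forged PTR record alone cannot satisfy *.foo.com."""
    try:
        name = reverse(client_ip)[0].lower()
        if client_ip in forward(name)[2]:
            return name
    except OSError:
        pass
    return ""  # no usable reverse record: hostname rules cannot match

def client_allowed(client_ip, rules, reverse=socket.gethostbyaddr,
                   forward=socket.gethostbyname_ex):
    """True if client_ip passes 'Only allow from listed addresses'.
    reverse/forward default to the system resolver; a caller may pass its
    own lookups (cached or constructed) so the check runs offline."""
    addr = ipaddress.ip_address(client_ip)
    hostname = None  # resolved lazily, only if a hostname rule is present
    for kind, value in (parse_rule(r) for r in rules):
        if kind == "ip" and addr == value:
            return True
        if kind == "net" and addr in value:
            return True
        if kind == "host":
            if hostname is None:
                hostname = _confirmed_hostname(client_ip, reverse, forward)
            if hostname and fnmatch.fnmatchcase(hostname, value):
                return True
    return False
```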
If you are accessing your Webmin server over an un-trusted network such as the Internet, you should be aware that by default an attacker could capture your login and password by listening in on network traffic. This is particularly easy if you are using a non-switched Ethernet network shared by people that you do not fully trust, such as in an office or university.
Fortunately, there is a solution that is relatively easy to set up – switching Webmin to use SSL so that all network traffic between your web browser and the server is encrypted. The RPM package of Webmin will run in SSL mode by default if the OpenSSL library and the Net::SSLeay Perl module are installed. However, most systems do not meet these requirements, so you will need to follow the steps below to enable SSL:
- Install the OpenSSL library, if you do not already have it. Most recent Linux distributions will include it as standard, but you may have to install it from your distribution CD. If there are separate packages for openssl and openssl-devel, make sure both are installed. If your operating system does not come with OpenSSL, you can download it from http://www.openssl.org/ instead.
- Install the Net::SSLeay Perl module, if it is not already installed. If your system is connected to the Internet, the easiest way to do this is to enter the Perl Modules module of Webmin (under the Others category), enter Net::SSLeay into the From CPAN field and click the Install button. After the Perl module has finished downloading, click on Continue with install to have Webmin automatically compile and install it.
- Once both are installed, go to the Webmin Configuration module and click on SSL Encryption. The form shown in Figure 3-2 will appear.
- In the top part of the page, change the Enable SSL if available? option to Yes, and click Save. If all goes well, Webmin will be switched to SSL mode and your browser will connect to it securely.
- If this is the first time you have connected to Webmin in SSL mode, your browser will display a warning about the certificate being invalid. For now, you can ignore this warning and choose to accept the certificate. For more details, see the next section.
- From now on, when logging into Webmin you must use a URL starting with https:// instead of just http://. Once in SSL mode, Webmin will no longer accept insecure connections.
- Go back to the SSL Encryption page, and scroll down to the second form. If a warning starting with *Because you are currently using the default Webmin SSL key* is displayed, you definitely should continue following these steps to create your own private SSL certificate and key. However, if it does not appear then a private key was created at installation time and there is no need to go on reading.
- If your system is always accessed using the same hostname in the URL, enter it into the Server name in URL field, such as www.example.com. This will cause the generated certificate to be associated only with that hostname. Otherwise select Any hostname to allow the certificate to be used with any URL hostname. This is more convenient, but slightly less secure.
- In the Email address field enter your email address, such as firstname.lastname@example.org.
- If appropriate, fill in the Department field with the name of the department or group within your organization that this system belongs to, such as Network Engineering. This can be left blank if inappropriate, such as on a home system.
- In the Organization field enter the name of the company or organization that owns this system, such as Foo Corporation. Again, this can be left blank if it makes no sense.
- In the State field enter the name of the state that your system is in, such as California.
- In the Country code field enter the two-letter code for the country the system is in, such as US.
- Leave the Write key to file field unchanged, and the *Use new key immediately* field set to Yes.
- Hit the Create Now button to generate a new key and certificate, write them to /etc/webmin/miniserv.pem and immediately activate them. Your browser will probably prompt you again to accept the new certificate.
Older versions of Webmin just used a fixed SSL key that was included as part of the package. However, this was completely useless for securing network traffic, as anyone with a copy of that key can decrypt the data that is supposedly protected with SSL! For this reason recent Webmin versions create a new private key at installation time if possible, and warn you if the old fixed SSL key is being used.
Requesting a valid SSL certificate
If you want to use a valid SSL certificate and do not have one for your hostname, it is possible to generate one using the openssl command and a certificate authority. A valid certificate is one that is recognized by all browsers, because it was signed by a recognized authority. Those created by Webmin itself by following the steps in the previous section do not meet this criterion, and so will trigger a warning in all browsers when they connect to the Webmin server.
Unfortunately, certificate authorities charge money for signing and verifying that the owner of the server in the hostname actually matches the company details in the certificate.
Let's Encrypt issues free certificates.
To install a valid certificate from another CA, the steps to follow are:
- At the shell prompt, run the command openssl genrsa -out key.pem 1024. This will create the file key.pem, which is your private key.
- Run the command openssl req -new -key key.pem -out req.pem. When it asks for the common name, be sure to enter the full hostname of your server as used in the URL, like www.yourserver.com. This will create the file req.pem, which is the certificate signing request (CSR).
- Send the CSR to your certificate authority by whatever method they use. They should send you back a file that starts with -----BEGIN CERTIFICATE-----, which can be put in the file cert.pem.
- In Webmin, enter the Webmin Configuration module and click on SSL Encryption.
- In the SSL Encryption form (shown in Figure 3-2), enter the path to your key.pem file into the Private key file field, and the path to your cert.pem file into the Certificate file field.
- Click the Save button to switch to the new certificate.
From now on, your browser should no longer display a warning when connecting to Webmin in SSL mode.
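The key and CSR steps above, as an added example that is not part of the chapter or of Webmin: the subject is built from the same fields the SSL Encryption form asks for and passed to openssl with -subj, then the common name is read back out of req.pem and checked against the URL hostname before the request goes to the CA. The example's own choices are a 2048-bit key (the chapter's command uses 1024) and the function names; it needs openssl on PATH only for the generation and read-back steps.

```python
import re
import shutil
import subprocess

KEY_BITS = 2048  # this example's choice; the chapter's command uses 1024

def build_subject(hostname, email="", department="", organization="",
                  state="", country=""):
    """Assemble an OpenSSL -subj string from the fields the Webmin SSL
    Encryption form asks for. Blank optional fields are left out, and
    '/' or '\\' inside a value is escaped so the DN does not split."""
    def esc(v):
        return v.replace("\\", "\\\\").replace("/", "\\/")
    attrs = [("C", country), ("ST", state), ("O", organization),
             ("OU", department), ("CN", hostname), ("emailAddress", email)]
    return "".join(f"/{k}={esc(v)}" for k, v in attrs if v)

def csr_commands(hostname, key="key.pem", req="req.pem", **fields):
    """The two openssl invocations from the chapter, with the subject given
    on the command line instead of answered at the interactive prompts."""
    return [
        ["openssl", "genrsa", "-out", key, str(KEY_BITS)],
        ["openssl", "req", "-new", "-key", key, "-out", req,
         "-subj", build_subject(hostname, **fields)],
    ]

def csr_common_name(req="req.pem"):
    """Read the CN back out of the CSR so it can be checked against the URL
    hostname before the request is sent to the CA. Needs openssl on PATH."""
    out = subprocess.run(["openssl", "req", "-in", req, "-noout", "-subject",
                          "-nameopt", "RFC2253"],
                         check=True, capture_output=True, text=True).stdout
    m = re.search(r"CN=([^,]+)", out)
    return m.group(1) if m else None

def make_csr(hostname, **fields):
    """Generate key.pem and req.pem, then confirm the CN matches hostname."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    for cmd in csr_commands(hostname, **fields):
        subprocess.run(cmd, check=True, capture_output=True)
    cn = csr_common_name()
    if cn != hostname:
        raise ValueError(f"CSR common name {cn!r} does not match {hostname!r}")
    return cn

if __name__ == "__main__":
    print(make_csr("www.yourserver.com", organization="Foo Corporation",
                   state="California", country="US"))
```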