Webmin: Simple, Secure Linux Management

By Carla Schroder | Sep 20, 2005
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3550291/Webmin-Simple-Secure-Linux-Management.htm

Oldtyme Unix and Linux geeks love to rail endlessly about the wonders of the command line, and the perfect awfulness of graphical interfaces for system administration. It is true that the full power of an operating system is found at the command line, and that it is difficult for a GUI to include all the available command options and script-ability of the CLI. And running X Window on a server is rather silly — a waste of system resources and unnecessary complexity.

But different folks are comfortable with different tools — for example, I can't imagine trying to get along without a graphical file browser. Typing long filepaths and complex commands that can be handled with simple drag-n-drop is not a good use of my time. And even if it weren't more efficient, it's my choice, and by dang that's all anyone else needs to know about it.

Which is my roundabout introduction to Webmin. Webmin is a great all-in-one graphical configurator that can be used to configure and monitor servers, system files, networking, and hardware — in short, everything. Unlike other GUI system administration tools, Webmin directly edits program configuration files. This means you can use Webmin, and you can edit the files directly, and Webmin won't mind. Most other GUI configuration tools will overwrite your manual changes and conflict with each other, which is an unfriendly and unnecessarily limiting thing to do. Webmin supports scripting, and the actual files are shown inside Webmin.

Webmin is accessible via any Web browser, and the current edition uses SSL to encrypt Webmin logins. Webmin is a collection of Perl 5 CGI scripts, so any Perl guru, or indeed anyone with moderate Perl skillz, can modify Webmin or write new modules fairly easily. It includes its own HTTP server, which is lovely for those of us who don't want to hassle with installing and integrating a separate HTTP server.

What Webmin is Not
Don't fire up Webmin expecting some sort of "system administration for dummies" experience. You still need to know what you're doing. Webmin makes it easier with a friendly consistent interface, drop-down lists of commands, checkboxes and other useful time-savers.

Installing Webmin
Webmin runs on every Linux and Unix there is. Only certain versions are officially supported, but I've yet to find one that didn't work. RPMs and source tarballs can be downloaded from webmin.com/download.html. Be sure you have Perl 5, the Net::SSLeay Perl module and OpenSSL already installed. The RPM is a big bugger containing everything in the world, weighing in at over 9 megabytes, and installing to 25-30 megabytes. If you want a slimmer install, download the -minimal.tar.gz tarball, then add the modules you need after installation. (See the Webmin front page for links to standard and third-party modules.)

Debian users need only to apt-get install webmin webmin-core to get started. Debian breaks Webmin into a herd of separate modules, so you can easily customize your installation.

After installation, type https://localhost:10000 into a browser to get to the Webmin login page. Log in as root, and let the fun begin.

Package installations will set up SSL certificates for you, so you don't have to worry about manually configuring SSL. If you need to generate and install new keys, see chapters 3.2 and 51 in the excellent Managing Linux Systems with Webmin by Jamie Cameron.

Jamie is the author of Webmin. He has generously made his book available online for free. If you use and enjoy Webmin, I suggest buying a copy of the book to help support it. It's a well-written, thorough reference, including both administration and how to write your own modules.

Adding Modules
Adding additional modules is as easy as falling asleep. Easier, even, if you're the stressed-out type who doesn't sleep well. Webmin modules have a .wbm extension. Download your shiny new module, then go to Webmin -> Webmin Configuration -> Webmin Modules to install it.

First Steps
Read the fine manuals and FAQs. While Webmin has a great interface where you can click and guess your way through a lot of things, you'll cut down errors and frustration considerably by doing things the right way.

Before you do anything else, change the session timeout. On some systems the default is to log you out after five minutes of inactivity, which will drive you nuts while you're still getting the hang of using it. Go to the Webmin tab -> Webmin Configuration -> Authentication -> Auto-logout after [foo] minutes of inactivity.

Next, go to Webmin -> Webmin Users and create at least one administrative user for Webmin, because using your system root account is not a good idea. Webmin users can be granted fine-grained access controls, even to the point of being allowed to control only a limited set of server or system functions.

Basic Webmin Security
Webmin comes with some built-in access controls. It is wise to use these, especially if your LAN is connected to the Internet. If you're using Webmin only for localhost, go to Webmin -> Webmin Configuration -> IP Access Control, check "Only allow from listed addresses", and enter "localhost".

The default port for Webmin is 10000. This is configurable to whatever port you want. Some howtos recommend changing it to fool intruders. Changing port numbers doesn't fool leet crackers, because it doesn't fool portscanners. Better reasons to change the port number are to suit your own needs; maybe you want other ports for testing, or you have lucky numbers, or some such. One security reason is to use a port number under 1024. Only programs that run with root permissions can listen on these ports. The higher ports are open to use by anyone, so theoretically a malicious user could set up their own server at port 10000 and capture your Webmin logins. But using SSL will foil this nefarious scheme.

Lost Password
Webmin comes with a script for restoring a lost Webmin password. (Which once again illustrates the moldy old Unix dictum, "Those who have physical access to the box own it.") For example, suppose you created the "webminadmin" user and then lost the password. Change it with the changepass.pl script:

# /usr/share/webmin/changepass.pl /etc/webmin webminadmin newpassword

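The location of this script may be somewhere else on your system; this example is from Debian. A password typed on the command line like this usually ends up in root's shell history, so clear that entry afterward.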

Remote Administration
Webmin is great for administering headless boxes and servers that do not run X Window. You don't have to hassle with something like ncurses to get a nice GUI on an X-less box. Webmin needs to be installed only on the servers; all you need on your remote box is a Web browser. It doesn't even need to be a graphical browser; text browsers like Lynx, Links and Elinks work fine.

Connect to your server with the hostname or IP address:

https://stinkpad:10000

If you aren't using SSL, it's http. To connect across the Internet use the fully-qualified domain name:

https://stinkpad.carla.com:10000

You definitely don't want to do that on an unencrypted connection. It's a good idea to refine your IP access controls; ideally you'll be able to strictly limit access. This example shows how to allow local LAN access, specific outside IPs and domains:

localhost
192.168.1.0
209.8.234.9
*.carla.com
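
How the four entries above admit or reject a client, as an added example that is not part of the original article and is not Webmin's own code. It is IPv4 only and assumes that an address ending in zero octets stands for the whole network, that "localhost" means the loopback addresses, and that name entries are compared with the client's reverse-DNS hostname; the function names and the client addresses and hostnames are constructed for illustration.

```python
import fnmatch
import ipaddress

# The allow list from the article.
ALLOW = ["localhost", "192.168.1.0", "209.8.234.9", "*.carla.com"]

def entry_network(entry):
    """Return the IPv4 network an address entry covers, or None for a name.
    Assumption: trailing zero octets mark a network address, so
    192.168.1.0 covers 192.168.1.0/24 and 209.8.234.9 is a single host.
    """
    try:
        addr = ipaddress.IPv4Address(entry)
    except ValueError:
        return None
    octets = entry.split(".")
    prefix = 32
    while prefix > 0 and octets[prefix // 8 - 1] == "0":
        prefix -= 8
    return ipaddress.IPv4Network(f"{addr}/{prefix}")

def is_allowed(client_ip, client_name, allow=ALLOW):
    """Return the entry that admits the client, or None if it is rejected.
    client_name is the reverse-DNS hostname of client_ip (None if absent).
    """
    ip = ipaddress.IPv4Address(client_ip)
    for entry in allow:
        net = entry_network(entry)
        if net is not None:
            if ip in net:
                return entry
        elif entry == "localhost":
            if ip.is_loopback:
                return entry
        elif client_name and fnmatch.fnmatchcase(client_name.lower(), entry.lower()):
            return entry
    return None

def audit(allow=ALLOW):
    """Map each entry to the number of IPv4 addresses it admits (None = DNS name)."""
    nets = {e: entry_network(e) for e in allow}
    return {e: (n.num_addresses if n is not None else None) for e, n in nets.items()}

if __name__ == "__main__":
    # Constructed client addresses and hostnames.
    for ip, name in [("192.168.1.57", None), ("203.0.113.5", "vpn.carla.com"), ("198.51.100.7", None)]:
        print(ip, name, "->", is_allowed(ip, name))
    print(audit())
```

The audit output shows the difference between entry types: the two address entries admit a fixed 256 and 1 addresses, while the name entries admit whatever DNS resolves for them.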

Webmin gives you the best of both GUI and CLI worlds. Don't let stuffy command-line commandos deter you from giving it a try.
