Connection from cloudmin to webmin

#1 Sat, 02/20/2010 - 03:22
datenimperator

Connection from cloudmin to webmin

Hi all,

on most systems, I don't fancy the idea of exposing the webmin port 10000 directly to the outside world. Instead, I have webmin/virtualmin running on localhost:10000 and connect through SSH or an apache-proxy frontend.

Unfortunately, Cloudmin doesn't seem to be able to connect to such systems. It can SSH into the box, but tries to connect to the same hostname for webmin, which doesn't work. (Since webmin doesn't bind to anything else than 127.0.0.1)

Any chance to sort that out without changing firewalls and such to allow direct connections to port 10000?

Kind regards,

Christian

Sun, 02/21/2010 - 23:45
JamieCameron

You could support this by having Cloudmin connect to port 80, and configuring Apache to forward that to port 10000. Or you could run Webmin on port 10000, but firewall all connections from IPs other than 127.0.0.1 and the Cloudmin master.


Mon, 02/22/2010 - 01:52 (Reply to #2)
datenimperator

Jamie,

thanks for your response. I'd use Cloudmin to help me manage a bunch of webmin/virtualmin enabled systems that are located at customer sites. I'm responsible for updating the system, looking at logfiles and such, and Cloudmin could help me with that.

However, in none of my use cases is Cloudmin able to connect properly:

(1) Webmin on localhost:10000. This is most common: you can SSH into the box and use IP forwarding, but aren't able to connect directly to port 10000 (or anything other than 22/80/443). Cloudmin could either run webmin executables over SSH (directly or using wget/curl on the remote machine) or forward a port over SSH to access the HTTP frontend on 127.0.0.1.

(2) Webmin behind NAT. Second most important: a remote network is accessible over SSH or VPN (PPTP in this case, could be IPsec). The remote router is accessible using scenario (1), others are behind it. These machines could either be webmin links accessible from the router, or you could chain SSH into the destination.

I'm not aware if Cloudmin is connecting to the remote webmin directly today, or if it's already using the SSH link for it. Any chance to see my two use cases supported any time soon? I'd happily renew my Cloudmin license in that case, because it could help me tremendously.

Regards,

Christian
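The SSH port forward from case (1) and the chained variant from case (2), set up by hand outside Cloudmin, as an added example that is not part of the original post. Host names, the `admin` user, the inventory format and the local port range are assumptions; `-J` needs OpenSSH 7.3 or later.

```shell
#!/bin/sh
# Added example: one loopback-only SSH forward per managed system.
# Inventory format (constructed for this example): NAME TARGET [JUMP_HOST]
WEBMIN_PORT=10000   # Webmin listens on 127.0.0.1:10000 on each target
BASE_PORT=10001     # first local port to hand out (assumption)

# tunnel_args TARGET LOCAL_PORT [JUMP_HOST] -> prints the ssh argument list
tunnel_args() {
    target=$1; lport=$2; jump=${3:-}
    # Accept only an unprivileged numeric port, nothing that could add options
    case "$lport" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then return 1; fi
    # -N: no remote command; ExitOnForwardFailure: exit if the forward cannot be set up
    args="-N -o ExitOnForwardFailure=yes"
    # Case (2): reach a host behind NAT through the router that answers on SSH
    if [ -n "$jump" ]; then args="$args -J $jump"; fi
    # Bind the local end to 127.0.0.1 so other machines on the admin's
    # network cannot ride the tunnel to the remote Webmin
    echo "$args -L 127.0.0.1:$lport:127.0.0.1:$WEBMIN_PORT $target"
}

# plan_tunnels < inventory -> "NAME LOCAL_PORT ssh <args>" for each system
plan_tunnels() {
    port=$BASE_PORT
    while read -r name target jump; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s %s ssh %s\n' "$name" "$port" \
            "$(tunnel_args "$target" "$port" "$jump")"
        port=$((port + 1))
    done
}

# Constructed sample inventory: a router reachable directly, a server behind it
sample_inventory() {
cat <<'EOF'
# name         target                           jump host
office-router  admin@router.customer-a.example
office-files   admin@192.168.10.20              admin@router.customer-a.example
EOF
}

sample_inventory | plan_tunnels
```

Each printed line is a command to run on the admin machine; while it is running, the remote Webmin answers on the listed local port at 127.0.0.1 and port 10000 stays closed to the outside.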

Mon, 02/22/2010 - 12:02 (Reply to #3)
JamieCameron

Currently, Cloudmin always connects directly to port 10000 on the remote system, and doesn't yet have any way to tunnel this via SSH. However, that is something which could be theoretically implemented.

One option you may consider is to have Cloudmin not try to connect to Webmin at all, since it isn't needed for most cases. Unless you are also running Virtualmin on the remote hosts, and want to use Cloudmin for domain management.

Failing that, I would recommend setting up port forwarding or a firewall rule to allow port 10000 connections from the master system only.


Tue, 02/23/2010 - 01:59 (Reply to #4)
datenimperator

The master system running Cloudmin is connected using a cable modem and changes its IP address every now and then. IP-based firewall rules aren't a proper option, though. Plus, I don't have access to all firewall configurations, accessible ports are limited on some systems.

I've no idea what your code base looks like, regarding connections from Cloudmin to others, so I can't say whether that would be a major achievement to implement. But I can say that I'd be happy like a kid having one central place to control system upgrades (APT, yum) for a number of connected servers. Currently, that's not possible with Cloudmin having just an SSH connection.

So if there's any chance of getting this particular feature any time soon, that'd be great. Regards,

Christian

Thu, 02/25/2010 - 12:29 (Reply to #5)
MACscr

Yes, it's possible. I have about 15 servers in my cloudmin setup that are SSH access only and do not have webmin even installed on those hosts (they are cpanel servers mostly). You can easily run commands to all systems at the same time or to certain groups or certain servers, etc, such as 'yum update -y'. I absolutely LOVE the "run commands" feature of cloudmin. While it might not be as point and click as you might like, it might at least hold you over until Jamie implements a workaround.

Also, as far as working with dynamic IPs and firewall rules, I use CSF and wrote a little script that runs every 5 minutes through a cron job. It pings the domain I have assigned to my dynamic IP address. If it notices that the IP assigned to that domain is different than the allowed IP I have in the firewall rules, it simply removes that old IP and adds the new IP. While not ideal, it works perfectly and allows me to access cloudmin from my laptop or cell phone when out and about.
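A sketch of the kind of cron job described above, as an added example and not MACscr's actual script. The host name, state file path and the `csf -a` / `csf -ar` defaults are assumptions. Because the firewall now trusts whatever the DNS name resolves to, the answer is validated before it reaches the firewall command and the old entry is only removed after the new one is in place.

```shell
#!/bin/sh
# Added example: keep one firewall allow entry in step with a dynamic-DNS name.
ADMIN_HOST="${ADMIN_HOST:-admin.dyn.example.org}"          # hypothetical name
STATE_FILE="${STATE_FILE:-/var/lib/dyn-allow/current_ip}"  # directory must exist
FW_ALLOW="${FW_ALLOW:-csf -a}"     # add an address to the allow list
FW_REMOVE="${FW_REMOVE:-csf -ar}"  # remove an address from the allow list

# Succeeds only for a dotted-quad IPv4 address with octets 0-255
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# First IPv4 address the system resolver returns for the name
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Returns 0 when the allow list matches DNS, 2 on a bad or missing answer,
# 3 when the firewall refused the new address
sync_allow() {
    new_ip=$(resolve_ipv4 "$ADMIN_HOST") || return 2
    if ! is_ipv4 "$new_ip"; then
        echo "refusing unvalidated answer for $ADMIN_HOST" >&2
        return 2                                  # keep the existing rule
    fi
    old_ip=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$new_ip" = "$old_ip" ]; then return 0; fi   # nothing changed
    $FW_ALLOW "$new_ip" || return 3               # add first, so access is never lost
    if is_ipv4 "$old_ip"; then $FW_REMOVE "$old_ip"; fi
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    echo "allow list moved from ${old_ip:-none} to $new_ip" >&2   # audit trail
}

# Run from cron as: dyn-allow.sh --run
if [ "${1:-}" = "--run" ]; then sync_allow; fi
```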

Tue, 03/02/2010 - 11:43 (Reply to #6)
datenimperator

Thanks for the hint about the "run commands" feature, I wasn't aware of that. It helps me with those systems accessible via direct SSH, but not with those that are behind a firewall (you'd need to chain SSH connections or use a VPN).

Another issue is that while Cloudmin allows me to use another SSH username than root, it doesn't know how to handle it. There's no sudo or else.

Direct root logins aren't permitted on most of my systems, and that's for a good reason.

So Cloudmin functionality is somewhat limited when used as a pure maintenance tool, right? Regards,

Christian

Tue, 03/02/2010 - 11:49
andreychek

> Direct root logins aren't permitted on most of my systems, and that's for a good reason.

Perhaps a compromise there would be to set the sshd_config parameter "PermitRootLogin" to "without-password".

That would prevent brute force password attempts on your root account by not allowing root to login using a password... but would continue to allow root logins if an SSH key is involved, which is considered to be more secure.

-Eric
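A check for the setting discussed above, as an added example that is not part of the original post. sshd uses the first value it reads for each keyword, so a `PermitRootLogin without-password` line added below an earlier `PermitRootLogin yes` has no effect; newer OpenSSH releases spell the same value `prohibit-password`. The function names and sample file are constructed, and `Include` files are not followed.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value sshd would use.

# root_login_value FILE -> first global PermitRootLogin value, lower-cased,
# or "unset". Pass "-" to read the configuration from stdin.
root_login_value() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace, re-split fields
        /^(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends at the first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# classify_root_login FILE -> one-word posture for root over SSH
classify_root_login() {
    case "$(root_login_value "$1")" in
        no)                                 echo "disabled" ;;
        without-password|prohibit-password) echo "key-only" ;;
        forced-commands-only)               echo "forced-commands-only" ;;
        yes)                                echo "password-capable" ;;
        unset)                              echo "version-default" ;;
        *)                                  echo "unrecognised" ;;
    esac
}

# Constructed sample: the last line looks safe but is never used,
# because the earlier PermitRootLogin line is read first
sample_config() {
cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin without-password
EOF
}

sample_config | classify_root_login -
```

On a live system, point `classify_root_login` at `/etc/ssh/sshd_config`; a result of `version-default` means the file sets nothing globally and the installed OpenSSH version's default applies.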

Thu, 03/04/2010 - 03:33 (Reply to #8)
datenimperator

Hi Eric,

you're right, and I'm not up niggling about Cloudmin, as it works pretty well for setting up and controlling a bunch of (virtual) servers.

It's just that I'd find it particularly useful if you think about Cloudmin as a more general means to remote control instances of webmin/virtualmin (with focus on maintenance)

Currently, I'm responsible for almost a dozen servers, some of them I'm only granted a (sudo-able) SSH account. Surely, I could reconfigure the SSH daemon, but that's not the point: It's up to me as a consultant to deal with the restrictions that apply for a particular customer system, and if Cloudmin is the tool of choice to help me with that, it should play nicely instead of requiring me to change stuff.

Plus, on some systems it simply isn't feasible to request a change in network infrastructure (like, open firewall ports) because customer policies don't permit that.

All the best,

Christian

Thu, 03/04/2010 - 11:42 (Reply to #9)
JamieCameron

The main reason why Cloudmin doesn't support sudo yet is that it cannot be used when copying files as root to or from a managed system. In many cases Cloudmin needs to fetch or edit root-owned files on a remote system, which it does using scp - and as far as I know, there is no equivalent concept to sudo for scp.
