Adding a further security layer to VM interface

#1 Sat, 05/16/2009 - 10:47
Rogi


Hello all,

Firstly, I have only been using Virtualmin for a few weeks and was quite sceptical before I first installed the GPL version. Now a few weeks later I'm already on the pro version and could not be more impressed. It's excellent.

Now to get to the point.

I'd like to add a further layer of security to the VM web interface. I'll say right now that there have been no attempts at breaking into it or any such thing, I'm just very security conscious and so want to add another layer just for my own peace of paranoid mind. :)

So I'm just asking for suggestions as to good ways of going about doing this.

Another password (even just an htaccess type p/w restriction - before - the normal interface password screen) would probably be good enough, but I thought I'd throw the idea out onto the forums here and see what anyone came up with (Joe? Eric?).

Thanks! :)

Aside: Please hurry with the new website and forums, this one is driving me nuts. ;)

Sat, 05/16/2009 - 12:04
andreychek

> Aside: Please hurry with the new website and forums, this one is driving me nuts. ;)

I assure you that few people are more annoyed at the forums than Joe -- so he's quite motivated to get that resolved :-) It's a lot of work, but he's hoping to have it ready soon!

> I'd like to add a further layer of security to the VM web interface. I'll say right now that there have been no attempts at breaking into it or any such thing, I'm just very security conscious and so want to add another layer just for my own peace of paranoid mind. :)

Well, I don't know of a way to add an additional password.

There are some other tools available to you though. In Webmin -> Webmin -> Authentication, you can play with some of those options. For example, you may want to make sure hosts are blocked for some amount of time after N failed login attempts.

If you have a small number of users who will be accessing Webmin from the same location each time, you could always enable the IP Address restrictions in the IP Access Control area.

Some people change the port from 10000 to some other random number to avoid bots looking for Webmin installs.

I would also make sure access to Webmin/Virtualmin is made over SSL.

Just some thoughts -- have a good weekend!
-Eric

Sat, 05/16/2009 - 13:02 (Reply to #2)
Joe

> Aside: Please hurry with the new website and forums, this one is driving me nuts.

Hey Cap'n, why do you have a steering wheel in your pants?

> I assure you that few people are more annoyed at the forums than Joe

Yep, I've written thousands of posts on this abomination. We will soon have something much much better. I just started writing the data migration tools today. Barring troubles, Sunday or Monday night will be the switchover.

--

Check out the forum guidelines!

Sat, 05/16/2009 - 12:57
Joe

http://doxfer.com/Webmin/SecuringWebmin

There's also a few additional capabilities in Webmin for security...you might consider using certificates for logins (particularly for root). A certificate is dramatically more secure than a password (it's like having a password that's hundreds of characters long and completely random).

There's quite a bit of security functionality built in to Webmin. The only benefit to only allowing proxied access to Webmin and using HTTP authentication on top of the session authentication would be in the event Webmin itself has a vulnerability.

While it's entirely plausible that Webmin will have new vulnerabilities discovered in the future, it's been over three years since the last serious exploit was discovered (and fixed). And it's definitely not for lack of trying...crackers and security experts alike are always looking for ways to break Webmin. It's installed on millions of machines, and runs as root. It is one of the most attractive targets in the world for crackers (right up there with sshd). So, we don't have security by obscurity going for us. Webmin actually has to be secure, or it will be broken, just like sshd. And, if we're counting, Webmin in the past several years has a security history roughly on par with OpenSSH, which is pretty damned good.

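The settings Eric lists (host blocking after N failed logins, IP access control, a non-default port, SSL) and the precondition for Joe's "proxied access with HTTP authentication on top" (Webmin bound only to the loopback address, so the proxy is the only way in) all live in Webmin's miniserv.conf. The script below is an added example, not code from this thread or from the Webmin project: it parses a miniserv.conf-style file and reports which of those points are unmet. The key names it looks for (port, ssl, allow, bind, blockhost_failures, blockhost_time) are my assumption of what Webmin's miniserv.conf uses; confirm them against your own /etc/webmin/miniserv.conf before relying on the output, and the sample file in demo is constructed, not taken from any real host.

```shell
#!/usr/bin/env bash
# Added example: audit a Webmin miniserv.conf against the hardening points
# raised in this thread. Key names are assumptions (see lead-in), not
# verified against a particular Webmin release.

# Print the value of one key=value setting, or nothing if the key is absent.
ms_get() {
    local file="$1" key="$2"
    sed -n "s/^${key}=//p" "$file" | head -n 1
}

# Report each unmet point on its own line; the return code is the number
# of findings, so 0 means every check passed.
audit_miniserv() {
    local file="$1" findings=0
    local port ssl allow failures block_time bind

    port=$(ms_get "$file" port)
    ssl=$(ms_get "$file" ssl)
    allow=$(ms_get "$file" allow)
    failures=$(ms_get "$file" blockhost_failures)
    block_time=$(ms_get "$file" blockhost_time)
    bind=$(ms_get "$file" bind)

    # Eric: make sure access is over SSL.
    if [ "$ssl" != "1" ]; then
        echo "FINDING: ssl is not 1; passwords and session cookies would cross the wire in clear text"
        findings=$((findings + 1))
    fi
    # Eric: some people move off port 10000 to dodge bots scanning for Webmin.
    # This is only obscurity, so it is reported as a note rather than a failure.
    if [ "${port:-10000}" = "10000" ]; then
        echo "NOTE: port is the default 10000 (moving it hides from scanners; it is not a control on its own)"
        findings=$((findings + 1))
    fi
    # Eric: IP Access Control, if your users come from fixed addresses.
    if [ -z "$allow" ]; then
        echo "FINDING: no allow= list; any source address can reach the login page"
        findings=$((findings + 1))
    fi
    # Eric: block a host for a while after N failed logins (Rogi's server had
    # Webmin at 5 attempts alongside Fail2Ban at 4).
    if [ "${failures:-0}" -eq 0 ] || [ "${failures:-0}" -gt 5 ] || [ "${block_time:-0}" -lt 60 ]; then
        echo "FINDING: host blocking is off or weak (blockhost_failures=${failures:-unset}, blockhost_time=${block_time:-unset})"
        findings=$((findings + 1))
    fi
    # Joe: proxied access with HTTP auth in front only helps if Webmin itself
    # is reachable solely through the proxy, i.e. bound to the loopback address.
    if [ "$bind" != "127.0.0.1" ]; then
        echo "NOTE: bind is not 127.0.0.1; needed only if you front Webmin with an HTTP-auth reverse proxy"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling a stock install: SSL off, default port,
# no allow list, host blocking at 5 failures for 60 seconds, no bind.
demo() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' 'port=10000' 'ssl=0' 'blockhost_failures=5' 'blockhost_time=60' > "$tmp"
    audit_miniserv "$tmp"
    echo "findings: $?"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `bash audit-miniserv.sh demo` to see the constructed sample scored (four findings: ssl, port, allow, bind), or call `audit_miniserv /etc/webmin/miniserv.conf` from your own shell. The port and bind checks are deliberately labelled NOTE: a non-default port is not a security control, and binding to loopback is only correct once a proxy is actually in front, so neither should be applied blindly.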

Sat, 05/16/2009 - 13:30
Rogi

> There are some other tools available to you though. In Webmin -> Webmin -> Authentication, you can play with some of those options. For example, you may want to make sure hosts are blocked for some amount of time after N failed login attempts.

Ah, Webmin already has that built in? I originally installed Webmin alone quite some time ago on top of my already set up server and never noticed that as I, well, never really looked for that functionality in Webmin!

That's quite interesting actually as I have, and have had for a long time, Fail2Ban running and doing the same thing as Webmin in that regard - and Webmin's version of F2B was already enabled, too - so I'm quite surprised that they haven't clashed at some point.

On second look, I see I have Fail2Ban set at 4 attempts and Webmin is set at 5, so maybe they just, by luck, never noticed each other.

Ok, well, having now properly seen that bunch of options in Webmin, that answers my question straight off and I'll add/enable some things there (if I even need to now; at a glance it would seem probably not).

Thanks for the reply Eric.

Joe: Can't reply to you easily in this thread in this same reply as the forums are so bad. :)

Your points are taken, and I see what you mean re. Webmin being a target and its great security record. The rest of your reply was interesting too. Thanks for that.

As for the steering wheel joke. Very good. :-)

Thanks both.
