This tutorial is a continuation of “Setting up Centos 7 as a web server on Time4VPS and migrating websites from a shared hosting provider”, published earlier on this blog.
Administering Linux servers can be very boring, and spending your days typing commands into black terminal screens will eventually get to you. Having tools that automate lengthy command line tasks and supply you with some colorful graphs can sometimes be refreshing and also impress your boss, even though at the back of your mind you always know that when the brown stuff hits the fan, only a brutal terminal session will eventually save the day :).
Tools like Webmin and phpMyAdmin are always nice to have around. However, they inherently bring security concerns with them, because of vulnerabilities they could have inside their code, over which you really have no control. Being very popular tools also means that their default ports and paths are amongst the first to be scanned when someone is looking for a vulnerability.
In this short tutorial, we will see how to install Webmin on our CentOS 7 based web server. Instead of opening up the standard port 10000 to access it from the outside world, we will access it over an SSH tunnel from our Windows machine, without opening any extra ports.
This tutorial is based on CentOS 7 running on a VPS server; however, the methods described can be used on virtually any Linux-based server out there. This tutorial assumes you have root access to your server.
We begin by adding the Webmin repo to yum, which is not included as standard.
#sudo vim /etc/yum.repos.d/webmin.repo
and paste the following into the file :-
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
Install the GPG key
#rpm --import http://www.webmin.com/jcameron-key.asc
Next we update the repositories
And install webmin
#yum install webmin
Resolving Dependencies
--> Running transaction check
---> Package webmin.noarch 0:1.831-1 will be installed
--> Processing Dependency: perl(Net::SSLeay) for package: webmin-1.831-1.noarch
--> Running transaction check
---> Package perl-Net-SSLeay.x86_64 0:1.55-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch        Version          Repository      Size
================================================================================
Installing:
 webmin               noarch      1.831-1          Webmin          27 M
Installing for dependencies:
 perl-Net-SSLeay      x86_64      1.55-4.el7       base           285 k

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 27 M
Installed size: 76 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): perl-Net-SSLeay-1.55-4.el7.x86_64.rpm        | 285 kB  00:00:00
(2/2): webmin-1.831-1.noarch.rpm                    |  27 MB  00:00:21
--------------------------------------------------------------------------------
Total                                      1.2 MB/s |  27 MB  00:00:21
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : perl-Net-SSLeay-1.55-4.el7.x86_64                            1/2
Operating system is CentOS Linux
  Installing : webmin-1.831-1.noarch                                        2/2
Webmin install complete. You can now login to https://yourserver.com:10000/
as root with your root password.
  Verifying  : webmin-1.831-1.noarch                                        1/2
  Verifying  : perl-Net-SSLeay-1.55-4.el7.x86_64                            2/2

Installed:
  webmin.noarch 0:1.831-1

Dependency Installed:
  perl-Net-SSLeay.x86_64 0:1.55-4.el7

Complete!
Next enable webmin on startup, and start the webmin service.
note: Since webmin is not considered to be a native service, we use chkconfig webmin on instead of the usual systemctl enable webmin to enable webmin on startup. We also start the service using /etc/init.d/webmin start, although systemctl start webmin would also work in most cases.
#chkconfig webmin on
#/etc/init.d/webmin start
Webmin is now up and running, and will be started automatically next time your server is restarted. We just need to make it accessible to the outside world.
note: If you do not want webmin to start automatically on every boot, do not issue the command chkconfig webmin on. To start and stop the service manually, you can run “/etc/init.d/webmin start” and “/etc/init.d/webmin stop” respectively
Accessing webmin directly from the outside world (Not Recommended)
If you wish to access Webmin directly from any browser connected to the internet all you need to do is open port 10000 to the outside world as follows :-
#firewall-cmd --zone=external --add-port=10000/tcp --permanent
followed by :-
#systemctl restart firewalld
Accessing webmin securely (the proper way)
The recommended method to access webmin securely (or any other service on your server) is to leave the default port (10000 in this case) closed to the outside world, and access webmin via an ssh tunnel. Here is how :-
- If you do not already have it, download a copy of PuTTY, a free ssh and telnet client for Windows, from www.putty.org
- If you have downloaded the installer, just go through it and start the program. If you downloaded the executable, copy it to a new folder on your hard drive, and just double click the executable
- In Host Name (or IP address), type in the host name or IP address of your server
- In Port, type in the SSH port you use to connect to your server
- Connection type: SSH
- In Saved Sessions, type in a name under which to save the settings you are about to make. I usually use the host name itself.
- Next, from the Category section, click on the + sign near “SSH“, under “Connection“, and select “Tunnels“
- In source port put down 10000
- In destination put 127.0.0.1:10000
- Click the add button, and you should see the line L10000 127.0.0.1:10000 added under Forwarded ports
- Use the scrollbar to scroll back up, and click on Session once again, and hit the “SAVE” button. You should see your settings saved in the “Saved Sessions”
We are now ready to test our connection. Hit the “Open” button, and if your hostname and port are correct, you should be greeted with a black screen with a “login as: ” prompt. Type in your username, and hit the “enter” key.
You will be asked for the password. Type it in, again followed by the “enter” key, and if all goes well, you should be greeted with your server’s $ or # prompt. We are nearly there.
Fire up your favourite browser, and point it to https://127.0.0.1:10000. The browser will show a privacy error because it does not trust the certificate Webmin presents; ignore and bypass the error, and you should be greeted with the webmin login screen.
If you have other services installed which normally require you to open new ports to your server, you can add the forwarding rules in putty under ssh->tunnels and save your session accordingly. Using this method, the only 3 ports which you need to open in your server’s firewall are ports 80 and 443 for http / https traffic, and another port for ssh connections, preferably not the default of 22, again for security reasons.
The services will be available for as long as you keep your putty ssh session open. Once you log out, the services will become unavailable. The next time you need to access the services via the ssh tunnel, simply start up putty, select your “Saved Session”, hit the “LOAD” button, followed by the “OPEN” button, type in your username and password … and voila !
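To confirm that the tunnel really is the only way in, the following added example (not part of the original tutorial) classifies how reachable port 10000 is from the output of `ss -ltn` and `firewall-cmd --list-ports`. The function names, the sample outputs, the SSH port 2222 and the loopback-bound variant (Webmin's `bind=127.0.0.1` setting in /etc/webmin/miniserv.conf, which the tutorial does not use) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all sample data below is constructed, not captured output.

# Print the non-loopback addresses listening on port $1 (`ss -ltn` on stdin).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # the port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print addr
        }'
}

# Succeed if $1/tcp, alone or inside a range, is in the port list on stdin.
firewall_allows() {
    tr ' ' '\n' | awk -F'[-/]' -v port="$1" '
        $NF == "tcp" {
            lo = $1; hi = (NF == 3 ? $2 : $1)
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
        }
        END { exit !found }'
}

# $1 = port, $2 = `ss -ltn` output, $3 = `firewall-cmd --list-ports` output
port_exposure() {
    listeners=$(printf '%s\n' "$2" | exposed_listeners "$1")
    if [ -z "$listeners" ]; then echo "loopback-only"
    elif printf '%s\n' "$3" | firewall_allows "$1"; then echo "exposed"
    else echo "firewalled"
    fi
}

# Default install: Webmin listens on every interface.
SS_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:2222             *:*
LISTEN 0      128    *:10000            *:*
LISTEN 0      128    :::80              :::*'
# Assumed hardening: Webmin bound to loopback only.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:2222             *:*
LISTEN 0      128    127.0.0.1:10000    *:*'
FW_TUNNEL='80/tcp 443/tcp 2222/tcp'            # port 10000 never opened
FW_DIRECT='80/tcp 443/tcp 2222/tcp 10000/tcp'  # the "Not Recommended" setup

port_exposure 10000 "$SS_DEFAULT"  "$FW_TUNNEL"   # firewalled
port_exposure 10000 "$SS_DEFAULT"  "$FW_DIRECT"   # exposed
port_exposure 10000 "$SS_LOOPBACK" "$FW_DIRECT"   # loopback-only
```

On the server itself, run `port_exposure 10000 "$(ss -ltn)" "$(firewall-cmd --zone=external --list-ports)"`; with the tunnel setup described above the answer should be `firewalled`, or `loopback-only` if Webmin is also bound to 127.0.0.1.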