Installing and Securing Webmin on your Centos Web Server

This tutorial is a continuation to Setting up Centos 7 as a web server on Time4VPS and migrating websites from a shared hosting provider published earlier on this blog.

Administering Linux servers can be very boring, and spending your days typing in commands in black terminal screens will eventually get to you. Having tools that automate lengthy command line tasks and supplying you with some colorful graphs can sometimes be refreshing and also impress your boss, even though at the back of your mind you always know that when the brown stuff hits the fan, only a brutal terminal session will eventually save the day :).

Tools like Webmin, and PhpMyAdmin are always nice to have around, however these inherently bring with them security concerns due to  vulnerabilities they could have inside their code, which you really have no control on. Being very popular tools, also means that their default ports and paths are amongst the first to be scanned when looking for a vulnerability.

In this short tutorial, we will see how install Webmin, on our Centos 7 based web server, but instead of opening up the standard port 10000 to access it from the outside world, we will be accessing it over an SSH tunnel from our windows machine, without opening any extra ports.

This tutorial is based on Centos 7 running on a VPS server,  however the methods described can be used on virtually any Linux based server out there. This tutorial assumes you have root access to your server.

We begin by adding the Webmin repo to  yum, which is not included as standard.

#sudo vim /etc/yum.repos.d/webmin.repo

and paste the following into the file :-

[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

Install the GPG key

#rpm --import http://www.webmin.com/jcameron-key.asc

Next we update the repositories

#yum check-update

And install webmin

#yum install webmin
Resolving Dependencies
--> Running transaction check
---> Package webmin.noarch 0:1.831-1 will be installed
--> Processing Dependency: perl(Net::SSLeay) for package: webmin-1.831-1.noarch
--> Running transaction check
---> Package perl-Net-SSLeay.x86_64 0:1.55-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================
 Package                                         Arch                                   Version                                       Repository                              Size
===================================================================================================================================================================================
Installing:
 webmin                                          noarch                                 1.831-1                                       Webmin                                  27 M
Installing for dependencies:
 perl-Net-SSLeay                                 x86_64                                 1.55-4.el7                                    base                                   285 k

Transaction Summary
===================================================================================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 27 M
Installed size: 76 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): perl-Net-SSLeay-1.55-4.el7.x86_64.rpm                                                                                                                | 285 kB  00:00:00
(2/2): webmin-1.831-1.noarch.rpm                                                                                                                            |  27 MB  00:00:21
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                              1.2 MB/s |  27 MB  00:00:21
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : perl-Net-SSLeay-1.55-4.el7.x86_64                                                                                                                               1/2
Operating system is CentOS Linux
  Installing : webmin-1.831-1.noarch                                                                                                                                           2/2
Webmin install complete. You can now login to https://yourserver.com:10000/
as root with your root password.
  Verifying  : webmin-1.831-1.noarch                                                                                                                                           1/2
  Verifying  : perl-Net-SSLeay-1.55-4.el7.x86_64                                                                                                                               2/2

Installed:
  webmin.noarch 0:1.831-1

Dependency Installed:
  perl-Net-SSLeay.x86_64 0:1.55-4.el7

Complete!

Next enable webmin on startup, and start the webmin service.

note : Since webmin is not considered to be a native service, we use chkconfig webmin on instead of the usual systemctl enable webmin to enable webmin on startup. We also start the service using /etc/init.d/webmin start although a systemctl start webmin would also work in most cases

#chkconfig webmin on       
#/etc/init.d/webmin start

Webmin is now up and running, and will be started automatically next time your server is restarted. We just need to make it accessible to the outside world.

note: If you do not want webmin to start automatically on every boot, do not issue the command chkconfig webmin on. To start and stop the service manually, you can run “/etc/init.d/webmin start” and “/etc/init.d/webmin stop” respectively

Accessing webmin directly from the outside world (Not Recommended)

If you wish to access Webmin  directly from any browser connected to the internet all you need to do is open port 10000 to the outside world as follows :-

#firewall-cmd --zone=external --add-port=10000/tcp --permanent

followed by :-

#systemctl restart firewalld

As already stated, this is NOT recommended. Keep in mind that port 10000 is amongst the first ports to be scanned during a port scan, and finding port 10000 open is one step closer to gaining access to your server. At the very least use a different port other than the default 10000, ensure you use strong passwords, and restrict access to the least number of users possible (and most difinitely not root). Also make sure you always use https connections, especially if you need to access the server from a public place using an unknown wifi service.

Accessing webmin securely (the proper way)

The recommended method to access webmin (or any other service on your server securely)  is to leave the default port (10000 in this case) closed to the outside world, and access webmin via an ssh tunnel. Here is how :-

  • If you do not already have it, download a copy of putty – a free ssh and telnet client for windows, from www.putty.org
  • If you have downloaded the installer, just go through it and start the program, if you downloaded the executable, copy it to a new folder in your hard drive, and just double click the executable
  • In Host Name (or IP address), type in the Host name or ip address of your server
  • In Port, type in the SSH port you use to connect to your server
  • Connection type: SSH
  • In Saved Sessions, type in a name to save the settings you are about to do, I usually use the host name itself.

  • Next, from the Category section, click on the + sign near “SSH“, under “Connection“, and select “Tunnels
  • In source port put down 10000
  • In destination put 127.0.0.1:10000

  • Click the add button, and you should see the line L10000   127.0.0.1:10000 added under Forwarded ports

  • Use the scrollbar to scroll back up, and click on Session once again, and hit the “SAVE” button. You should see your settings saved in the “Saved Sessions”

We are now ready to test our connection. Hit the “Open” button, and if your hostname and port are correct, you should be greeted with a back screen with a “login as: ” prompt. Type in your username, and hit the “enter” key.

You will be asked for the password. Type it in, again followed by the “enter” key, and if all goes well, you should be greeted with your server’s $ or # prompt. We are nearly there.

Fire up your favourite browser, and point it to https://127.0.0.1:10000, ignore and bypass the privacy error, and you should be greeted with the webmin login screen

Note : If you want to access webmin over http to avoid the security warnings, you can edit /etc/webmin/miniserv.conf on the server and change the line ssl=1 to ssl=0. This will not have any effect on the security since we are still accessing our server securely via our ssh tunnel.

If you have other services installed which normally require you to open new ports to your server, you can add the forwarding rules in putty under ssh->tunnels and save your session accordingly. Using this method the only 3 ports which you need to open in your server’s firewall are ports 80, 433 for http / https traffic, and another port for ssh connections, preferably not the default of 22, again for security reasons.

The services will be available for as long as you keep your putty ssh session open. Once you logout, the services will become unavailable. The next time you need to access the services via the ssh tunnel, simply start up putty, select your “Saved Session”, hit the “LOAD” button, followed by the “OPEN” button, type in your username and passoword … and voila !

 

 

Leave a reply:

Your email address will not be published.

Site Footer