WebMin
matrixcubed
12-02-2002, 11:57 AM
Man oh man... if anyone didn't know about this package before, they should. Talk about EASY Linux administration. You want users to flock to Linux system administration? Tell them about this program!
WebMin (http://webmin.com)
This has suddenly revived my faith that Linux might be usable after all ... :)
unixtool
12-09-2002, 03:10 PM
About time someone else found this.
newbie1
12-09-2002, 04:56 PM
Got it today and installed it, and as you say, wow, talk about making Linux admin so much easier for the Linux newbie like me. Everyone has to get it.
bwkaz
12-09-2002, 05:55 PM
Heh. Unless you don't want random people sniffing your root password, go ahead and install it.
Yeah, it can be nice, but for security's sake, it should be disabled by default (not that a lot of distros do that, of course :rolleyes: -- this is also most of the reason that distros like Debian don't have it by default). Come on -- letting anyone that can guess (or worse yet, put their NIC into promiscuous mode on your local cable modem segment and listening for packets bound for your machine, and therefore sniff) the root password remotely change all kinds of things on your machine? Sorry, but I think that that specific tradeoff is too far one way.
There will always be a tradeoff between usability and security, of course. I just happen to think that this specific package goes a bit too far one way.
At absolute minimum, block the webmin port from any IP other than a trusted one, or any IP outside your local segment, with some sort of firewall...
mdwatts
12-09-2002, 07:25 PM
My distro (Caldera) has always included Webmin.
newbie1
12-10-2002, 03:08 AM
Originally posted by bwkaz
Heh. Unless you don't want random people sniffing your root password, go ahead and install it.
Yeah, it can be nice, but for security's sake, it should be disabled by default (not that a lot of distros do that, of course :rolleyes: -- this is also most of the reason that distros like Debian don't have it by default). Come on -- letting anyone that can guess (or worse yet, put their NIC into promiscuous mode on your local cable modem segment and listening for packets bound for your machine, and therefore sniff) the root password remotely change all kinds of things on your machine? Sorry, but I think that that specific tradeoff is too far one way.
There will always be a tradeoff between usability and security, of course. I just happen to think that this specific package goes a bit too far one way.
At absolute minimum, block the webmin port from any IP other than a trusted one, or any IP outside your local segment, with some sort of firewall...
Good advice, but if anyone is stupid enough in the first place not to have a firewall up and correctly configured when they run a server, then they deserve to get hacked.
unixtool
12-10-2002, 03:16 AM
uumm, I don't agree. One of the most talked about things on any forum or message board is to RTFM. The security of webmin is in the first paragraphs. AT WHICH POINT, if you didn't read the manual or the readme, then you're asking for problems.
ALWAYS RTFM as it will save your machine one day.
newbie1
12-10-2002, 10:16 AM
Originally posted by unixtool
uumm, I don't agree. One of the most talked about things on any forum or message board is to RTFM. The security of webmin is in the first paragraphs. AT WHICH POINT, if you didn't read the manual or the readme, then you're asking for problems.
ALWAYS RTFM as it will save your machine one day.
Not a very constructive reply,
but to probably clarify what you are saying, just activate SSL in webmin config to encrypt the passwords etc. so they can't be captured.
bwkaz
12-10-2002, 10:41 AM
When you open up the webmin interface in a browser, what URL do you use? http://localhost:<webmin port>/? If so, then your passwords won't be encrypted, as you do not have an SSL connection set up yet when it asks for your password.
You can tunnel webmin through a program like stunnel, to create an SSL connection from the beginning (like I do with SWAT when I have it running -- which actually isn't often anymore). That is more secure against sniffers, but it takes quite a bit of work to get set up...
If you do use https://localhost:<webmin port>/, then I'll have to admit that the people that wrote Webmin are a lot smarter than I thought...
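The two mitigations raised in the thread so far (restricting which addresses may reach Webmin, and turning on SSL so the password is not sent in cleartext) can be checked from the server's configuration. The following is an added example, not part of any post in this thread and not Webmin's own code; it assumes the `ssl` and `allow` keys of Webmin's `miniserv.conf`, and the sample configurations and trusted networks are constructed.

```python
import ipaddress

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text, trusted=("127.0.0.0/8", "192.168.1.0/24")):
    """Return findings for the two risks discussed: cleartext login, open access."""
    conf = parse_conf(text)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]  # assumed trusted ranges
    findings = []
    if conf.get("ssl") != "1":
        findings.append("ssl is off: the login password crosses the wire in cleartext")
    allow = conf.get("allow", "").split()
    if not allow:
        findings.append("no allow list: any source address can reach the login page")
    for entry in allow:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Hostnames cannot be checked offline; flag them for manual review.
            findings.append(f"allow entry {entry!r} is not an IP or network; review by hand")
            continue
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted_nets):
            findings.append(f"allow entry {entry} is outside the trusted networks")
    return findings

# Constructed sample configurations (not taken from a real host).
WEAK = "port=10000\nssl=0\n"
HARDENED = "port=10000\nssl=1\nallow=127.0.0.1 192.168.1.0/24\n"
WIDE_OPEN = "port=10000\nssl=1\nallow=0.0.0.0/0\n"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED), ("wide open", WIDE_OPEN)):
        print(name, audit(sample))
```

An allow list in the configuration complements, and does not replace, the firewall rule suggested earlier in the thread.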
mdwatts
12-10-2002, 08:02 PM
Originally posted by bwkaz
If you do use https://localhost:<webmin port>/, then I'll have to admit that the people that wrote Webmin are a lot smarter than I thought...
That's what I use... :)
newbie1
12-13-2002, 07:37 PM
Originally posted by bwkaz
If you do use https://localhost:<webmin port>/, then I'll have to admit that the people that wrote Webmin are a lot smarter than I thought...
Just finished installing Perl SSL support and now I use https:// :D
matrixcubed
12-18-2002, 08:58 PM
Originally posted by bwkaz
Heh. Unless you don't want random people sniffing your root password, go ahead and install it.
Yeah, it can be nice, but for security's sake, it should be disabled by default
(snip)
Come on -- letting anyone that can guess (or worse yet, put their NIC into promiscuous mode on your local cable modem segment and listening for packets bound for your machine, and therefore sniff) the root password remotely change all kinds of things on your machine? Sorry, but I think that that specific tradeoff is too far one way.
(snip)
Paranoia is nice and fine and everything, but Webmin as a learning tool beats airtight security any day if (a) it's not installed on a critical system, and (b) it's used as a learning tool to acclimate oneself with administration.
For those who are learning to work with different systems and daemons and packages in Linux, the entire thing can be daunting to newcomers. This utility lowers the learning time a little bit (considering the scarcity of documentation for some packages).
bwkaz
12-18-2002, 11:06 PM
Ehhh, it would be a good learning tool as long as it told you what it was doing, so you would be able to learn how to make those changes yourself. However, unless I'm mistaken, it doesn't do that... right?
It is a waste of resources unless you run it from inetd or xinetd.
I personally don't run it on my workstation (isn't Usermin for local admin?) but I do use it on my (firewalled from the Internet) LAN on my server.