Re: firewalld management on a headless server




On Mon, March 27, 2017 17:31, m.roth@xxxxxxxxx wrote:
> Mike wrote:
>> Nice catch, Mr. Schumacher --->  The following modules are included
>> as
>> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
>> Configure a Linux firewall using FirewallD, by editing allowed
>> services and ports.
>>
>> This is likely the right tool for the job.
>>
> Webmin used to be considered insecure, and people would scream and
> yell if you suggested using it. Has that changed?

Webmin is as insecure as the administrator cares to make it.

Our host systems' Webmin instances listen on a reserved IP address
different from the host's DNS entry and that address is only reachable
through the host's firewall from specified IP addresses originating on
our internal LAN.  Further, Webmin is configured to automatically
switch to https and use a certificate generated by our corporate
private CA. Our gateway firewall blocks all access to the port
assigned to Webmin.  One has to tunnel in to one of the pre-determined
host addresses to obtain remote access.

A separate webmin logon is set in the webmin configuration which has
no existence on the host system.

Webmin can also be configured to restrict the hours and days that
access is allowed to specific users, but we have not bothered with
that.

The main known weakness is Webmin's dependency on passwords, which for
all I know is due to my ignorance.  If Webmin does support RSA
certificate authentication then I would love to be told where it is
configured.  However, failing that, very long pass phrases mitigate
the password issue somewhat. Further, Webmin does support two-factor
authentication using Google or Authy.

To my knowledge there are no CVEs reported for Webmin since 2015, and I
believe that all known problems are resolved in the present release.
Which is not to say that there are no exploits left to be uncovered
but then again we can hardly claim that about any software.


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
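The exposure controls described in the message above (a dedicated bind address, HTTPS forced, access limited to a few internal source addresses, the port closed at the firewall) can be checked rather than taken on trust. The script below is an added example, not code from the original post or from the Webmin project: it audits a miniserv.conf for those settings and prints the firewalld rich rules that would admit the Webmin port only from named LAN hosts. The key names port, bind, ssl, ssl_redirect, allow, keyfile and certfile are assumed to match Webmin's miniserv.conf; the addresses 192.0.2.10, 10.1.1.5 and 10.1.1.6, the port 10000 and the two sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Webmin project).
# Assumptions: miniserv.conf is key=value, one per line, with the keys
# port, bind, ssl, ssl_redirect, allow, keyfile, certfile; all addresses,
# the port and the sample files below are constructed for illustration.

# Print the value of key $2 in conf file $1 (first match, empty if unset).
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Audit one miniserv.conf for the exposure controls. Prints each failing
# control and returns the number of failures (0 = all present).
audit_miniserv() {
    conf="$1"
    fails=0
    [ "$(conf_get "$conf" ssl)" = 1 ] \
        || { echo "ssl is not 1: Webmin serves plain HTTP"; fails=$((fails+1)); }
    [ "$(conf_get "$conf" ssl_redirect)" = 1 ] \
        || { echo "ssl_redirect is not 1: HTTP requests are not forced to HTTPS"; fails=$((fails+1)); }
    bindaddr=$(conf_get "$conf" bind)
    case "$bindaddr" in
        ""|"*"|0.0.0.0|::)
            echo "bind is '${bindaddr:-unset}': Webmin listens on every address"
            fails=$((fails+1)) ;;
    esac
    [ -n "$(conf_get "$conf" allow)" ] \
        || { echo "allow is empty: no source-IP restriction inside Webmin"; fails=$((fails+1)); }
    return "$fails"
}

# Print firewalld rich rules admitting TCP port $2 on address $1 only from
# the remaining arguments (real firewall-cmd syntax, printed, not executed).
# Remote access is then via an SSH tunnel, e.g.
#   ssh -N -L 10000:192.0.2.10:10000 admin@internal-host
webmin_firewall_rules() {
    addr="$1"; port="$2"; shift 2
    q="'"
    for src in "$@"; do
        printf 'firewall-cmd --permanent --add-rich-rule=%srule family="ipv4" source address="%s" destination address="%s" port port="%s" protocol="tcp" accept%s\n' \
            "$q" "$src" "$addr" "$port" "$q"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample configs: a default-looking one and a hardened one.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat >"$WEAK" <<'EOF'
port=10000
ssl=0
bind=0.0.0.0
allow=
EOF
cat >"$HARDENED" <<'EOF'
port=10000
bind=192.0.2.10
ssl=1
ssl_redirect=1
keyfile=/etc/webmin/miniserv.pem
certfile=/etc/webmin/webmin.crt
allow=10.1.1.5 10.1.1.6
EOF

echo "== weak config =="
audit_miniserv "$WEAK" || echo "$? control(s) failing"
echo "== hardened config =="
audit_miniserv "$HARDENED" && echo "all controls present"
echo "== firewalld rules for the hardened host =="
webmin_firewall_rules 192.0.2.10 10000 10.1.1.5 10.1.1.6
```

The audit covers only what is written in miniserv.conf; the gateway-level block on the Webmin port and the separate Webmin-only login the message mentions live elsewhere and have to be checked on the gateway and in Webmin's user database respectively.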

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


