Craig White wrote:
> On Fri, 2002-02-22 at 15:09, TXNetwork wrote:
>>Sorry, but everything has been running so smoothly with Webmin that I didn't
>>think it could happen to me...didn't keep Jami's message about how to keep
>>someone from hacking into system through admin or something.
>>Today, found where my etc/fstab file had been altered and the server
>>wouldn't reboot and there was no way to log in as single user. The ISP that
>>runs my server for me finally got in and got the file put back in but he
>>naturally says that it is because I'm using a program like this and leaving
>>myself wide open for hackers.
>>I can't do this without Webmin so...........anyone that kept the
>>instructions, I need the details please.
> webmin is neither the problem nor the solution. It might make things
> easier for a hacker if they were capturing a session and you never
> installed the Net::SSLeay and turned it on but that as I said, is
> neither the problem nor the solution.
> the problem is that you want to be able to remotely administrate your
> server which is 'co-located' at a site that is only reachable through the
> public internet and you haven't the knowledge on how to secure it.
> Only one answer - pay someone to do it for you.
Actually, two answers...the one Craig mentions, and the other, much more
Learn how to secure a Unix machine and do it yourself.
It's more expensive, because a Unix nerd will secure it for you in two
hours for $100-$200 (unless the box has already been rooted, in which
case, the time required to clean up will be huge and you'll need a quite
serious expert--expect to pay $500-$1000 for a proper cleanup). But
learning yourself will take weeks or months, depending on your current
level of knowledge and how much time and effort you devote to the task.
If, as I think you're saying, your box has already been exploited, then
your best bet is to reinstall the OS on the box, update all packages to
the latest errata from your OS vendor, then secure it (not just Webmin),
then put it back into public service. It can usually be fixed without a
reinstall, but take it from someone who has repaired a cracked/rooted
box on several occasions, it isn't easy even for someone who knows what
to look for and how to fix it (and when to say "This can't be
fixed...all reliable methods of tracking the intruder have been wiped
out. Time to reinstall.")
Of course, if you don't learn it yourself, you have to rely on someone
who you may not know is competent to secure your system--and you'll
have no easy way to know if they've done the job correctly. You'll also
have to hire someone every few months to audit your system, to ensure no
exploitable packages are running. It is probably worth the effort to
learn how yourself if you've got a server that you're responsible
for...but securing Webmin is just the tip of the iceberg (and Webmin has
no current exploits as far as I know, so it is secure if configured to
use SSL connections).
But, to answer your question (don't think doing this will solve your
problems, it will not! this will only add a little extra security to
Webmin, which was probably not the problem in the first place):
Configure Webmin to only allow logins from the IP addresses from which
you will be logging in.
Configure Webmin to timeout sessions, if you login from a public
computer (even the computer on your desk at the office).
Make sure you have enabled SSL connections.
You may notice that I haven't told you how to do all of this...the
reason being that it is covered in the Webmin book (perhaps the coverage
is brief, but the topics are quite simple and easy to do). Here's the
link to the correct page in the book:
Again...if your box has been rooted, increasing Webmin's security now is
the equivalent of closing the barn door after all the animals have
escaped. It is pointless--the box is broken. You've got to fix the box
too, or the cracker will be back inside your box in seconds anytime he
wants to be and he won't need Webmin to do it (I doubt he needed Webmin
to start with--as I mentioned, Webmin has no current exploits).
I have never read either document, but the Linux Documentation Project
has two Security QuickStart HOWTOs, which appear to be well worth
reading. Avoid the 'Securing and Optimizing Red Hat Linux' Guide also
found at the LDP, as it is full of incorrect information and bad
advice...the author means well, but doesn't understand half of the
topics he has attempted to cover. The topics he does understand are
nicely covered, but a new sysadmin isn't going to know how to
differentiate the bad from the good, so it does more harm than good.
So, start here:
Feel free to ask me any specific questions you might have, that you
can't find answers for in those docs or web searches. I don't think
system security issues are on-topic for this list, so probably off-list
questions are a good idea. Another good idea is probably to get
yourself onto the most suitable distribution lists (like Red Hat
Newbies, and Red Hat Security, if you're using a Red Hat box)--these
kinds of topics are very much on topic for those lists, and many users
will be going through the same issues.
Joe Cooper <joe@...>
Web Caching Appliances and Support
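The three Webmin settings recommended in the reply above (allow logins only from known addresses, time out idle sessions, require SSL), turned into a small audit script. This is an added example, not part of the original list post and not Webmin's own code; it assumes Webmin's miniserv.conf uses the keys ssl=, allow= and logouttime= (verify these against your own Webmin version's documentation before relying on the script), and the two sample configuration files it checks are constructed inline for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Webmin: audit a
# miniserv.conf for the three hardening settings the reply recommends.
# Assumed keys (check your Webmin version): ssl=, allow=, logouttime=.

# Print the value of a "key=value" line from a miniserv.conf-style file.
# Prints nothing if the key is absent.  $1 = file, $2 = key
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Report on the three settings.  Returns 0 only if ssl=1, an allow= list
# is present, and logouttime= is a positive number of minutes.
audit_miniserv() {
    conf="$1"
    rc=0
    ssl=$(conf_get "$conf" ssl)
    allow=$(conf_get "$conf" allow)
    logout=$(conf_get "$conf" logouttime)

    if [ "$ssl" = "1" ]; then
        echo "OK   ssl=1 (requires Net::SSLeay to be installed)"
    else
        echo "WARN ssl not enabled: logins and sessions cross the network in the clear"
        rc=1
    fi

    if [ -n "$allow" ]; then
        echo "OK   allow=$allow"
    else
        echo "WARN no allow= list: any address on the Internet may try to log in"
        rc=1
    fi

    case "$logout" in
        ''|*[!0-9]*|0)
            echo "WARN logouttime unset or zero: idle sessions never expire"
            rc=1 ;;
        *)
            echo "OK   logouttime=$logout minute(s)" ;;
    esac
    return $rc
}

# Constructed sample configs (not real files from any server).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port=10000
ssl=0
logouttime=0
EOF

HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
port=10000
ssl=1
keyfile=/etc/webmin/miniserv.pem
allow=203.0.113.5 198.51.100.0/24
logouttime=10
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

echo "--- weak configuration ---"
audit_miniserv "$WEAK_CONF" || echo "=> fails the audit"
echo "--- hardened configuration ---"
audit_miniserv "$HARD_CONF" && echo "=> passes the audit"
```

Run it against a real file with `audit_miniserv /etc/webmin/miniserv.conf` (the usual location on Red Hat-style installs; adjust the path if your install differs). The exit status makes it usable from cron as a periodic check, which is the kind of recurring audit the reply says you will otherwise be paying someone to perform. As the reply stresses, passing this audit says nothing about whether the rest of the box is clean.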