#4302 security issue: webmin configuration -> Ports and Addresses

Milestone: 1.650
Status: closed-fixed
Owner: nobody
Priority: 5
Updated: 2014-10-30
Created: 2013-10-03
Creator: johann
Private: No

these are my settings:

IP addresses and ports
Listen on IPs and ports
Bind to IP address [IP is entered] Listen on port [port is entered]

Open new ports on firewall? [checked]
Accept IPv6 connections? ['No' is selected]
Listen for broadcasts on UDP port [port is selected]
Web server hostname ['Work out from browser' is selected]
Reverse-resolve connected IP address? ['Yes' is selected]

this is what i get:

`>>>>>     All Connections/Listeners     <<<<<`
`Proto    Local Address               Remote Address    Status    PID/Program name`
`tcp      0 0.0.0.0:[selected port]   0.0.0.0:*         LISTEN    3522/perl`
`udp      0 0.0.0.0:[selected port]   0.0.0.0:*         LISTEN    3522/perl`

salient points:
1.) obviously, the IPv4 binding that is set is not working;
2.) the TCP port that is entered is established solely for webmin and is working;
3.) the IPv6 exclusion is working;
4.) the port opening on the firewall is not working; and
5.) i am not at all certain why/how UDP is used in webmin, but it is allowed nonetheless and working.

it is easy enough for me to control access via iptables since i want only one (1) IP used and the port selected is webmin-dedicated. however, this is a needless, extra manual step that would be obviated if the webmin configuration actually worked as it seems to be intended.

one further IP-port-related item: webmin seems to always open unique connections for every little step it executes. this is not really a problem for modern systems, but it does seem that connection-reuse might be worth addressing. to wit, today when i was looking at the config binding module and a couple of other things i ran my connection analysis script (webmin output, supra). there i saw that webmin had a total of 27 connections open. of course, these are only the ones that had not timed out before i checked.

--
thank you,

johann

Discussion

  • Jamie Cameron
    2013-10-04

    What command are you using to show the IPs and ports in use? In my tests, selecting "Only address" and entering an IP in the next field does correctly bind Webmin to that IP.

    FYI, the UDP port is used to find other Webmin servers on the same LAN. You can disable this with the "Listen for broadcasts on UDP port" field.

  • johann
    2013-10-04

    yes, i am using "Only address" as well. in the script i am using:
    command: 'netstat -aplntu'
    bash: '4.1.2(1)'
    linux: '2.6.32-358.18.1' x86_64

    thank you for the UDP info. where i have several related servers on a LAN, i have yet to explore your clustering business.

  • Jamie Cameron
    2013-10-04

    Can you test which IP Webmin is actually listening on by trying to connect using a different IP on your system? I.e. with "telnet localhost 10000"

  • johann
    2013-10-05

    all IPs

  • Jamie Cameron
    2013-10-05

    Is that the only row you have entered in the "Listen on IPs and ports" table?

  • johann
    2013-10-05

    yes.

  • johann
    2013-10-05

    more info:

    when there are multiple IPs on the WAN (and webmin is set to listen to only a single IP), the listening gets set to ALL IPs on ALL interfaces: LAN and WAN. if there is only a single IP on the WAN, then webmin actually only listens on the single IP (not 0.0.0.0) on the WAN (as is set in webmin) and does not listen on the LAN.

  • johann
    2013-10-05

    even better info:

    a while ago i re-arranged the IPs to keep related servers in IP sequence. a meaningless exercise, but it makes it easier to remember. when i did this, i did change the webmin listen-to addr. somehow this did not take and there is still a hold-over buried in webmin that has not changed. unfortunately, i did not look closely at the IP that was set to realize that it was still the old IP. just now i picked up on the fact that the old IPs are being retained in webmin somehow.

    taking one server with multiple WAN IPs: to wit (sys info page),
    System hostname xxx.yyy.us (a.b.c.129)
    this is the old primary IP. the new primary IP is a.e.f.129 for xxx.yyy.us as would be garnered from DNS. however, i had changed the addr to a.e.f.130 which is a non-primary, non-DNS IP on the WAN that i secluded a couple servers on ... including webmin, i thought.

    apparently, since the listen-to change did not take and a.b.c.129 is dead now, webmin had to do something and it just ignores the listen-to and goes all out as we have seen.

    i am sorry that i did not catch the IP difference, but the old/new numbers are so close that it did not register and, of course, the number i saw was very familiar to me sub-consciously.

    i guess that the only way webmin can guard against this stupidity by the client is to actually try a connection to itself over the entered IP (or a localized solution if webmin was on a different IP) before the IP can be saved.

    Last edit: johann 2013-10-05
  • Jamie Cameron
    2013-10-06

    It's possible that Webmin isn't starting up on the new IP, in which case it will fall back to listening on all IPs. You can verify this by SSHing in as root and running:

    `/etc/webmin/stop`
    `/etc/webmin/start`

    and seeing if any errors are output.

  • johann
    2013-10-06

    in all cases where the old IP was being called out, i previously had restarted webmin from the web IF, restarted the n/w, re-booted the entire server, et cetera. in none of these cases were any errors thrown, or i would have been alerted to the fact that something was amiss. this, naturally, is not how you must want things to execute.

    now that i realize that this error can unnoticeably occur, i have checked all the multi-IP servers and made certain that the right addr is being called out. when the IP is actually in the server's config, webmin does select the solely-assigned IP as was intended.

  • Jamie Cameron
    2013-10-06

    • status: open --> closed-fixed
  • Jamie Cameron
    2013-10-06

    I'll add validation to prevent this situation in the 1.670 Webmin release.
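The two checks this thread converges on, as an added example that is not Webmin's own code or the validation Jamie refers to: johann's suggestion that a bind address should be validated before it is saved, and Jamie's note that a listener which cannot start on the configured IP falls back to all IPs. The script below (a) refuses a bind address that is not assigned to any local interface, and (b) inspects `netstat -lnt`/`ss -lnt`-style output to tell whether the listener on the Webmin port is bound to the intended address, to the `0.0.0.0`/`::` wildcard, or not at all. The default sources (`ip -o -4 addr show`, `netstat -lnt`, `ss -lnt`) and the port value are assumptions for illustration; the addresses and listener lines used in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of Webmin. Checks for the situation described in the
# ticket: a configured bind address that the host no longer owns, and a listener
# that silently fell back to the wildcard address as a result.

# Addresses assigned to local interfaces, one per line. Reads `ip -o -4 addr`
# by default (assumption); a pre-collected list may be passed as $1 so the
# checks can run offline.
local_addrs() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        ip -o -4 addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
    fi
}

# ip_is_local ADDR [ADDR_LIST] -> exit 0 if ADDR is assigned to this host.
# This is the save-time validation johann asked for: an address the host does
# not own cannot be listened on, so it should be rejected instead of saved.
ip_is_local() {
    local_addrs "$2" | grep -qxF -- "$1"
}

# bind_addr PORT NETSTAT_OUTPUT -> the local address(es) bound on PORT, one per
# line, brackets stripped (ss prints "[::]:10000", netstat prints ":::10000").
# Both netstat -lnt and ss -lnt put the local address:port in column 4.
bind_addr() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $4 ~ (":" port "$") {
            a = $4
            sub(/:[0-9]+$/, "", a)   # drop the port
            gsub(/\[|\]/, "", a)     # drop IPv6 brackets
            print a
        }' | sort -u
}

# check_bind ADDR PORT [ADDR_LIST] [NETSTAT_OUTPUT] -> prints a verdict and
# returns 0 only when ADDR is local and the listener on PORT is bound to it.
#   1  ADDR is not a local address (refuse to save it)
#   2  listener fell back to the wildcard (0.0.0.0, :: or *)
#   3  nothing is listening on PORT
#   4  listener is bound to some other specific address
check_bind() {
    addr=$1; port=$2
    if ! ip_is_local "$addr" "$3"; then
        echo "refuse: $addr is not assigned to any local interface"
        return 1
    fi
    # Live listener table unless one was supplied; netstat first, then ss.
    out=${4-$(netstat -lnt 2>/dev/null || ss -lnt 2>/dev/null)}
    bound=$(bind_addr "$port" "$out")
    [ -n "$bound" ] || { echo "warn: nothing is listening on port $port"; return 3; }
    for b in $bound; do
        case $b in
            0.0.0.0|::|'*')
                echo "warn: port $port is bound to all addresses ($b), not $addr"
                return 2 ;;
        esac
    done
    if printf '%s\n' "$bound" | grep -qxF -- "$addr"; then
        echo "ok: port $port is bound to $addr"
        return 0
    fi
    echo "warn: port $port is bound to $(echo $bound), not $addr"
    return 4
}

# Usage: sh check_bind.sh BIND_ADDR PORT   (e.g. the values from the
# "Listen on IPs and ports" table). With no arguments only the functions load.
if [ $# -ge 2 ]; then
    check_bind "$1" "$2"
fi
```

Run against a live host it reports the same thing the ticket's netstat output showed, but in one word: a `0.0.0.0:PORT` row with a specific address configured is the fallback case, and the return code lets a restart script or monitor refuse the new address before it is written.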