Webmin 1.620 BEAST attack

  • Dave Bateson


    I'm having problems getting my server past a PCI compliance vulnerability scan. When I scan the server, it complains that the Webmin port I'm using is open to BEAST attacks.

    I've upgraded Webmin to 1.620, disabled SSL compression (which, according to the changelog, should fix the BEAST vulnerability) and set the SSL ciphers to 'Only strong PCI-compliant ciphers', but it still fails the scan due to the BEAST vulnerability on the Webmin port. This is the only thing that the server is failing on.
    Does anyone know if there's something else I need to do, or have I missed something?

    I'm totally stuck, so any help would be appreciated.


  • Richard Mott

    I presume you want to run Webmin from a remote PC? Does the PCI scan allow you an SSH port? If so, you could try this. First configure Webmin so that it is only available from localhost. Then, on your remote PC, run ssh to create a tunnel and use port forwarding. It is best, maybe necessary for PCI, to use SSH authentication with a key file rather than user/password. On the server, Webmin sees only a localhost connection, so you can leave the Webmin port closed in your firewall. I do this on a Windows PC using PuTTY and it is easy.
    Good luck.
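The procedure above (bind Webmin to localhost, reach it over an SSH tunnel with key authentication, confirm the port is no longer exposed) as an added shell example. This is not code from the thread or from the Webmin project; it assumes Webmin's config lives at /etc/webmin/miniserv.conf, that the login is admin@server.example.com with key ~/.ssh/id_ed25519, and it uses constructed `ss -ltn` output for the verification step.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed paths and names:
# /etc/webmin/miniserv.conf, user admin, host server.example.com, key id_ed25519.

# Step 1: make Webmin listen on the loopback address only and accept only
# loopback clients. 'bind' and 'allow' are miniserv.conf options that the
# "Ports and Addresses" / "IP Access Control" pages in Webmin also write.
# $1 is the config path; the file is rewritten in place. Restart Webmin
# afterwards (e.g. /etc/webmin/restart, assumed install layout).
webmin_localhost_only() {
    conf="$1"
    tmp="${conf}.tmp"
    # Drop any existing bind=/allow= lines, then append the hardened values.
    grep -v -e '^bind=' -e '^allow=' "$conf" > "$tmp"
    printf 'bind=127.0.0.1\nallow=127.0.0.1\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Step 2: build the ssh command run on the remote PC. Local port $2 is
# forwarded to 127.0.0.1:$3 on the server, so the browser uses
# https://localhost:$2. PasswordAuthentication=no forces key-only login;
# ExitOnForwardFailure=yes makes ssh fail loudly if the local port is taken.
tunnel_cmd() {
    host="$1"; lport="$2"; rport="$3"; key="$4"
    printf 'ssh -N -i %s -o IdentitiesOnly=yes -o PasswordAuthentication=no -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s\n' \
        "$key" "$lport" "$rport" "$host"
}

# Step 3: check on the server that nothing listens on the Webmin port except
# on loopback. $1 is the port, $2 is the text of `ss -ltn` (column 4 is the
# local address:port). Returns 0 when only 127.0.0.1/::1 listen on that port.
listener_is_loopback_only() {
    port="$1"; ss_output="$2"
    printf '%s\n' "$ss_output" | awk -v p=":$port" '
        BEGIN { pat = p "$" }
        $4 ~ pat && $4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/ { found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Demonstration on a constructed config and constructed ss output.
demo() {
    d=$(mktemp -d)
    printf 'port=10000\nssl=1\nbind=0.0.0.0\nallow=203.0.113.5\nssl_compression=0\n' > "$d/miniserv.conf"
    webmin_localhost_only "$d/miniserv.conf"
    echo "hardened config:"; cat "$d/miniserv.conf"
    echo "run on the remote PC:"; tunnel_cmd admin@server.example.com 10000 10000 ~/.ssh/id_ed25519
    # Constructed output representing the server before and after the change.
    before="LISTEN 0 128 0.0.0.0:10000 0.0.0.0:*"
    after="LISTEN 0 128 127.0.0.1:10000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"
    listener_is_loopback_only 10000 "$before" && echo "before: ok" || echo "before: port 10000 exposed"
    listener_is_loopback_only 10000 "$after"  && echo "after: ok"  || echo "after: port 10000 exposed"
    rm -rf "$d"
}

demo
```

Once the listener check passes, the scanner cannot reach the Webmin TLS endpoint at all, so the BEAST finding on that port disappears along with every other finding against it; the SSH port is what the scan sees instead, so keep that on key-only authentication. If the server also has an IPv6 address, confirm the `[::]:10000` case with the same check.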