I'm using Virtualmin 4.04 on CentOS 6.5 on my servers. My main servers have several scheduled backups set up. When I create new backups, the password for the FTP servers is replaced with **, all looks great. But today I did find all my login info to my backup servers in clear text in /var/webmin/webmin.log. When I set up Virtualmin I always use the "hashed password" setting, but still, in the webmin.log all login info (ftp server:password@username) is clear as daylight.
This can't be good? If anybody gets access to my server and my logs, they can get all the important login info to my backup servers.
I have now created a script and a cron job deleting /var/webmin/webmin.log every minute.
But am I missing some important settings or something in Virtualmin/webmin allowing the FTP info for my backup servers to be written in clear text in the logfile?
Here are two pictures showing the issue:
Here I set up a scheduled backup in Virtualmin ( http://myhken.info/div/020214webmin1.jpg )
Here you can see in my /var/webmin/webmin.log that my logon info to my FTP server is in clear text. ( http://myhken.info/div/020214webmin2.jpg )
And here you can see that other passwords, when I create a Virtualmin user, are hashed, so the hashed password function does work and is activated:
( http://myhken.info/div/020214webmin3.jpg )
I am guessing that your actual backup is also logged into as plain text. You should check that at the backup server log. It also appears that password@user is not the correct syntax, that perhaps you have an entry error because it is always user@somewhere. Meanwhile just do not write the log item.
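
Added example, not part of the thread: a small Python filter that finds backup destinations of the form scheme://user:password@host in log lines and masks the password, so a log can be checked for exposed credentials without reprinting the secret. The log lines are constructed samples and the URL form of the destination is an assumption; the thread does not show the real webmin.log layout in text.

```python
import re

# Matches scheme://user:password@host. The password group is greedy, so an
# unencoded '@' or ':' inside the password is still covered (last '@' wins).
CRED_URL = re.compile(
    r"(?P<scheme>\b(?:ftp|ftps|sftp|ssh)://)"
    r"(?P<user>[^\s:/@'\"]+):"
    r"(?P<pw>[^\s/'\"]+)@"
    r"(?P<host>[^\s/@'\"]+)",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (line with passwords masked, number of passwords found)."""
    return CRED_URL.subn(r"\g<scheme>\g<user>:***@\g<host>", line)

def scan(lines):
    """Return [(line_number, redacted_line)] for lines that held a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_line(line.rstrip("\n"))
        if found:
            hits.append((number, redacted))
    return hits

# Constructed sample lines; not copied from a real webmin.log.
SAMPLE_LOG = [
    "[02/Feb/2014 10:40:01] root virtual-server backup dest='ftp://backupuser:S3cr3t!@ftp.example.net/daily'",
    "[02/Feb/2014 10:41:12] root virtual-server create user=alice pass=$1$abcdefgh$hashedvalue",
    "[02/Feb/2014 10:45:30] root virtual-server backup dest='ssh://bk:p@ss:word@10.0.0.5/srv/backups'",
    "[02/Feb/2014 10:50:00] root virtual-server backup dest='ftp://ftp.example.net/anonymous'",
]

if __name__ == "__main__":
    # Only the line number and the masked form are printed, never the secret.
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```
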