Note: I'm not arguing for or against a particular method - just discussing the 
issue to make sure the pertinent issues are covered.

On Wednesday 09 February 2005 17:36, Niels Voll wrote:
> Shawn wrote:
> >While Webmin is a decent tool, you should very carefully consider
> > things before making it available to the general public via an external
> > connection to the net.  I believe most of the security problems have been
> > resolved, but if someone happens to guess your password, they can do
> > whatever they want to your server/network.
>
> and the difference from guessing an SSH password would be ...         ?

Point taken (and alluded to in the paragraph that followed...)

> >Granted, if they can get past your authentication you
> >probably have bigger problems, but it doesn't make sense to give an
> > attacker a nice pretty interface to wreak havoc with.
> >
> >Webmin is a great tool, best used internally.  On the other hand, if you
> > can SSH into the network, and then run webmin, that would be a little
> > more secure.
>
> why?

Webmin works over the HTTP protocol - which is easy enough to get information 
from.  Even with SSL, only the packets between the host and client are 
encrypted - except for the initial handshake needed for SSL.  (I get the 
feeling this might be a point I'm about to be corrected on?)  With SSH, 
EVERYTHING is encrypted in all communications between the two boxes involved.  
The point can be argued either way, I guess.

>
> >Kin, I think the tool you're after is SSH by itself.
>
> - if you don't mind command line interface,
> - if you already have or don't mind installing SSH client software at
> the remote client

PuTTY is only a few kilobytes, doesn't need to be "installed", and doesn't 
touch the Windows registry (I could be wrong on that, but I believe it stores 
any persistent settings in a file someplace).  If you want to use VNC - you 
have to install client software anyways (well, I guess you could use a web 
interface, but that's not a win for either side of the discussion - there are 
web based SSH tools).  

As for the "command line interface", as I mentioned, this isn't necessarily 
true.  It likely is if you are remoting in from a Windows box.  But you CAN 
install the X libraries via Cygwin, and then use the ssh -X trick to run the 
native graphical management tools on the remote box.  (I know this works 
because I have a very small fluxbox desktop on my laptop, and am able to use 
it to pull up the KDE apps installed on my desktop computer just fine - KDE is 
NOT installed on the laptop).  So, a pure ssh solution that allows a 
graphical interface is possible (with a bit higher learning curve though - 
but that's what script/batch files are for).  

My apologies if I'm wrong, but I think Kin was looking to remotely manage his 
Linux servers.  In that case, EVERYTHING can be done from the command line.  
If that's not the case, then I'll concede the point - there are some apps 
that just need the graphical interface in Windows to manage - MS Exchange for 
instance.

> I'd be interested in those resources ...
http://www.webmin.com/faq.html 
- helpful document, but if you read it with a view on security, there are a 
few points that "could" lead to compromise easier than with SSH - for 
instance, you don't HAVE to use SSL.  They do offer methods to tighten 
security as well (allowed IP list), but the question is a) if the default 
configuration is secure enough (for you), and b) if the average person 
installing webmin knows enough to make/keep it secure.  Yep, the same could 
be said about SSH.  Where security is concerned, how paranoid is too 
paranoid?

From a php3 document, so it is likely dated...
"One thing to be aware of in Webmin is that the username and password are sent 
unencrypted between your browser and the server. You should only use it on a 
private network, or on your local host."
- http://www.linuxnovice.org/main_software.php3?VIEW=VIEW&t_id=84

er.. Caldera is now known as SCO - nuff said? (they've lost MY trust at least)
I'm sure it's just an old document though.... :)
"Developed independently, Webmin was acquired by Caldera in the first quarter 
of 2000" - http://linuxbook.orbdesigns.com/ch13/btlb_c13.html

> Maybe you're right, but I'd be interested, what might explain the
> popularity of default password attacks into numerous default user-ids
> (those required by various server software) via SSH (as
> observed/discussed on this list a few times)? As a result I have
> disabled SSH access to my servers. I personally don't like the idea that
> some server software I may install just might create a default
> userid/password combination, which I have to hunt down and change before
> someone else uses it.

Yep, SSH could be set up badly, and present as big a security hole as a badly 
set up web server.  I think this is one of those discussions where the 
"right" answer is highly subjective and is only really pertinent to the 
system in question (in this case, Kin's servers/workstations, and his comfort 
level with the tools available).  For me, using a web interface to manage my 
network just seems wrong, and asking for trouble - but that's only 
opinion/intuition based on my experiences.

Shawn

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
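The thread above turns on two Webmin settings: whether SSL is enabled at all, and whether an "allowed IP list" restricts who can reach the login page. The script below is an added example (not Webmin's code and not from any poster on the list) that audits a miniserv.conf-style key=value file for those two knobs. It assumes the `ssl=` and `allow=` keys of Webmin's /etc/webmin/miniserv.conf; the two sample configurations embedded in it are constructed for illustration, one default-looking and one tightened.

```python
"""Audit a Webmin miniserv.conf for the two settings debated on the list:
is SSL turned on, and is an IP allow-list configured?

Added example, not Webmin's own code. Assumes the key=value layout of
/etc/webmin/miniserv.conf with the keys `ssl` and `allow`.
"""

# Constructed sample: a default-looking config with SSL off and no allow-list.
WEAK_CONF = """\
port=10000
root=/usr/share/webmin
ssl=0
"""

# Constructed sample: SSL forced on and logins limited to the LAN and localhost.
HARDENED_CONF = """\
port=10000
root=/usr/share/webmin
ssl=1
allow=192.168.1.0/255.255.255.0 127.0.0.1
"""


def parse_miniserv(text):
    """Parse key=value lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both knobs are set."""
    conf = parse_miniserv(text)
    findings = []

    # Webmin does not require SSL (ssl=1); without it the login form and
    # session cookie cross the wire in clear text, exactly the concern in
    # the quoted linuxnovice document.
    if conf.get("ssl", "0") != "1":
        findings.append("ssl is not enabled: credentials travel in clear text")

    # With no allow= list, any source address that can reach the port gets
    # to try passwords against the login page.
    if not conf.get("allow", "").split():
        findings.append("no allow list: any source address may reach the login page")

    return findings


def audit_file(path):
    """Convenience wrapper for a real file, e.g. /etc/webmin/miniserv.conf."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it against a live server with `audit_file("/etc/webmin/miniserv.conf")`; an empty result only means these two settings are present, not that the rest of the configuration (or the password quality the thread keeps returning to) is sound.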
**Please remove these lines when replying