a b wrote:
A friend is looking to remotely administer a UNIX box from anywhere in the world. Webmin attracts him, but I'm not over keen on the idea of having a program like that which runs as root open to the whole world. It must be quite attractive to hackers if they find webmin running.

After thinking about it, I had this idea; How about making a stealth firewall with ipfilter, that ignores all attempts to connect. The firewall logs denied packets to a log file. The log file is parsed by a program which will open the port used by webmin (say 54321) if and only if:

a) Someone tries to connect to port 1000
b) From the same IP next tried to connect to port 13233
c) From the same IP next tries to connect to port 3244

(or any other random combination of ports). Then and only then the firewall is opened to the port with webmin running (54321).

So in order to access webmin, you would from your browser try:

http://www.somsite.com:1000 // ignored
http://www.somsite.com:13233 //ignored
http://www.somsite.com:3244 // now causes port 54321 to be opened

<snip>

Thoughts?


It's not a bad idea, however I really recommend against the webmin part.

I don't like the webmin idea myself either. But my friend wants a GUI, as his knowledge of UNIX is not that much.

Standard practice in such situations has been to connect the servers to an RSM or a CMS, reconfigure them to use ttya for console I/O, and configure the FW to allow SSH on an arbitrary port on the FW. With the RSM/ALOM/CMS solution, you get the critical functionality of being able to stop, start and troubleshoot the remote hosts as if you were physically present on the console.

Of course, how exactly one solves the SSH access is left to one's imagination... sky is the limit.

Having console access for me is quite important, as I'm going to be the one to debug it. We were thinking of using another Sun, configured with ssh and not much else, to give that.
--
David Kirkby,
G8WRB

Please check out http://www.g8wrb.org/
or if you live in Essex http://www.southminster-branch-line.org.uk/
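The knock scheme described in the quoted message, written out as an added example (this is not code from anyone in the thread): a parser for ipmon blocked-packet lines feeding a per-source state machine that only fires when one IP hits 1000, then 13233, then 3244, in order, within a time window. Assumptions, not taken from the thread: the ipmon line format and the ipf rule syntax shown (both need checking against the local ipfilter), the 30-second window, and the sample log lines, which are constructed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Knock sequence from the post: 1000, then 13233, then 3244, all from the same IP.
KNOCK_SEQUENCE = (1000, 13233, 3244)
PROTECTED_PORT = 54321      # the port webmin listens on
KNOCK_WINDOW = 30.0         # seconds allowed from first to last knock (assumed value)

# Assumed ipmon-style blocked-packet line (verify against real ipmon output):
# "12/04/2002 14:33:21.123456 hme0 @0:1 b 203.0.113.5,40000 -> 198.51.100.7,1000 PR tcp len 20 60 -S IN"
LOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\S+\s+@\S+\s+"
    r"(?P<action>[bp])\s+(?P<src>\d+\.\d+\.\d+\.\d+),\d+\s+->\s+"
    r"\d+\.\d+\.\d+\.\d+,(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)


def parse_blocked(line: str) -> Optional[Tuple[float, str, int]]:
    """Return (timestamp, src_ip, dst_port) for a blocked TCP packet, else None.
    Passed packets ('p') and non-TCP traffic are ignored."""
    m = LOG_RE.match(line)
    if not m or m.group("action") != "b" or m.group("proto") != "tcp":
        return None
    ts = datetime.strptime(m.group("date") + " " + m.group("time"), "%d/%m/%Y %H:%M:%S.%f")
    return ts.timestamp(), m.group("src"), int(m.group("dport"))


class KnockTracker:
    """Per-source state machine over blocked connection attempts."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.state: Dict[str, Tuple[int, float]] = {}   # src -> (next index, time of first knock)

    def feed(self, now: float, src: str, dport: int) -> bool:
        """Record one attempt; True exactly when src completes the whole sequence in order."""
        idx, started = self.state.get(src, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now       # partial knock went stale: start over
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx, started = 1, now       # wrong port, but it is the first knock: restart there
        else:
            self.state.pop(src, None)   # anything else resets, so a linear port scan never completes it
            return False
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True
        self.state[src] = (idx, started)
        return False


def open_rule(src: str, port: int = PROTECTED_PORT) -> str:
    """ipf rule admitting only the knocking host to the webmin port (syntax assumed; check ipf(5)).
    Loading it and removing it again later is left to the operator."""
    return f"pass in quick proto tcp from {src} to any port = {port} flags S keep state"


def process_log(lines: List[str], tracker: Optional[KnockTracker] = None) -> List[str]:
    """Feed ipmon lines through the tracker and return the rules to add, in order."""
    tracker = tracker or KnockTracker()
    rules: List[str] = []
    for line in lines:
        parsed = parse_blocked(line)
        if parsed is None:
            continue
        now, src, dport = parsed
        if tracker.feed(now, src, dport):
            rules.append(open_rule(src))
    return rules


def _line(t: str, action: str, src: str, dport: int) -> str:
    # Constructed sample line in the assumed ipmon format above.
    return f"12/04/2002 {t} hme0 @0:1 {action} {src},40000 -> 198.51.100.7,{dport} PR tcp len 20 60 -S IN"


SAMPLE_LOG = [
    _line("14:33:21.000001", "b", "203.0.113.5", 1000),     # knock 1
    _line("14:33:22.000001", "b", "198.51.100.9", 13233),   # stranger hits knock 2 alone: no
    _line("14:33:23.000001", "b", "203.0.113.5", 13233),    # knock 2
    _line("14:33:24.000001", "p", "203.0.113.5", 22),       # passed packet: ignored
    _line("14:33:25.000001", "b", "203.0.113.5", 3244),     # knock 3: open 54321 for 203.0.113.5
    _line("14:33:26.000001", "b", "198.51.100.9", 3244),    # never started at 1000: no
    _line("14:34:00.000001", "b", "192.0.2.77", 1000),      # knock 1 ...
    _line("14:35:00.000001", "b", "192.0.2.77", 13233),     # ... 60 s later: window expired, reset
    _line("14:35:01.000001", "b", "192.0.2.77", 3244),      # so this does not complete it
]

if __name__ == "__main__":
    for rule in process_log(SAMPLE_LOG):
        print(rule)
```

Run against the constructed log it emits exactly one rule, for 203.0.113.5. Two things the example deliberately leaves to the operator: the three knocks cross the network in the clear, so anyone who can see the path can replay them (the rule at least admits only the knocking address), and the opened rule has to be removed again after the session.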

