Hacked systems and the law

Dustin Decker dustind at moon-lite.com
Wed Apr 23 14:41:01 CDT 2003


On Tue, 22 Apr 2003, Jonathan Hutchins wrote:

> I thought webmin was inherently insecure.  Wouldn't you feel better having 
> direct, secure control over the config files? 

Webmin is like any other control applet - it can be made very insecure 
very easily.  Out of the box, if you have OpenSSL available at install 
time, you can make use of it.

Were I to make a suggestion, I would assign it to a port other than the 
default 10000, and perhaps go so far as to assign it to an aliased NIC, 
such as eth0:1 and bind a separate IP for that function.  Then use ssh, 
port forward to it post authentication, and wind up with an additional 
layer of separation.  

I guess what I mean is I don't think I'd put webmin directly on the
Internet if I had alternatives.

I use webmin from time to time - but my definition of "use" is in that I 
will set it up for a client who knows nothing about a system they've 
purchased from me so they can admin those things they need to be concerned 
about, and not call (and needlessly pay) me to make _simple_ changes.  If 
I'm doing the changes, I prefer to do them by hand.  One certainly runs 
the risk of winding up in total "click and drool" territory if they rely 
solely on the GUI to get things done.

Dustin

-- 
o-----------------------------------o
| Dustin Decker - CNA, MCP          |
| dustin at dustindecker.com       o-------------------------------------o
| Network Engineer              | "One Architecture, One OS" also     |
| Preferred Physicians Group    |  translates as "One Egg,            |
o-------------------------------|  One Basket."                       |
                                o-------------------------------------o
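
The layout suggested in the message above (non-default port, dedicated alias IP, SSL, reached over an SSH forward), as an added example that is not part of the original post: a shell check of a Webmin miniserv.conf. The port 10443, the address 192.0.2.10 and admin@server.example are constructed placeholders; port=, bind= and ssl= are miniserv.conf keys.

```shell
#!/bin/sh
# Added example: audit a Webmin miniserv.conf against the layout in the post.
# port=, bind= and ssl= are miniserv.conf keys; all sample values are constructed.

# Print the value of key $2 from config file $1 (last occurrence wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print findings and return how many there are (0 = matches the layout).
audit_miniserv() {
    conf=$1
    findings=0
    port=$(conf_get "$conf" port)
    bind=$(conf_get "$conf" bind)
    ssl=$(conf_get "$conf" ssl)

    if [ -z "$port" ] || [ "$port" = "10000" ]; then
        echo "FINDING: port is the default 10000 (or unset)"
        findings=$((findings + 1))
    fi
    case "$bind" in
        ""|0.0.0.0)
            echo "FINDING: no dedicated bind address, listens on every interface"
            findings=$((findings + 1)) ;;
    esac
    if [ "$ssl" != "1" ]; then
        echo "FINDING: ssl is not enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: alias IP 192.0.2.10 (e.g. on eth0:1), port 10443, SSL on.
sample=$(mktemp)
printf 'port=10443\nbind=192.0.2.10\nssl=1\n' > "$sample"
audit_miniserv "$sample" && echo "OK: matches the suggested layout"
rm -f "$sample"

# Reaching it afterwards through an SSH port forward (placeholder host):
#   ssh -L 10443:192.0.2.10:10443 admin@server.example
#   then browse to https://localhost:10443/
```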
