[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 23 Jan 2002 22:35:29 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Brandon,
> I removed WebMin for this reason. However, it seems like it'd be an
> excellent backup should SSH ever fail or be unavailable for whatever
> reason.
I've had that only once so far. In that case I simply reinstalled the SSH-PKG
through the Cobalt GUI and had it up and accessible again. However, I would
have used the Admin GUI to temporary re-enabled Telnet for that purpose had I
not had a static ipchains rule in place which prevented Telnet from working.
> How could you go about (safely) creating a HTML page, accessable
> via SSL, that once you supplied the proper credentials, could fire up the
> WebMin application? Effectively, allowing one to trigger the process at
> will? Your thoughts?
That's a possibility, but just one of 'em. If I'd implement it that way
(if!), then I'd use a small PERL or PHP script with the "exec" command which
would execute "/etc/webmin/start". However, the webmin start stcript can only
be run by the user "root" and not unprivileged users like "httpd" (as which
apache runs) or site users (under whose name scripts usually run). So this
certainly will not work without the "sudo" command which I'd never ever use
in combination with a PERL or PHP script - for security reasons. It would be
too easy for a remote (and easier for a local) user to find ways to exploit
this setup.
So while the above way is doable, it's an approach I do not recommend.
What else could be done? I'm sure other people on this list have some nice
suggestions as well, but from the top of my head I could imagine the
following approaches:
Put an ipchains rule in place which will allow only TCP connections to your
Webmin port. Obscure the port by not using 10000 but use another port
instead. Configure Webmin to react only to queries from a specific IP-address
or IP-address ranges as well. This combination of efforts lowers the threat
somewhat, but not totally.
Another option, derived from the earlier discussion: Use the above methods,
but as addition launch a small shell script from /etc/rc.d/rc.local which
issues a shutdown of Webmin a few minutes after the server rebooted. That way
you have Webmin accessible for a few minutes after each server reboot.
With some additional scripting logic you could issue the shutdown of Webmin
at once if "netstat -anp|grep LISTEN" reports that port 22 is there and SSH
is running. Or prevent Webmin from running if SSH is working. Whatever fits
your purposes best.
The perhaps smartest way (and the one which requires the most efforts) is
this: Make Webmin totally inaccessible to the outside world with IPChains and
let it run only locally on the IP 127.0.0.1, port 10000. Then use stunnel
(see: www.stunnel.org) to establish a secure (forwarding) connection from a
local Linux machine in your office to 127.0.0.1:10000 on your server. This
requires some tinkering, but sounds like a nice and rather secure alternative.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer