3.2. Webmin Configuration

3.2.1. IP Access Control

Webmin has its own web server, called miniserv.pl, which provides a simple IP access control feature. This page allows you to configure this option. You may enter IP networks (such as 192.168.1.0), IP host addresses (such as 192.168.1.79), and hostnames (such as joesbox.penguinfeet.org). It's wise to limit access to the Webmin server to just those addresses that are trusted. While Webmin has no known exploits, if someone were to obtain your password, this would provide some level of protection from unauthorized access.

3.2.2. Port and Address

The Webmin server will, by default, listen on every active IP address on the system. But if you have multiple addresses and would prefer Webmin to only listen on one of them, you may use this option. So, for example, if you have a local network and a remote network, you could improve security by causing Webmin to only listen on the local network. Then any requests from the internet at large would be ignored, but you could still log on from local computers.

3.2.3. Logging

As mentioned earlier, Webmin provides very flexible logging features. With these features, you can very easily monitor what actions those users with adminstrator privileges are performing on the server. It is also possible to log actions based on the module where the actions are performed. The option Log resolved hostnames will cause Webmin to provide a hostname rather than just an IP address for the client computer that performed an action. And Clear logfiles every...hours causes Webmin to rotate its own logs and keep them from overfilling the disk with old logs.

3.2.4. Proxy Servers

Webmin provides several tools that must connect to the internet to operate correctly. These include the Webmin Update feature, the Software Packages module, and more. If your local network uses a proxy to access Web or FTP sites on the internet, you may configure those settings here.

3.2.5. User Interface

The Webmin user interface is configurable in a number of ways. In this module you may configure the colors of your Webmin pages. The colors are expected to be in standard hex triplets, as used in HTML markup on the internet. You may also choose to use the standard fonts of your browser to display page titles, rather than the font provided by the theme you are using. Finally, you may configure where on the page Webmin will display the login name and hostname of the server.

3.2.6. Webmin Modules

As we've mentioned, one of the best things about Webmin is that it is completely modular. Every server daemon, every system feature, every Webmin feature, has its own module that connects to the core Webmin libraries and answers to the Webmin miniserv.pl webserver. Because of the elaborate, but still easily comprehensible, modular framework that Webmin provides, it is very easy to write full featured modules that integrate seemlessly into Webmin and your operating system.

3.2.6.1. Install Module

From this page, you can install new modules, either from a local file, an uploaded file, or a file downloaded from an ftp or http site. Webmin module packages are simply tar files, that contain the complete directory structure of the module. These modules end in the suffix .wbm.

A great resource for Webmin modules is the Third Party Modules for Webmin page, run by Richard Teachout. Richard is a long time fan and supporter of Webmin, and a regular contributor to the Webmin dicussion lists. After spending some time on the list, he perceived a need for a comprehensive resource for modules that work with Webmin. At the time of this writing, there are over 100 modules listed at his site, though it should be mentioned that the site also lists the modules included in the standard distribution. If you've written a Webmin module, you should post it to this site, so others will be able to easily find and benefit from your efforts. It's also a great place to find example code for starting you on writing your own modules (in addition to the standard modules, of course!).

3.2.6.2. Clone Module

The Clone Module feature provides a stunning amount of power and flexibility for administrators who must provide limited administration access to several people on the same machine. If, for example, you have two different Apache configurations running on your system, you could clone the Apache module to allow different users to access the different Apache configurations.

While this feature does allow interesting and powerful options for multiple users configuring similar services, Webmin should not yet be viewed as an ideal tool for administering a virtual hosting server, where many users configure the Apache virtual servers, Sendmail aliases, and DNS entries. There is a commercial module written by Tim Niemueller, which provides many of these features, and there are also other non-Webmin web-based administration tools that provide this functionality. Also, I have begun public development of a free module to perform these functions. The project is called mojo and is now hosted on SourceForge, at http://mojo.sourceforge.net.

3.2.7. Operating System

Here you select the operating system that Webmin treats your system as. If your system has Webmin pre-installed, you usually will not need to concern yourself with this. But if you upgrade your system, and the new version moves some configuration files to new locations, updating this may be necessary. On this page you may also set the search path for both programs (like system commands), and for libraries (such as for the password encryption library). Again, these options rarely need to be changed unless you have installed system tools and configuration files in odd locations on your system.

3.2.8. Language

Webmin supports a large number of languages for titles and module text. This page allows you to choose the language of your Webmin. New languages are being added regularly. Users of languages that are not supported, are encouraged to write a translation and send it to the author of Webmin. He's always happy to receive new translations, and users are always happy to find that their native language is one that is provided with the distribution.

3.2.9. Index Page Options

This page allows you to configure the layout of the Webmin index pages. You may choose the number of icons to display per row using the Number of Columns field. The Categorize modules? selects whether modules will be grouped under category tabs based on the type of function they perform. The Default category is the category that will be displayed when first logging into Webmin. An alternative header can be used by selecting the Use alternative header option, which provides a somewhat different appearence by placing the host information on the upper right side of the display rather than below the Webmin title. Finally, selecting Go direct to module if user only has one? will cause a user to see only the module they have access to, rather than the Webmin index page when logging in.

3.2.10. Upgrade Webmin

Using this page, you may upgrade your Webmin to the latest version automatically from the Webmin home page, or from a local or uploaded file. This module will use a package management system to perform the update if one is available on your system. If, for example, you have an RPM based system like Caldera, Red Hat, or Mandrake, this feature will upgrade from an RPM package (it even knows how to find the correct package type for your system on the Webmin homepage!).

3.2.11. Authentication

Webmin provides some nice features for preventing brute force password cracking attacks on your server, as well as protection against "forgetful users". If your Webmin server is widely accessible, and provides service to many users, it is probably wise to make use of these features to maximise the security of your system. Security policy in your company may even require usage of some or all of these features.

Password timeouts provide a means to prevent brute force password attacks by limiting the frequency of login attempts by a given user. If enabled, Webmin will block hosts that have a given number of failed login attempts. The time to block the host is configurable in seconds. Webmin will expand the delay on continuing failed login attempts from the same host. Logging of blocked logins can also be enabled.

Session authentication provides a means of logging users out after a specified time of inactivity. This can help prevent unauthorized users from accessing the server by simply using the computer of someone who does have access. This isn't fullproof, as many browsers now have password management features and authorized users may store their passwords on the local computer, making them accessible to anyone with access to the computer. If security is a concern, you should strongly discourage users from saving login information for the server on their local machine, as well as discouraging leaving open browser sessions when away from their desk or office.

Finally, you may choose to allow logins from users on the same machine where Webmin is running based on the username. This feature should only be used for single user machines, where security is not a major concern. If enabled, anyone with access to the local machine will easily be able to gain root access to your system.

As any complete system administration tool must, the Webmin web server runs with root privileges. Security should always be a first priority for any publically accessible Webmin-enabled system. A weak security policy is an invitation for disaster.

3.2.12. Reassign Modules

As mentioned earlier, Webmin categorizes modules based on the function they perform, by default. This page provides a simple means for moving modules to new categories, if you find the default categorization is confusing to you. Some third party modules, written before the categorization features were added to Webmin, are miscategorized into the Others category by default, so you may wish to manually move them to their more sensible locations using this module.

3.2.13. Edit Categories

It may also be most sensible to create a new category for your favorite modules, or custom modules written just for your organization. This page allows you to create new module categories, as well as rename or relabel old ones.

3.2.14. Webmin Themes

One of the more recent additions to the Webmin feature set is that of themability. Themes in Webmin are very flexible, allowing a theme developer to modify nearly every single aspect of the appearence and layout of the Webmin pages. For example, in the screenshots throughout this guide, you may have noticed that the icons and titles are not the same as the standard Webmin appearence. These screenshots were taken on a Webmin using the Swell Technology theme, which is a custom theme designed by the author of this book with some help and pointers from Youngjin Hahn (aka Artwiz of Themes.org fame), and Charity Baessell (the webmistress and designer here at Swell Technology and at the Swell Press).

For information on making your own themes for Webmin, you can consult the Creating Themes section of the Webmin module developers guide.

Switching amongst installed themes is simply a matter of selecting the preferred theme, and then clicking the Change button. Installing a new theme requires you to choose the location of the file (Webmin themes have a suffix of .wbt), and then clicking Install Theme. Changing themes will require a forced refresh of your browser display in order for all new icons and title images to be displayed because browsers often cache images and pages.

3.2.15. Trusted Referers

Because Webmin is web based, it is accessed from your browser. Browsers often store authentication information and will automatically resend it on demand from the Webmin server. Because of this, it could be possible for remote web sites to trigger dangerous actions on your Webmin server (assuming the web site owner has malicious intentions--it would not happen accidentally!). This page allows you to configure which hosts may refer to actions on your Webmin server.

3.2.16. SSL Encryption

If your system has the OpenSSL libraries installed, as well as the Net::SSLeay Perl module, you will be able to use SSL encrypted connections to your Webmin server. This increases the security of your server by allowing password and user information to be sent in an encrypted form. If you will be accessing your Webmin server from across the internet, it is strongly suggested that you use SSL encrypted sessions. Now that both the export restrictions on encryption have been relaxed and the RSA patent has expired, it is becoming more common for Linux and Unix versions to always ship with the necessary libraries and Perl module for this to be enabled out of the box. But if you do need some help setting this option up, there is a nice tutorial on the Using SSL With Webmin page.

3.2.17. Certificate Authority

This page allows you to configure the SSL certificate for this server. Using this, you may configure your system to allow logins without a username and password. If configured, clients may request a personal certificate in the Webmin Users module, and from then on the browser will authenticate itself via the certificate provided. If your users are located in controlled and secured environments, this feature can make using Webmin simpler.

To create a certificate, simply fill in the authority information (this can be any information you'd like to include, such as the name of the administrator of the Webmin server), and click Setup certificate authority.

If using this authentication method, users should be made aware of the potential security issues involved. Anyone who has access to a machine with such a certificate will be able to access the Webmin server with the same privileges as the primary user of the machine. Thus, a security policy should be in place that includes automatic logout from the system after a period of inactivity. Using the logout facilities of Webmin will no longer work, as authentication is automatic every time the user starts a browser session.