Woes of Webmin
My name is Andrew Williams, and I used to be a Webmin user.
During the last year or so, I’ve used Webmin and Virtualmin to manage my VPS hosting. For those who don’t know, Webmin is a web-based server management console built on Perl; it allows each service to be managed by the use of modules, which you can install/uninstall to create a customised interface for your machine. With the addition of Virtualmin, the Webmin interface becomes a virtual hosting console much the same as Plesk or cPanel.
Webmin has a murky past: several high-profile exploits existed for the system, and for the last 10 years or so it has been advised not to install it unless you really need to. Giving world access to Webmin was generally regarded as stupid and silly. While Webmin is now up to date with its security, it still leaves a bitter taste in the mouth of the administrator world, and people who use it are usually noted as “newbies”.
I originally went with Webmin/Virtualmin as I was still hosting the few remaining customers of Blueshift Media. While I have the technical skills to work without it, the customers didn’t. The system gave a simple interface for the users and allowed them to add in basic stuff like new email addresses and aliases. To work around the security issue I only allowed access via SSH and port tunnelling, that way the user would have to be authenticated with the server before accessing the system.
Over the next year or two I started using Webmin to do my daily administration tasks, as working outside of Webmin once it’s installed can open you to a world of pain: Webmin keeps track of some configuration in its internal database, not in the external configuration files. Over time I became comfortable with the system and my technical skills slowly slipped away from me. Why do I need to know the ins and outs of a program if Webmin can do it all for me?
Today, I learnt the hard way. I had an issue with Postfix content filters and I spent 10 minutes faffing in the Webmin console, only for it to be a five-second fix in the main.cf file. In a further similar fault I had to read up on the Postfix virtual file format, as I’d totally forgotten how it’s supposed to be formatted; somehow the file had got munged and I had to reconstruct what I could.
Then it clicked.
Since I installed Webmin I have been wrapped up in cotton wool, not actually touching the underlying system and just using this fluffy interface to do my work. This is all well and good in the desktop world, but in the server world you’re risking security and your knowledge of the underlying system.
So, today, I’ve officially removed Webmin, and I’ll never return to it again. It’s time to actually learn my trade again and start using the distributions as they’re meant to be used.

Good post. I see, and agree with, your point completely. But what do you do for clients if not Webmin or the like? They likely do not want to spend a lot of time with vim and config files. Are you just going to handle every request for a change?
fhsm
21 Apr 09 at 12:50 pm
As I mentioned, it is only a “few” customers. When I moved to Webmin I did have 5-6 customers; now it’s just two. Luckily the ones that remain are so low maintenance that I don’t really have to worry about them. The only issues they’ve had in the last few years is getting their email.
Andrew Williams
21 Apr 09 at 12:53 pm
I *really* hate Webmin, the user interface is horrible and as you said it takes over the entire server. I do want something which allows me to manage hosting though, even if that means not remembering all the fancy configuration details, as it can be a nice extra bit of money on the side. Unfortunately there doesn’t seem to be a half-decent open source solution available at the moment.
pwaring
21 Apr 09 at 5:24 pm
I’d like to point out that Webmin has not had a serious exploit on Linux in over five years, and overall it has a security history roughly on par with OpenSSH and other highly secure services that run as root. Security has never been a major weakness of Webmin despite frequent assertions to the contrary. The security history of Webmin and Usermin is public and easily available on the Webmin.com website (http://webmin.com/security.html). It has an excellent security record for software that runs as root (so it is an extremely ripe target for attackers, just like ssh), has been around for over 11 years (so attackers have had a long time to look for exploits), and is downloaded over 2 million times per year (so there are a lot of installations).
“Webmin keeps track of some configuration in it’s internal database, not in the external configuration files.”
This is simply not true. Webmin goes to great lengths to operate directly on the configuration files, and in the ways your OS chooses. Virtualmin does have a small amount of meta-data, but it is related to the connections between various services, not the actual services themselves. When you change httpd.conf or named.conf, that change will be reflected in Webmin immediately. And, when you make a change outside of Webmin, it will not be removed by Webmin the next time you do something in Webmin. Webmin parses the configuration file every time it makes a change. It respects file order, comments, and does not break directives it does not yet understand.
There are many good reasons for preferring to work from the command line sometimes, but not because Webmin does the things you’ve accused it of, or because it is insecure. I work from the command line very frequently, but I also like to have Webmin handy for when I don’t want to look up the correct syntax or directive name in named.conf or httpd.conf.
And, unlike pwaring’s assertion, Webmin definitely does not take over the whole server. It is the most polite software on the planet in its space. No commercial product comes close to being as respectful of your system. I’d actually like to know what you do hate about it…since it can’t be that it takes over the system, because it simply doesn’t, and it’s very easy to demonstrate that it doesn’t (shutting it down or uninstalling it is entirely harmless to the rest of your services, for example…and when you start it back up after having made a bunch of changes to those services, Webmin will continue to operate just fine).
If you have problems with making Webmin or Virtualmin work the way you want, please feel free to let us know over on the Virtualmin.com forums. We’re always happy to help.
I’ll also humbly point out that Webmin is Open Source software. If you think there are areas where Webmin should work or look better, patches are generally welcome.
Joe
22 Apr 09 at 9:14 am
Actually, I should amend that. There was an arbitrary file access issue three years ago, which I would definitely consider serious. It wasn’t a root-level exploit, by any means, but it could definitely have been used for mischief. Nonetheless, the overall security record of Webmin is excellent.
Joe
22 Apr 09 at 9:22 am
Joe,
Thank you for your input! It’s always nice to hear from the horse’s mouth, so to speak. My post really isn’t about finger pointing; it’s more about skill rot. Webmin has its area which it fulfils very well, but for the more experienced admin it feels like Webmin meddles in your affairs.
I do revoke the part regarding the security issues; three years is a good record and something to note. Unfortunately it seems I’ve also jumped to conclusions and blamed Webmin based on old information.
Anyway, thanks again.
Andrew Williams
23 Apr 09 at 9:09 am
The last time I used Webmin, which was probably 8-12 months ago, I had to set up a new VM to run it under as it wouldn’t play ball with my existing configuration – I certainly couldn’t just install it on my VM which was already running Bind, MySQL, Postfix etc. and have it “just work”.
If Webmin/Virtualmin/Usermin have improved since then I’ll be more than happy to run them, as I need to be able to offer shared hosting with a user interface that ordinary people can use. I genuinely want something which will manage configuration files graphically and allow me to delegate tasks like creating new email accounts.
pwaring
25 Apr 09 at 1:44 pm
Hello
Here I am reconsidering using webmin again in 2010 and looking for a secure way to implement it for a variety of server and config management tasks for apache/virtualhosts, php, mysql, bind, mail.
It’s been almost 7 years since I got one of my web hosting servers hacked and abused (they installed a warez mirror) because I had left Webmin open. Our firewall went down for some 24 hours while we were moving to a new datacenter; that is all it took…
So, Webmin being the most expensive tool of its kind I have ever paid for (a $2.5k bill for bandwidth usage I received), I am reconsidering using it because it was doing the job quite well.
Taking into consideration some previous posts and other material, Webmin could be securely deployed as follows:
- Install from source, validate checksum.
- Configure it not to use the root user.
- Use SSL and reconfigure the listening port.
- Use SSH / port tunneling to securely provide access to Webmin; run Webmin listening only on 127.0.0.1.
- Implement host-based firewall rules blocking access to all and allowing access only to specific IP addresses.
- Implement firewall rules on the northbound firewall specifically blocking access to the Webmin IP/ports. Allow access only from a VPN segment.
- Allow only a restricted group of users to connect to Webmin.
I am looking for opinions or feedback from everyone using it, especially admins out there actually using it to manage over 50 servers.
Cheers!
Fernando.
Fernando
5 Jun 10 at 10:14 pm
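The loopback-plus-SSH-tunnel setup from the original post and the hardening list in Fernando’s comment both come down to a handful of settings in Webmin’s miniserv.conf. The script below is an added example, not code from the post or from the Webmin project; it assumes miniserv.conf uses key=value lines with the keys port, ssl, bind and allow, audits a constructed weak and a constructed hardened config against the list, and prints the ssh forward an admin would use to reach the loopback-only instance. Host names and the admin account are placeholders.

```shell
#!/bin/sh
# Audit a Webmin miniserv.conf against the hardening checklist:
# SSL on, bound to loopback, non-default port, explicit client allow list.
# Assumption: the config is plain key=value lines, one per line.

# Constructed sample: shipped-style defaults (world-reachable, no SSL).
WEAK_CONF='port=10000
ssl=0
root=/usr/share/webmin'

# Constructed sample after hardening.
HARDENED_CONF='port=10443
ssl=1
bind=127.0.0.1
allow=127.0.0.1
root=/usr/share/webmin'

# conf_get CONF KEY -> value of KEY (first match), empty if absent
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_miniserv CONF -> one FAIL line per violated rule; exit 0 only if clean
audit_miniserv() {
    conf="$1"; rc=0
    [ "$(conf_get "$conf" ssl)" = "1" ] \
        || { echo "FAIL ssl: set ssl=1"; rc=1; }
    [ "$(conf_get "$conf" bind)" = "127.0.0.1" ] \
        || { echo "FAIL bind: set bind=127.0.0.1 and reach it over an SSH tunnel"; rc=1; }
    port="$(conf_get "$conf" port)"
    [ -n "$port" ] && [ "$port" != "10000" ] \
        || { echo "FAIL port: move off the default port 10000"; rc=1; }
    [ -n "$(conf_get "$conf" allow)" ] \
        || { echo "FAIL allow: restrict client addresses with allow="; rc=1; }
    return $rc
}

# tunnel_cmd PORT HOST -> ssh command forwarding local PORT to Webmin on the
# server's loopback, so the admin browses https://localhost:PORT instead of
# exposing Webmin to the world.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s admin@%s\n' "$1" "$1" "$2"
}

echo "--- weak config ---";     audit_miniserv "$WEAK_CONF" || true
echo "--- hardened config ---"; audit_miniserv "$HARDENED_CONF" && echo "OK"
tunnel_cmd 10443 vps.example
```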