leeand00's picture

On my local machine I'm using SSH Local Forwarding to connect to administration applications on my server that are bound only to the local loopback address; they are not bound to any other addresses.  I am also using an SSH Public Key file of 4096 bits.  This way the only port I have to expose inside my network is the port I'm running SSH on. 

This would all work out fine, except that I appear to be unable to do the same with my Webmin interface.  I looked into the configuration for webmin, and externally it appears to run on port 12321 accessible via https; closer inspection of the configurations in /etc reveals that it is run over a stunnel ssl tunnel, and that it is actually running on port 10000 on the local loopback, using the mini-server config. 

However, if I set up an SSH Local Forwarding tunnel on my machine to access webmin on port 10000 and try to log in, I have two issues:

  1. I have to access it over plain HTTP
     (Though this is encrypted with the tunnel...so it probably doesn't matter...it needn't be doubly encrypted)

  2. When I try to log in, I get an error that my browser does not support cookies.
     (My guess is that since I'm using 127.0.0.1:XXXX to access it using SSH Local Forwarding, there is an issue because the expected domain is not supplied to the cookies)

I'm not sure if webmin is running from Apache or not, but it doesn't look like it is.

Is there any way to change webmin's configuration so that it is possible to hide webmin behind SSH; only binding it to the 127.0.0.1 address?

Thank you,

    leeand00

leeand00's picture

I tried turning off Cookies authentication, but this did not fix the issue; it still tries to run over HTTPS, otherwise I think it would work.

leeand00's picture

Alright, so if I turn off Cookies Authentication, and then go to:

  1. From the menu click "Webmin->Webmin Configuration"
  2. Click "Web Server Options"
  3. Click "URL format for redirects" and click the "Path only" radio button...and click "Save"

When webmin comes back up, it appears to work correctly using my SSH Local Forwarding to hit the local port.

I also checked the webmin configuration for "Ports and Addresses" and it's set to bind only to 127.0.0.1.

The only thing that has me spooked is "Listen for broadcasts on UDP Port"; what does that listen for?

Jeremy Davis's picture

Although I think that it's related to when you have multiple machines all running Webmin and want to cluster them (so they can be controlled en masse by Webmin). IMO so long as it is bound to localhost it should not cause any issues. If you're concerned about it though, why not turn it off? Also if you're connecting via an SSH tunnel then you might as well remove the stunnel config for webmin as you won't need it. Also Webshell doesn't make much sense if you're SSHing in first anyway... Might as well remove/disable it (and again tweak stunnel too - perhaps you don't need stunnel running then either?)
leeand00's picture

In the stunnel configuration, you can bind it to the local address:

; Note: I bound Stunnel to just 127.0.0.1 so that
; webmin can only be accessed via Local Forwarding
; in an SSH Client using our private key.
;
[webmin]
accept = 127.0.0.1:XXXXX
connect = 127.0.0.1:10000

My reasoning for this has to do with the setting in "Authentication": "Enable Session Authentication"; in all of the other programs I was looking at they had "session authentication" to provide protection against CSRF attacks. While I still don't have any verification that webmin 1.76 has this protection (post 1) (post 2) (post 3 is on their mailing list), it sounds a lot like it does from the name of the setting; and if I want to run it with Session Authentication Enabled, I must run it through stunnel, because if I don't, with the setting turned on I end up with an error about my browser not supporting cookies after I login:
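As an added example (it is not part of the thread and not Webmin's or stunnel's own tooling), here is a small POSIX shell check for the setup leeand00 describes: it flags any stunnel `accept =` line that is not bound to a loopback address, and any listening socket on the host that is not on 127.0.0.1 or ::1, which is how you would confirm that only sshd is reachable and surface the UDP broadcast listener asked about above. The stunnel fragment and the socket listing are constructed sample data (the socket listing follows the column layout of `ss -ltun`); the `[webshell]` section, its ports, and the "allowed" list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the forum thread. Each function takes its input as
# an argument so it can be fed either live data or the constructed samples.

# Constructed stunnel.conf fragment (assumed values). [webmin] is bound to
# loopback; [webshell] gives only a port, which stunnel treats as "listen on
# every interface", so it would be reachable from the network.
SAMPLE_STUNNEL_CONF='; constructed sample, not a real configuration
[webmin]
accept = 127.0.0.1:12321
connect = 127.0.0.1:10000

[webshell]
accept = 12320
connect = 127.0.0.1:12319
'

# Print "<section> <accept address>" for every accept= line that is not bound
# to a loopback address (127.0.0.1, localhost or [::1]).
stunnel_exposed_accepts() {
    printf '%s\n' "$1" | awk '
        /^\[/ { section = substr($0, 2, length($0) - 2); next }
        /^accept[ \t]*=/ {
            sub(/^accept[ \t]*=[ \t]*/, "")
            addr = $0
            if (index(addr, "127.0.0.1:") == 1) next
            if (index(addr, "localhost:") == 1) next
            if (index(addr, "[::1]:") == 1) next
            print section " " addr
        }'
}

# Constructed socket listing in the column layout of "ss -ltun":
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
# Only sshd on tcp/22 is meant to be reachable; the UDP listener on
# 0.0.0.0:10000 stands in for Webmin's "Listen for broadcasts on UDP Port".
SAMPLE_SOCKETS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:12321    0.0.0.0:*
tcp   LISTEN 0      128    [::1]:12321        [::]:*
'

# Print "<netid> <local address:port>" for every socket whose local address is
# not loopback. 0.0.0.0, * and [::] all mean "every interface".
non_loopback_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }          # skip the header row
        NF < 5  { next }          # skip blank lines
        {
            addr = $5
            if (index(addr, "127.") == 1) next
            if (index(addr, "[::1]:") == 1) next
            print $1 " " addr
        }'
}

# Combine both checks. $1 is a space-separated allow list of "netid addr:port"
# entries that are supposed to be reachable; every other finding is printed.
audit_findings() {
    allowed="$1"
    stunnel_exposed_accepts "$2" | sed 's/^/stunnel: /'
    non_loopback_listeners "$3" | awk -v allowed=" $allowed " '
        index(allowed, " " $0 " ") == 0 { print "socket: " $0 }'
}

# Run against the constructed samples, allowing only sshd on tcp/22.
audit_findings "tcp 0.0.0.0:22" "$SAMPLE_STUNNEL_CONF" "$SAMPLE_SOCKETS"
```

On a real host you would feed `audit_findings` the contents of your stunnel configuration and the output of `ss -ltun` (or `netstat -ltun` on older systems); any line it prints is a service that is reachable without first going through the SSH tunnel.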


Jeremy Davis's picture

I was suggesting disabling it as it is not really relevant if Webmin is only available via localhost anyway...

As for CSRF; I don't know how much effort they've put into it or how well it works in the real world but IIRC it does provide some protection by default. I rarely use Webmin myself but I recall that if a Webmin page (other than the login page) is accessed from a non-Webmin page (i.e. not referred by a previous webmin page) then it will throw an error.
