This is a discussion on Re: Webmin running under HTTPS within the Linux Operating System forums, part of the Unix Operating Systems category.

John Zoetebier wrote:
> Somehow Webmin 1.090 refuses to run under HTTP.
> It wants to run under HTTPS only.
> This is a lot slower than HTTP. I guess up to 5 times slower.
> Is there a way I can force it back to run under HTTP ?

Yes, under the Webmin configuration. But since you are sending root passwords over your local network, I strongly, strongly urge you to switch the default port to 1000 instead of 10000, and to use HTTPS if you're in a remotely public environment. That, or restrict it to access only from localhost and run your web browsers only on the server with webmin on them.

If you wouldn't trust rsh and bare telnet to handle your local root password, you shouldn't trust webmin to handle your local root passwords, either.

In article <O5gLa.27112$Kg7.11722@nwrdny01.gnilink.net>, Nico Kadel-Garcia wrote:
> Yes, under the Webmin configuration. But since you are sending root
> passwords over your local network, I strongly, strongly urge you to
> switch the default port to 1000 instead of 10000, and to use HTTPS if

I always run Webmin and Usermin using https, but why the port change? I'm interested because I have the Usermin port (but not Webmin) open to the world.

--
Juha Siltala

Juha Kustaa Siltala wrote:
> In article <O5gLa.27112$Kg7.11722@nwrdny01.gnilink.net>, Nico Kadel-Garcia
> wrote:
>
>> Yes, under the Webmin configuration. But since you are sending root
>> passwords over your local network, I strongly, strongly urge you to
>> switch the default port to 1000 instead of 10000, and to use HTTPS if
>
> I always run Webmin and Usermin using https, but why the port change? I'm
> interested because I have the Usermin port (but not Webmin) open to the
> world.

Users can typically open ports above 1024 themselves without special privileges, and many firewalls don't block ports above 1024. (It takes a stateful firewall to really block those properly, and those aren't that common yet!) So keeping it at 1000 restricts the startup of webmin to the root user, and makes the casual setup of password sniffing fake webmin sites much less likely. It also helps keep casual scans from detecting the presence of your webmin server if you are exposed to the outside world, deliberately or by accident.

I suspect the webmin authors used 10000 because it could, in fact, be set up to allow access past most casual firewall installations, but I'd have to ask them to be sure. Also, the ports less than 1024 are getting a bit crowded with registered services....
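The three settings recommended in this thread (HTTPS on, a port below 1024, access limited to localhost) can be checked against Webmin's `miniserv.conf`, usually `/etc/webmin/miniserv.conf`. The following is an added example, not part of the original posts or of Webmin itself; the sample config is constructed, and treating a missing `ssl` key as HTTP is an assumption.

```python
# Added example: audit a Webmin miniserv.conf against the thread's advice.
import ipaddress

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
port=10000
ssl=0
bind=
allow=127.0.0.1 192.168.1.0/24
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_loopback(entry):
    """True if an address or network entry lies entirely in loopback space."""
    if entry.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False  # other hostnames and wildcards count as non-local

def audit(conf):
    """Return one finding per recommendation the config does not meet."""
    findings = []
    # Assumption: a missing ssl key is treated the same as ssl=0.
    if conf.get("ssl", "0") != "1":
        findings.append("ssl: logins travel over plain HTTP")
    port = int(conf.get("port", "10000"))  # 10000 is the default named in the thread
    if port >= 1024:
        findings.append(f"port {port}: not a privileged port, non-root users can bind it")
    allow = conf.get("allow", "").split()
    bind = conf.get("bind", "")
    local_only = (bind and is_loopback(bind)) or (allow and all(map(is_loopback, allow)))
    if not local_only:
        findings.append("access: not restricted to localhost")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("FINDING", finding)
```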

In article <h7iLa.2177$oF.1867@nwrdny03.gnilink.net>, Nico Kadel-Garcia wrote:
> Juha Kustaa Siltala wrote:
>> I always run Webmin and Usermin using https, but why the port change? I'm
>> interested because I have the Usermin port (but not Webmin) open to the
>> world.
>
> Users can typically open ports above 1024 themselves without special
> privileges, and many firewalls don't block ports above 1024. (It takes a
> stateful firewall to really block those properly, and those aren't that
> common yet!)

You mean iptables doesn't block ports > 1024? I've opened ssh, imaps and Usermin. I did it with Bastille, shutting down everything and opening these ports only. Security Space's scan finds only ssh and imaps so I guess they don't check the upper ports. Their nmap service didn't find anything either. I'm not worried about local users (two: me and the Lady).

I guess I could change the ports anyway, it's not that much trouble after all.

--
Juha Siltala

Juha Kustaa Siltala wrote:
> In article <h7iLa.2177$oF.1867@nwrdny03.gnilink.net>, Nico Kadel-Garcia wrote:
>
>> Juha Kustaa Siltala wrote:
>>
>>> I always run Webmin and Usermin using https, but why the port change? I'm
>>> interested because I have the Usermin port (but not Webmin) open to the
>>> world.
>>
>> Users can typically open ports above 1024 themselves without special
>> privileges, and many firewalls don't block ports above 1024. (It takes a
>> stateful firewall to really block those properly, and those aren't that
>> common yet!)
>
> You mean iptables doesn't block ports > 1024? I've opened ssh, imaps and
> Usermin. I did it with Bastille, shutting down everything and opening
> these ports only.

Good job. Not everyone does their firewalls on the Linux box itself: setting up NFS and NIS for iptables, for example, is a bit of an adventure. Many facilities use the hard crunchy outer shell, soft chewy underbelly approach of not running any filter software on their local boxes and running an external firewall. We won't analyze what I think of this in production use, but it does ease configuration and lighten the CPU load....

> Security Space's scan finds only ssh and imaps so I guess they
> don't check the upper ports. Their nmap service didn't find anything
> either. I'm not worried about local users (two: me and the Lady).
>
> I guess I could change the ports anyway, it's not that much trouble after
> all.

Scanners only scan what they know about, scanning every port known would take much, much longer. (Say 1-1024 vs. 1-65536).

On Sat, 28 Jun 2003 12:45:34 GMT, Nico Kadel-Garcia <nkadel@verizon.net> wrote:
> John Zoetebier wrote:
>
>> Somehow Webmin 1.090 refuses to run under HTTP.
>> It wants to run under HTTPS only.
>> This is a lot slower than HTTP. I guess up to 5 times slower.
>> Is there a way I can force it back to run under HTTP ?
>
> Yes, under the Webmin configuration. But since you are sending root
> passwords over your local network, I strongly, strongly urge you to
> switch the default port to 1000 instead of 10000, and to use HTTPS if
> you're in a remotely public environment. That, or restrict it to access
> only from localhost and run your web browsers only on the server with
> webmin on them.

I do not use Webmin via the Internet.
Nico, why port 1000 ?

--
John Zoetebier
Web site: http://www.transparent.co.nz