Subject: Re: Administer Web Servers - msg#00258

Previous Message by Date: click to view message preview

Re: Administer Web Servers

Heheh...Here I was thinking, "Man that Stu sure is clever!" And then Les comes along and ruins all the fun. ;-) Seriously, it /is/ a clever hack, but I agree with Les that it is probably easier to tech your co-workers how to press the 's' key than to teach Webmin to work through an stunnel (but then, I don't know your co-workers, maybe they think "emacs" is a cheese product and can't spell "vi"). I had this problem a year or so ago, before the Lynx package that ships with Red Hat had SSL support, but since then I can think of no reason not to universally insist on SSL connections to Webmin... Les Bell wrote: Stewart Thompson <stewart.thompson@xxxxxxx> wrote: I thought I explained that in the post. The local guys need it to be as simple as possible. I only need encryption when I am coming in on the internet. I can handle the extra steps no problem. The problem with using the built in SSL, is now that is the only choice for connecting. << Wow! If I had to jump through convoluted hoops and create SSL tunnels to connect to Webmin, just because the on-site administrators can't handle typing "https:" rather than "http:" . . . well, let's just say I'd be investigating other opportunities. Preferably ones where the oncoming mountain isn't filling the windshield . . . Good luck! Sincerely, --- Les [http://www.lesbell.com.au] -- Joe Cooper <joe@xxxxxxxxxxxxx> Web caching appliances and support. http://www.swelltech.com _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm - Forwarded by the Webmin mailing list at webadmin-list@xxxxxxxxxxxxxxxxxxxxx To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list

Next Message by Date: click to view message preview

Re: Administer Web Servers

I have few thoughts on the port issue, but now that you've brought it up, maybe I'll start having some. Seriously though, I have a few reasons why it isn't at the top of my priorities: Webmin always runs on my machines. A user can't hijack port 10000 if something already lives there. Of course, if the user could crash Webmin (probably not impossible) then he could put something on that port to grab the passwords. This is a legitimate concern. But...I don't maintain many boxes with user accounts...Our web caches are meant to be 'login to administer it, don't add any normal users'. And the new webserver I just setup for the company has a user for me, my partner, and Jamie. I don't think I have to worry about Jamie hacking my box, and I can throw something at my co-worker if she breaks anything. Then again...a user acount is usually easier to get ahold of illicitly than root...hmmm... Caldera agrees with you, and put it on port 1000 when they were shipping Webmin. I don't know if they now ship Webmin alongside 'Volution' and whatever other proprietary stuff they use, or not, but that's the way it used to be. Anyway, I have plans to eventually build other kinds of servers, some of which will have users. At that point, I reckon I will move over to port 1000, or use capabilities of some sort to prevent users from getting at port 10000 even if they do manage to bring down Webmin. So, after having all of those thoughts, I think I agree with you Les. Webmin ought to sit on port 1000, or the system should have port 10000 made unavailable to normal users. Les Bell wrote: Joe Cooper <joe@xxxxxxxxxxxxx> wrote: maybe they think "emacs" is a cheese product << Nah, everyone knows it's a floor wax. On a serious note, any thoughts on the port 1000 vs port 10000 issue? Best, --- Les [http://www.lesbell.com.au] -- Joe Cooper <joe@xxxxxxxxxxxxx> Web caching appliances and support. http://www.swelltech.com _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm - Forwarded by the Webmin mailing list at webadmin-list@xxxxxxxxxxxxxxxxxxxxx To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list

Previous Message by Thread: click to view message preview

Re: Administer Web Servers

Heheh...Here I was thinking, "Man that Stu sure is clever!" And then Les comes along and ruins all the fun. ;-) Seriously, it /is/ a clever hack, but I agree with Les that it is probably easier to tech your co-workers how to press the 's' key than to teach Webmin to work through an stunnel (but then, I don't know your co-workers, maybe they think "emacs" is a cheese product and can't spell "vi"). I had this problem a year or so ago, before the Lynx package that ships with Red Hat had SSL support, but since then I can think of no reason not to universally insist on SSL connections to Webmin... Les Bell wrote: Stewart Thompson <stewart.thompson@xxxxxxx> wrote: I thought I explained that in the post. The local guys need it to be as simple as possible. I only need encryption when I am coming in on the internet. I can handle the extra steps no problem. The problem with using the built in SSL, is now that is the only choice for connecting. << Wow! If I had to jump through convoluted hoops and create SSL tunnels to connect to Webmin, just because the on-site administrators can't handle typing "https:" rather than "http:" . . . well, let's just say I'd be investigating other opportunities. Preferably ones where the oncoming mountain isn't filling the windshield . . . Good luck! Sincerely, --- Les [http://www.lesbell.com.au] -- Joe Cooper <joe@xxxxxxxxxxxxx> Web caching appliances and support. http://www.swelltech.com _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm - Forwarded by the Webmin mailing list at webadmin-list@xxxxxxxxxxxxxxxxxxxxx To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list

Next Message by Thread: click to view message preview

Re: Administer Web Servers

I have few thoughts on the port issue, but now that you've brought it up, maybe I'll start having some. Seriously though, I have a few reasons why it isn't at the top of my priorities: Webmin always runs on my machines. A user can't hijack port 10000 if something already lives there. Of course, if the user could crash Webmin (probably not impossible) then he could put something on that port to grab the passwords. This is a legitimate concern. But...I don't maintain many boxes with user accounts...Our web caches are meant to be 'login to administer it, don't add any normal users'. And the new webserver I just setup for the company has a user for me, my partner, and Jamie. I don't think I have to worry about Jamie hacking my box, and I can throw something at my co-worker if she breaks anything. Then again...a user acount is usually easier to get ahold of illicitly than root...hmmm... Caldera agrees with you, and put it on port 1000 when they were shipping Webmin. I don't know if they now ship Webmin alongside 'Volution' and whatever other proprietary stuff they use, or not, but that's the way it used to be. Anyway, I have plans to eventually build other kinds of servers, some of which will have users. At that point, I reckon I will move over to port 1000, or use capabilities of some sort to prevent users from getting at port 10000 even if they do manage to bring down Webmin. So, after having all of those thoughts, I think I agree with you Les. Webmin ought to sit on port 1000, or the system should have port 10000 made unavailable to normal users. Les Bell wrote: Joe Cooper <joe@xxxxxxxxxxxxx> wrote: maybe they think "emacs" is a cheese product << Nah, everyone knows it's a floor wax. On a serious note, any thoughts on the port 1000 vs port 10000 issue? Best, --- Les [http://www.lesbell.com.au] -- Joe Cooper <joe@xxxxxxxxxxxxx> Web caching appliances and support. http://www.swelltech.com _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm - Forwarded by the Webmin mailing list at webadmin-list@xxxxxxxxxxxxxxxxxxxxx To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list