
Re: ip restriction: msg#00310

web.webmin.general

Subject: Re: ip restriction

I'm not a security expert either, but I would suggest using both certificate and IP restrictions, if using certificates is feasible*. Realize that IP restrictions can prevent another set of attacks--those attacks on the security of Webmin itself that we might not yet know about. The code path between "Connect->IP Check" is shorter than the path "Connect->Check login credentials", and thus less likely to have exploitable bugs. While exploits to Webmin are rare (only one in the past year or more) they are possible, and thinking of ways to prevent them at both the firewall level and within Webmin is a good practice. Security has to come first...then we work out how to do our jobs conveniently within that security policy.

And every little bit helps...

Certificates are not feasible if you must be able to administer the box from multiple sites, particularly if some of those sites are untrusted. I log into my server while travelling, sometimes from other people's machines that I administer. If I don't allow logins without certificates, I can't do that.

Panel Vincent wrote:
> Just a little note about this:
>
> It is highly recommended not to use dynamic IP addresses for any host
> related to administration. It is too trivial to 1) attack DNS servers
> when host authentication is based on hostnames and 2) use a valid IP
> address when host authentication is based on ranges of such addresses.
>
> Webmin offers the possibility to authenticate users via certificate:
> use this instead (of course you can combine ip restriction and user
> authentication). I'm certainly not a security expert but I think
> these are the basics.
>
> Vincent Panel.
>
> -----Original Message-----
> From: Jamie Cameron [mailto:jcameron@xxxxxxxxxx]
> Sent: Tue 6/18/2002 1:38 AM
> To: webadmin-list@xxxxxxxxxxxxxxxxxxxxx
> Cc:
> Subject: Re: ip restriction
>
> Ian Forsyth wrote:
>
>
>> Hi,
>>
>> concerning restricting ip access.. what is the accepted format for
>> wild card.. for instance 155.144.%..
>>
>> I want to let only six ips through to administer the server..
>> though three of those ips are dynamic.. is this currently
>> supported? what are the possible formats?
>
>
>
> You can enter networks like 154.144.0.0/255.255.0.0 for an entire
> class B network, or single IP addresses, or wildcard hostnames like
> *.foo.com. In your case, dynamic IPs could pose a problem unless you
> have hostnames associated with them. In that case, you could just
> enter the hostname into the 'IP Access Control', and make sure the
> 'Resolve hostnames on every request' is selected.
>
> - Jamie

--
Joe Cooper <joe@xxxxxxxxxxxxx>
Web caching appliances and support.
http://www.swelltech.com
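
An added illustration, not part of the original thread and not Webmin's own code: a small Python sketch of how an allowlist holding the three entry formats mentioned above (network/netmask, single IP, wildcard hostname) can be evaluated, and why hostname entries make DNS part of the trust decision. The function names, the injected resolver callbacks, the sample records and the forward-confirmation step for wildcard matches are all assumptions made for this example.

```python
import fnmatch
import ipaddress

def parse_entry(entry):
    """Classify an allowlist entry as an IP network or a hostname pattern."""
    try:
        # Handles single IPs and network/netmask pairs alike.
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host", entry.lower().rstrip(".")

def is_allowed(client_ip, entries, forward, reverse):
    """forward(name) -> set of IP strings; reverse(ip) -> hostname or None."""
    addr = ipaddress.ip_address(client_ip)
    for kind, value in map(parse_entry, entries):
        if kind == "net":
            if addr in value:
                return True
        elif "*" in value:
            # Wildcard: match the client's PTR name, then confirm the name
            # resolves back to the same IP so a forged PTR alone is not enough.
            name = reverse(client_ip)
            if name and fnmatch.fnmatchcase(name.lower(), value) \
                    and client_ip in forward(name):
                return True
        elif client_ip in forward(value):
            # Plain hostname: resolved on every call, so a dynamic IP is
            # followed, and the decision is only as trustworthy as DNS.
            return True
    return False

# Constructed sample data (mostly documentation addresses, made-up names).
ALLOW = ["154.144.0.0/255.255.0.0", "192.0.2.10", "*.foo.com", "admin.dyn.example"]
A_RECORDS = {"gw.foo.com": {"198.51.100.7"}, "admin.dyn.example": {"203.0.113.5"}}
PTR_RECORDS = {"198.51.100.7": "gw.foo.com", "198.51.100.99": "spoofed.foo.com"}

def forward(name):
    return A_RECORDS.get(name.lower(), set())

def reverse(ip):
    return PTR_RECORDS.get(ip)

def demo():
    ips = ["154.144.3.4", "198.51.100.7", "198.51.100.99", "203.0.113.5", "203.0.113.6"]
    return {ip: is_allowed(ip, ALLOW, forward, reverse) for ip in ips}

if __name__ == "__main__":
    for ip, ok in demo().items():
        print(f"{ip:15} {'allow' if ok else 'deny'}")
```

The address 198.51.100.99 has a PTR record inside the wildcard but no matching forward record, so it is denied; changing the A record for `admin.dyn.example` changes who is admitted without touching the allowlist.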


