RE: ip restriction: msg#00313

web.webmin.general

Subject: RE: ip restriction

Hi,

If you want to be able to manage your webmin host from multiple (untrusted)
sites, you should use ssh : restrict IP access on your webmin host to
"localhost" and connect to this host using ssh (with key authentication : keep
your key on a floppy and protect it with a challenge phrase -> in case you
lose it) and port forwarding. This is the most secure way to administer a
machine (IMHO) :
- you have just one open port (22)
- the application behind that port is definitely "security-oriented" (ssh)
- you can access your host from whatever OS supports ssh (Win32, *nix, *BSD,
even IOS...)
- you have shell access on your host (in rare cases where you would like to
do something webmin doesn't handle)
- you can even install VNC and manage your host as if you were behind its screen

______________________
Vincent Panel
Axen (www.axen.be)
mailto:vpanel@xxxxxxx
______________________


-----Original Message-----
From: Joe Cooper [mailto:joe@xxxxxxxxxxxxx]
Sent: Thu 6/20/2002 5:20 AM
To: webadmin-list@xxxxxxxxxxxxxxxxxxxxx
Cc:
Subject: Re: ip restriction

I'm not a security expert either, but I would suggest using both
certificate and IP restrictions, if using certificates is feasible*.
Realize that IP restrictions can prevent another set of attacks--those
attacks on the security of Webmin itself that we might not yet know
about. The code path between "Connect->IP Check" is shorter than the
path "Connect->Check login credentials", and thus less likely to have
exploitable bugs. While exploits to Webmin are rare (only one in the
past year or more) they are possible, and thinking of ways to prevent
them at both the firewall level and within Webmin is a good practice.
Security has to come first...then we work out how to do our jobs
conveniently within that security policy.

And every little bit helps...

Certificates are not feasible if you must be able to administer the box
from multiple sites, particularly if some of those sites are untrusted.
I log into my server while travelling, sometimes from other people's
machines that I administer. If I don't allow logins without
certificates, I can't do that.

Panel Vincent wrote:
> Just a little note about this :
>
> It is highly recommended not to use dynamic IP addresses for any host
> related to administration. It is too trivial to 1) attack DNS servers
> when host authentication is based on hostnames and 2) use a valid IP
> address when host authentication is based on ranges of such addresses.
>
> Webmin offers the possibility to authenticate users via certificate :
> use this instead (of course you can combine ip restriction and user
> authentication). I'm certainly not a security expert but I think
> these are the basics.
>
> Vincent Panel.
>
> -----Original Message-----
> From: Jamie Cameron [mailto:jcameron@xxxxxxxxxx]
> Sent: Tue 6/18/2002 1:38 AM
> To: webadmin-list@xxxxxxxxxxxxxxxxxxxxx
> Cc:
> Subject: Re: ip restriction
>
> Ian Forsyth wrote:
>
>
>> Hi,
>>
>> concerning restricting ip access.. what is the accepted format for
>> wild card.. for instance 155.144.%..
>>
>> I want to let only six ips through to administer the server..
>> though three of those ips are dynamic.. is this currently
>> supported? what are the possible formats?
>
>
>
> You can enter networks like 154.144.0.0/255.255.0.0 for an entire
> class B network, or single IP addresses, or wildcard hostnames like
> *.foo.com. In your case, dynamic IPs could pose a problem unless you
> have hostnames associated with them. In that case, you could just
> enter the hostname into the 'IP Access Control' , and make sure the
> 'Resolve hostnames on every request' is selected.
>
> - Jamie

--
Joe Cooper <joe@xxxxxxxxxxxxx>
Web caching appliances and support.
http://www.swelltech.com
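As an added example (not code from the thread or from Webmin itself), the Python below mirrors the 'IP Access Control' matching Jamie describes: single addresses, networks written as address/netmask such as 154.144.0.0/255.255.0.0, and wildcard hostnames like *.foo.com that can only match when hostnames are resolved on every request. It also shows Vincent's localhost-only list, which a connection arriving through an ssh port forward passes. The REVERSE_DNS table, the resolve() helper and all client addresses are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed reverse-DNS table standing in for the per-request lookup done by
# 'Resolve hostnames on every request' (hypothetical; a real server does PTR lookups).
REVERSE_DNS = {
    "203.0.113.7": "laptop.foo.com",  # a dynamic address with a hostname
    "198.51.100.9": "mail.bar.org",
}

def resolve(client_ip):
    """Stand-in for a reverse lookup; None when no name is known."""
    return REVERSE_DNS.get(client_ip)

def allowed(client_ip, rules, resolve_hostnames=True):
    """Return True if client_ip passes the 'IP Access Control' allow list.

    Each rule is one of the formats described in the thread:
      - a single IP address, e.g. 127.0.0.1
      - a network with netmask, e.g. 154.144.0.0/255.255.0.0
      - a wildcard hostname, e.g. *.foo.com (needs resolve_hostnames=True)
    """
    addr = ipaddress.ip_address(client_ip)
    host = None
    for rule in rules:
        try:
            # ip_network accepts a bare address (/32) as well as address/netmask
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            net = None  # not an address or network: treat as a hostname pattern
        if net is not None:
            if addr in net:
                return True
            continue
        if not resolve_hostnames:
            continue  # hostname rules are inert unless names are resolved
        if host is None:
            host = resolve(client_ip)
        if host and fnmatch.fnmatchcase(host.lower(), rule.lower()):
            return True
    return False

if __name__ == "__main__":
    # Vincent's setup: only localhost allowed; an admin coming in over an ssh
    # port forward arrives from 127.0.0.1 and passes, anyone else is refused.
    print(allowed("127.0.0.1", ["127.0.0.1"]), allowed("203.0.113.7", ["127.0.0.1"]))
    # Jamie's dynamic-IP case: class B network plus a wildcard hostname rule.
    print(allowed("203.0.113.7", ["154.144.0.0/255.255.0.0", "*.foo.com"]))
```

Because the hostname branch trusts whatever the reverse lookup returns, it inherits the DNS weakness Vincent points out; the address and network rules do not depend on DNS at all.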


-
Forwarded by the Webmin mailing list at webadmin-list@xxxxxxxxxxxxxxxxxxxxx
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list