knowledgebase/filtered webmin We've all recently saw what happens when a popular running-as-root piece of package gets an exploit in the wild. I'm talking about webmin. Thousands of servers were compromised in a matter of days, not just in Rimuhosting, but a lot of our customers did get their VPS compromised. Now, we can't blame the webmin developers (although they did fall for a very simple bug...), errors in software is absolutely unavoidable, sooner or later this was going to happen, and, guess what, it will happen again. Since we know this will happen again we should wonder, is there something we can do to prevent our servers and VPS from getting compromised again? Of course there is! Do you *really* use webmin all over the internet? For the 99.9% of webmin users the answer is simply *no*, at most we use it from a couple of computers, home? the office? some remote place while we are in vacations? Yes... that's basically it... So, I'd recommend that if you want to prevent your server from getting compromised again you whitelist webmin. To do this you would add an allow-my-home, allow-my-office, deny-rest. Let's set it up: {code} iptables -I INPUT 1 -p tcp --dport $WEBMIN_PORT -j DROP {code} Now, let's write an script that will add a client as an authorized user for webmin: {code} echo '#!/bin/bash WEBMIN_PORT=__10000__ if [ "$1" != "" ]; then IP=$1; else IP=`echo $SSH_CLIENT | cut -f1 -d" "`; fi if [ "$IP" = "" ]; then echo "Specify the IP address you want to add as allowed"; exit; fi iptables -I INPUT 1 -p tcp --dport $WEBMIN_PORT -s $IP -j ACCEPT if [ "$?" != "0" ]; then echo "IP not added"; else echo "$IP added"; fi' > /usr/bin/webmin_add chmod 755 /usr/bin/webmin_add echo '#!/bin/bash WEBMIN_PORT=__10000__ if [ "$1" != "" ]; then IP=$1; else IP=`echo $SSH_CLIENT | cut -f1 -d" "`; fi if [ "$IP" = "" ]; then echo "Specify the IP address you want to remove as allowed"; exit; fi iptables -D INPUT -p tcp --dport __10000__ -s $IP -j ACCEPT if [ "$?" != "0" ]; then echo "IP not removed"; else echo "$IP removed"; fi' > /usr/bin/webmin_remove chmod 755 /usr/bin/webmin_remove {code} Now, whenever you want to use webmin from a different computer (or IP) you would run: {code} webmin_add {code} as root, or to allow a particular IP: {code} webmin_add IP {code} When you are done using webmin run: {code} webmin_remove {code} or to stop allowing a particular IP: {code} webmin_remove IP {code} __NOTE:__ Throughout the scripts the port 10000 has been highlighted, replace 10000 with the port where your webmin is running. 2006-08-13 10:21:24.0 2006-08-13 10:21:24.0