Authentic theme terminal

Hello,

every time I see the “>_” terminal symbol when opening a webmin/virtualmin web interface I
wonder if it is possible to safely disable this.

Why: all my servers can be connected via ssh only using openssh key, not using passwords.
Opening terminal access via (user/password) Webmin login makes this … feel insecure, at least.

  • In authentic theme configuration, it is possible to set “Show terminal button” to off.
    Does this mean that this “terminal” is then really disabled, or can this be used by some, say, hidden
    url?

  • Is it possible to use ssl client certificate for webmin access, meaning: no user/password login
    any more, so no one can try user/password combinations?

Surely, I can bind webmin to localhost and connect only by ssh tunnel, but … then, no clients
without ssh access could connect to the webmin interface.

Thanks for your answers or suggestions,
best regards
Falko

If you moved Virtualmin, Usermin, sFTP, SSH… from their default ports and have installed Fail2Ban you are safe from brute-force attacks. For direct SSH access you can use the key instead of a password, and it will not affect Virtualmin login.

There are two ways to achieve this.

At the Webmin module level:

Disable the Command Shell module for whatever user you want to not have this ability. To do that, browse to Webmin->Webmin->Webmin Users->Username->Available Webmin Modules and then uncheck the box next to Command Shell in the Others category. The Authentic Theme shell takes its permissions from the Command Shell module, so this will cause the button to disappear and disable the hotkey to bring up the terminal.

At the theme preferences level:

Open “Theme Settings” (the gears icon in the left hand menu is the quickest way to get there), and find the option labeled Show terminal button. Set it to No.

Also, set Hotkey for shell to nothing (delete the letter “k” in that option).

Save it.

The former method is the one that probably does what you want… if you just disable it in the theme, you’re still leaving access to the Command Shell module, which does the exact same thing, in a slightly less attractive way. There’s also the SSH Login and SSH Login modules, which provide interactive terminal access. But, honestly, if someone has root access to Webmin, disabling the shell isn’t a security improvement. Root access to Webmin is root access to your system, and there’s any number of ways to use that access to cause damage. So, make sure you’re using good practices with regard to passwords, maybe enable 2FA, etc.
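
To check that the module-level change described in the answer above actually took effect for every account, the Webmin ACL file can be audited. This is an added example, not part of the original thread and not Webmin's own code. It assumes the ACL file consists of `user: module module ...` lines and that the Command Shell module's directory name is `shell`; the sample users are constructed.

```python
"""Audit a Webmin ACL file for users still granted terminal-capable modules."""
import sys

# Assumption: the Command Shell module's directory name is "shell".
# Add the directory names of any other interactive-terminal modules you have.
TERMINAL_MODULES = {"shell"}

# Constructed sample in the assumed "user: module module ..." format.
SAMPLE_ACL = """\
# constructed sample, not a real ACL
root: acl apache cron shell webmin
webadmin: apache cron virtual-server
ops: cron shell
"""


def parse_acl(text):
    """Parse ACL lines into {user: set(modules)}, skipping blanks and comments."""
    grants = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, mods = line.partition(":")
        grants.setdefault(user.strip(), set()).update(mods.split())
    return grants


def users_with_terminal(text, terminal_modules=TERMINAL_MODULES):
    """Return {user: sorted terminal modules that user is still granted}."""
    findings = {}
    for user, mods in parse_acl(text).items():
        hits = sorted(mods & set(terminal_modules))
        if hits:
            findings[user] = hits
    return findings


def main(argv):
    # With no argument, the constructed sample is audited instead of a file.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ACL
    findings = users_with_terminal(text)
    for user, mods in sorted(findings.items()):
        print(f"{user}: still granted {', '.join(mods)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path to your ACL file as the first argument (commonly `/etc/webmin/webmin.acl`, which is an assumption about your install); the script exits non-zero if any user still holds a listed module.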

Thank you very much for your replies.

Yes, we disable password access for ssh, activate fail2ban and allow only access by openssh.

Only changing default ports is IMHO not enough, as other ports can easily be scanned.

That’s why I asked if there is a way to use ssl client certificates for browser access. Other than that, we can only bind webmin to localhost and use ssh tunnel.

So 2FA sounds interesting.