Restrict access to webmin admin panel

System hostname: redacted.something.cloud (88.88.88.77)
Operating system: Debian Linux 10
Webmin version: 2.021
Usermin version: 1.861
Virtualmin version: 7.7
Authentic theme version: 20.21

I would try all the below mentioned questions myself but I don’t want to lock myself out, thank you for understanding :slight_smile:

Ok, I’m posting this after having done my own research but don’t feel like I found a satisfying answer myself. I employed ChatGPT as well but it seems to provide information that is outdated or just wrong…
Anyway, here is my situation:
I have a small webserver in the cloud. Access to it is restricted and only allowed for one specific IP address and SSH PKI + Passphrase.

On it, I installed Virtualmin and set up a virtual server redacted.something.cloud - I set up 2FA on it. I’m trying to achieve the following outcome:
The root-admin-webmin-panel should not be accessible from anywhere on the internet. So to achieve this, according to my current knowledge, I could go two ways:


I’m not 100% sure what the difference between those two options is. I have a Dyndns-service for my home network, so if I put in mydyndns.com in the allowed IP address, I should be able to log in only when I’m connected to my home network, right?
On the other hand, if I Bind to IP address in Listen on IPs and ports, I could do the same + specify the port. I have read on the wiki about these two and it says: “Webmin usually listens for connections on port 10000 on all of your system’s IP addresses.”

OK, so if I have multiple virtual servers
redacted1.something.cloud
redacted2.something.cloud
redacted3.something.cloud
admn.something.cloud

By setting up IP Access control and specifying Ports and Addresses, I could achieve my desired outcome:

Access Webmin Admin panel only from IP Address 91.54.10.10 by typing in the browser https://admn.something.cloud:989

Ok, so I also found this option that is kind of obvious and I feel a bit stupid for not having seen it so far: Under Virtualmin → Edit Virtual Servers, I have disabled the apache server for the admn.something.cloud and disabled the virtualmin login for the other subdomains. But it still doesn’t work on the root account, I can still see the login page for the non-admin domains with the right port.

ChatGPT invents things. It is not out-dated, it just makes shit up. It sounds plausible, has good grammar, speaks with confidence…so, it’s very good at selling you on the idea that it knows what it’s talking about, but it really doesn’t.

Nothing in this area of Webmin has ever changed in significant ways. Jamie’s book covered it, and thus it’s in the wiki. I’d suggest starting there, rather than by asking a pathological liar for help. https://doxfer.webmin.com/Webmin/Webmin_Configuration

One is for access control (what IPs can connect to Webmin), the other determines which IPs and ports Webmin listens on.

Those two facts are unrelated. Virtual servers are generally name-based. Names have little to do with IP addresses.

Listening also has nothing to do with access control, unless you have a private network of some sort (either a VPN or a local non-routed network like 192.168.x.x or 10.x.x.x) and you make Webmin listen only on the private network. Ports and Addresses is not an access control feature.

Yes, I think this is what I don’t understand, because without access control with a specified IP address, I don’t see how I would prevent someone from being able to see the log-in screen for the admin panel if two domains point to the same IP address - even if I disable the admin panel on one domain, after it’s been resolved it would still work in the form of 34.34.34.34:port

I set up MFA for now without access control by IP and have changed the port to something other than 10000, due to convenience as I don’t have an IP address that I could use for logging in. If my IP changes I have to edit miniserv.conf on the server to be able to access again.

I could also use a dyndns service probably, if virtualmin accepts this type of entry

Those two things are unrelated. What domain name you browse to has nothing to do with which IPs Webmin will respond to, regardless of the IP they resolve to. I mean, you could have five IPs with five domains, and that still would not make domain names matter to IP access control. They’re not related.

The IP of the client is what IP access control is based on, and it does not matter what IP they are connecting to. (I mean, Webmin can listen on one or all addresses, and listens on all by default, but any client IP can connect to Webmin on whatever IP it is listening on, unless you explicitly configure it to do otherwise.)

I don’t know how to break these two ideas apart for you. It’s making it difficult for you, but I don’t know how to fix it. I don’t know what ChatGPT said to make these two wholly unrelated things combine into one concept for you, but it wasn’t doing you any favors. :man_shrugging:

To be clear: Listening address and domain names in Virtualmin don’t/can’t have anything to do with who can connect to Webmin.

Maybe I’m trying to configure something I don’t understand the basics of, but now I started… I mean I used chatgpt because I can ask it stupid questions and it appears helpful, but if it mixes concepts and I learn them the wrong way you’re right it’s not doing me any favors.

What I meant is this: if someone browses to a domain using a url like example.com, that domain resolves to an ip address. And if that user or client finds the right port, they could get to the log-in screen for the admin panel, correct?

So, the only way to prevent some random client accessing webmin is by configuring IP access control and setting it to an authorized IP address, i.e., my own client, correct?

→ which means webmin does not respond to anything but this ip address.

So this is the only option if I understand you correctly?
if IP Access is configured to any ip address, any client can connect to webmin using ipaddress+:port, regardless of any virtual servers etc.

I hope I got it now…


Yes. But, “find the right port” sort of implies you can hide a port. nmap takes a few seconds to find all open ports on a system, and many tools will make guesses about what’s running on any given port (a web server, like Webmin, or like Apache, has to respond in certain ways to be a web server).

Not the only way, but the only way in Webmin itself that you can prevent anyone on an untrusted IP from connecting at all.

Obviously, someone needs a valid username and password, and if you configure 2FA, they also need the second factor.

You could instead use a firewall to prevent access, but that again is based on an IP (even if you give it a hostname, it resolves at the time of rule creation, and won’t update automatically in the future without some extra steps…the same is true of Webmin). If you’re on a dynamic IP, you’d need a dynamic process to allow it.

That’s correct. Virtual servers are irrelevant. Webmin only uses information from Virtualmin domains to pick which TLS certificate to serve, if you connect using a domain name that is managed by Virtualmin.

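The "dynamic process" mentioned in the last reply could look like the sketch below. It is an added example, not part of the thread or of Webmin: it resolves a dynamic-DNS name and rewrites the `allow=` line of `miniserv.conf` (the file the original poster edits by hand) only when the address has changed. The host name argument, the `getent` lookup and the `/etc/webmin/restart` path are assumptions about the system.

```shell
#!/bin/sh
# Added example (not from the thread): keep Webmin's allow= rule in step with
# a dynamic-DNS name. Host name, paths and restart command are assumptions.

# True only for a dotted-quad IPv4 address, so nothing else reaches the config.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# First IPv4 address the system resolver returns for a host name.
resolve_ipv4() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }

# Value of the allow= line in a miniserv.conf-style file (empty if absent).
current_allow() { sed -n 's/^allow=//p' "$1" | head -n 1; }

# Replace the allow= line with one client IP. Prints "changed" or "unchanged".
set_allow() {
    file=$1; ip=$2
    is_ipv4 "$ip" || { echo "refusing to write '$ip'" >&2; return 2; }
    if [ "$(current_allow "$file")" = "$ip" ]; then echo unchanged; return 0; fi
    tmp=$(mktemp "$file.XXXXXX") || return 2
    sed '/^allow=/d' "$file" > "$tmp" && echo "allow=$ip" >> "$tmp" || return 2
    mv "$tmp" "$file" && echo changed
}

main() {
    host=$1; file=$2
    ip=$(resolve_ipv4 "$host")
    # On a failed lookup keep the existing rule instead of opening access.
    [ -n "$ip" ] || { echo "cannot resolve $host; $file untouched" >&2; return 1; }
    result=$(set_allow "$file" "$ip") || return 1
    # Assumed restart script of a standard /etc/webmin install.
    [ "$result" = unchanged ] || /etc/webmin/restart
}

# Run only when called as: script <dyndns-host> <path-to-miniserv.conf>
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as root from cron with the dynamic-DNS name and the path to `miniserv.conf` as arguments. Whoever controls that DNS record then decides which address may reach the login page, so the password and 2FA are still needed.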
