| SYSTEM INFORMATION | |
|---|---|
| OS type and version | RHEL9 |
| Webmin version | 2.101 |
| Virtualmin version | 7.8.2 |
| Related packages | SUGGESTED |
Hello
I recently updated packages and found out (Please check the screenshot) related to the security concern of the server. It’s better not to show the URL of Virtualmin dashboard in frontend. The guide is good but the URL is not good.
Do you mean the “Report”? in which case I agree.
or do you mean the domain name url at the top of the page (missing from your image) I also agree - to a lesser extent.
Remember this default page is supposed to be very temporary and very easy to replace with a blank (or more appropriate) index.page. Or an actual website perhaps.
I do prefer it to the old default page which was more of an advert.
Edit: Oh I see now the link to Virtualmin login. I don’t really see a security issue here. It just gives a login page to attack (like just about every website on the internet) and it gives the hostname rather that a real resolvable address)
That page is the initial variant of the index page in a newly created website. It will be replaced later with a real page.
It is not a security concern to display the link, as long as the webmin service is running. As very few change the default port 10000, accessing the login form is easy to do.
As a tip, in a server where there are few administrators, I recommend that the Webmin service only run when the interface is accessed for different tasks (create a user, database, …). Otherwise, it should be stopped. Webmin has protections against a number of failed logins, but it is better to use the interface only when needed, obviously on the condition that you are familiar with CLI. As far as I am concerned, I have installations where I haven’t entered the web interface for a long time.
My only problem is the email address showing. I have several domains only hosting email. Now I gotta go kill the page on these to keep bots from harvesting my email address. Sigh…
That’s not a security issue. A scan will find the port, there is no security provided by a “secret” port. Use strong passwords, enable 2FA, stay on top of updates.
And, as always, the default page is anything you want it to be. We gave you this one, but you can and should make your own that suits your business and use case.
But that would affect all sites on that IP? easier to put up a blank page or (“under construction” - I’m old fashioned.)
You got it the wrong way round that screen only allows the given ip to access webmin so it won’t affect the opperation of any site hosted on webmin
Nope, only webmin access.
This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.
