I’ve been seeing unknown IPs establishing connection with webmin (at least according to netstat).
When I go to the Running Processes page I see a couple of "perl miniserv.pl miniserv.conf" processes running. Should I be concerned by this? Are these IPs actually logged-in or are these just attempts? Would changing the default webmin port (10000) be a good idea?
Webmin has logs (in /var/webmin) and there is an action log which shows every action anyone takes in Webmin, which you can browse/search within Webmin). You can see who logged in and when and what actions they took.
Thanks. I’ve checked the webmin.log file and as far as I can tell most foreign IPs only have a “failed” / “wrongpass” lines recorded. So I guess they haven’t been able to actually log-in.
I just found it strange that the extra miniserv processes that are on the Running Processes page have been running for days.
I assumed if logins weren’t successful that those processes would die eventually. I guess it’s also possible that those processes aren’t started by login attempts and it’s normal to have a couple of them running.