[Quick Tips] : Install and enable Webmin SSL on CentOS

Install and enable Webmin SSL on CentOS

Webmin is great user friendly web based control panel or any linux server. Webmin is free, flexible, and very lean. Compare to Cpanel, DirectAdmin, Plesk control panel for hosting environment, webmin uses very little resources while being very functional. Webmin is a very powerful control panel to literally control everything of your server. Webmin can run on wide range Linux distributions, like BSDI, Centos, CloudLinux, FreeBSD, Fedora, Gentoo, Linux Mint, Ubuntu, Mac OS, and lots more. Webmin comes with many standard modules as well as many third party modules. Some useful standard modules from webmin

• Bootup and Shutdown
• Disk and Network Filesystems
• System Logs
• Users and Groups
• Apache Webserver
• BIND DNS Server
• DHCP Server
• MySQL Database Server
• ProFTPD Server
• SSH Server
• Samba Windows File Sharing
• Bandwidth Monitoring
• Linux Firewall

In this article, I’m going to show you how to install webmin on a centos server

First, you need some extra packages to run webmin over SSL (Secure Sockets Layer) which is more secure.

1	# yum install openssl openssl-devel perl perl-Net-SSLeay perl-Crypt-SSLeay

Install Webmin via webmin RPM package

To fetch and install GPG key with which the packages are signed

1	# wget http://www.webmin.com/jcameron-key.asc

1	# rpm --import jcameron-key.asc

Download Webmin for Centos/Fedora/Redhat

1	# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.710-1.noarch.rpm

Finally you can install webmin on Centos

1	# rpm -U webmin-1.710-1.noarch.rpm

Install Webmin via Webmin YUM repository

If you want to install webmin via YUM repository, you can create webmin.repo file in your Centos system

1	# nano /etc/yum.repos.d/webmin.repo

With the content

1 2 3 4 5

[Webmin] name=Webmin Distribution Neutral #baseurl=http://download.webmin.com/download/yum mirrorlist=http://download.webmin.com/download/yum/mirrorlist enabled=1

Save the file, now you will be able to install and update webmin via yum command as normal yum package.

1 2 3

# yum update   <h1>yum install webmin</h1>

Login to Webmin

After you installed webmin, you can start to use it, since webmin is web based control panel. You can use webmin to control your server over the internet through a web interface. Standard/default webmin installation will be using port 10000 over http protocol. You can change webmin default port after you login to webmin. Your webmin login should be your root user and your root password.

For non SSL webmin login

1	http://yourhostname.com:10000

For SSL webmin login

1	https://yourhostname.com:10000

Share It:

[Linux Server] : How to install, config and secure openssh server

How to install, config and secure openssh server

OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including username and password) over the wire in unencrypted form, and provides host authentication, to verify that you really are talking to the system that you think you are and that no one else can take over that session. Currently OpenSSH can be used with OpenBSD, NetBSD, FreeBSD, AIX, HP-UX, IRIX, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF, Mac OS X, Cygwin.

Install OpenSSH

You will want your system can both receive and make connections via OpenSSH, so you will need to install server and client packages
For Ubuntu, Mint, or Debian based distributions

1	# apt-get install openssh openssh-server openssh-client

For Fedora, Centos, or Red Hat based distributions

1	# yum install openssh openssh-server openssh-clients

Config and Secure OpenSSH
Default openssh config files
/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.

Default openssh port
TCP 22

There are a few tweaks and changes before you open up your ssh server to connections from the outside world.

1. Disable OpenSSH server

You should disable and remove openssh on machines that you don’t need connections to, like workstation, laptop

For Ubuntu, Mint, or Debian based distributions

1	# apt-get remove openssh-server

For Fedora, Centos, or Red Hat based distributions

1 2 3

# chkconfig sshd off   <h1>yum erase openssh-server</h1>

You will need to update and restart your iptables if you have one to remove ssh exception rule.

1	# nano /etc/sysconfig/iptables

2. Only Use SSH Protocol 2

Make sure its in your openssh server config file

1	Protocol 2

3. Limit access to ssh server

Only allow certain user/users to access your ssh server and deny user/users you don’t want to access to ssh server.

To allow user/users, add this to sshd_config

1	AllowUsers tom marry mike

To deny

1	DenyUsers root jenny

Personally i highly suggest you deny root user on ssh server and ssh with normal unprivileged user, then you can become root after that.

To become root you can use su command

For Ubuntu, Mint, or Debian based distributions

1

$ sudo su

For Fedora, Centos, or Red Hat based distributions

1

$su -

Config Idle Log Out Timeout Interval

You would not want to leave your ssh session unattended, having idle log out timeout is a good idea to do so. Here i set mine at 300 seconds or 5 minutes

1 2	ClientAliveInterval 300 ClientAliveCountMax 0

4. Disable .rhosts Files

Linux are file based Operating System. If attackers use a network analyzer to launch a buffer overflow attack and capture a user ID and password, attackers can see what the system give out permission to that specific user. That’s why to protect .rhosts file.

1	IgnoreRhosts yes

5. Disable Host-Based Authentication

HostbasedAuthentication no

6. Disable root Login via SSH

As I mentioned before, you dont want to login with your root account. Besind deny user root, you should also disallow it.

1	PermitRootLogin no

7. Having a Warning Banner

This is not really effective to against somebody want to break in your ssh server, but it’s cool to have one and sort of legal warning. We will place the warning notice in /etc/ssh/ssh_banner file

Create ssh Banner

1	# nano /etc/ssh/ssh_banner

Sample warning banner /etc/ssh_banner

1 2 3 4 5 6

************************************************   NOTICE TO USERS WARNING! The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law. All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.   *************************************************

8. Change SSH server port

After deny and disallow root login at number 3. and 7., I belive changing ssh server port to a non-standard port is the second most important effective way to prevent break in ssh server. Ibelive (I might be wrong) anything between port 1024 to 65535 is safe to use.

1	Port 10000

9. Disable Empty Passwords

You don’t want anyone to login to your ssh server with an empty password

1	PermitEmptyPasswords no

10. Use StrictModes

StrictModes let ssh check user’s permissions in their home directory and rhosts file before allow ssh login to make sure users don’t leave their directories and files write-able to others in the same host/system.
Under # Authentication:, uncomment StrictModes, LoginGraceTime, PermitRootLogin, MaxAuthTries, and MaxSessions

1 2 3 4 5 6 7

# Authentication:   LoginGraceTime 2m PermitRootLogin no StrictModes yes MaxAuthTries 6 MaxSessions 10

Share It: