Changing Webmin Port
From SuperbHosting.net Support Wiki
Introduction
Due to security vulnerabilities on older installations of Webmin, port 10000 has been globally blocked. We plan to remove this global block once the vulnerable versions of Webmin are no longer used. In the meantime, customers can use a different port.
Methods
There are two methods for changing the Webmin port:
1) Edit Webmin's configuration to listen on a non-standard port
2) Create a pre-routing redirect rule with iptables
You only need to choose one of the aforementioned methods, though the best solution is to change the Webmin configuration.
Webmin Configuration miniserv.conf
The Webmin configuration is located at /etc/webmin/miniserv.conf and contains two options to be modified.
First, make sure the file exists:
# more /etc/webmin/miniserv.conf | grep 10000
port=10000
listen=10000
You may use your text editor of choice to edit the file. This example creates a backup and changes the port to 10001 using sed. Sed reads miniserv.conf.bak, replaces the first occurrence of 10000 on each line with 10001, and writes the result over miniserv.conf.
Cheat code:
# cd /etc/webmin/ && cp miniserv.conf miniserv.conf.bak && sed 's|10000|10001|' < miniserv.conf.bak > miniserv.conf && /etc/init.d/webmin restart
Check the work to ensure it has been applied:
# more miniserv.conf | grep 10001
port=10001
listen=10001
Now, test port 10001 and release the ticket for approval.
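The sed one-liner above replaces 10000 wherever it appears on a line, so any other setting containing that number would change too. The following is an added example, not part of the original wiki page: a shell function that rewrites only the port= and listen= lines, keeps a backup, and verifies the result. The function name change_webmin_port and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# change_webmin_port CONF OLD NEW   (hypothetical helper, added example)
# Backs up CONF to CONF.bak, then replaces OLD with NEW only on lines that
# are exactly "port=OLD" or "listen=OLD". Returns non-zero on any problem.
change_webmin_port() {
    conf=$1 old=$2 new=$3

    # Accept only plain port numbers; this also keeps the sed script safe.
    for p in "$old" "$new"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
    done

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Keep a copy with the original mode and timestamps.
    cp -p "$conf" "$conf.bak" || return 1

    # Anchored match: settings that merely contain OLD are left alone.
    sed -e "s/^port=$old\$/port=$new/" \
        -e "s/^listen=$old\$/listen=$new/" \
        "$conf.bak" > "$conf" || return 1

    # Verify both keys changed; otherwise restore the backup and fail.
    if grep -qx "port=$new" "$conf" && grep -qx "listen=$new" "$conf"; then
        return 0
    fi
    echo "verification failed, restoring $conf.bak" >&2
    cp -p "$conf.bak" "$conf"
    return 1
}

# Demo on a constructed sample file (sample_limit is a made-up key used only
# to show that unrelated values are untouched; it is not a Webmin option).
demo_dir=$(mktemp -d)
printf 'port=10000\nlisten=10000\nssl=1\nsample_limit=10000\n' \
    > "$demo_dir/miniserv.conf"
change_webmin_port "$demo_dir/miniserv.conf" 10000 10001 \
    && cat "$demo_dir/miniserv.conf"
rm -rf "$demo_dir"
```

On a real server, point the function at /etc/webmin/miniserv.conf and restart Webmin afterwards, as in the one-liner above.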
IPTABLES Pre-Routing Redirect Rule
This method can be executed at the shell prompt for instant results without changing the Webmin configuration or restarting the service. It is not recommended if the client uses a firewall daemon (APF or CSF); in that case, change the Webmin config file and edit the firewall daemon's config instead.
Assuming that you are dealing with the standard IPTABLES without any fancy daemons like APF or CSF, you can run the following commands to apply the new rules. This example pre-routes 10001 to 10000 so the new port the client would use from the outside is 10001.
# iptables -t nat -A PREROUTING -p tcp --dport 10001 -j REDIRECT --to-ports 10000
# iptables -t nat -A PREROUTING -p udp --dport 10001 -j REDIRECT --to-ports 10000
Test port 10001 in your web browser and, if everything checks out, run the following to save the rules so they are not lost during the next reboot.
# iptables-save -c > /etc/iptables-save
Test port 10001 and release for approval.
Vulnerability Info
There is an arbitrary file disclosure vulnerability in Webmin versions ≤1.280 (excluding 1.220). Simply upgrade Webmin to version ≥1.290. Current version is 1.400.
Webmin v1.400 SourceForge RPM NoArch Download
