How to install Webmin on Ubuntu 18.04

This How To is designed to help you install Webmin on your fresh install of Ubuntu 18.04 Bionic Beaver and then walk you through some basic functionality like creating a website and adding users.  

Webmin is used to provide a web based interface for administration of your Ubuntu server rather than having to perform all of the tedious and easy to make mistakes via command line file editing.  Webmin offers a free alternative to commercial products like cPanel or Plesk.

Intended Audience

This tutorial is intended for beginner to intermediate linux uses who are looking to get started operating their own web/database/email servers and who would appreciate the use of a web interface over command line configuration of services.  Windows users also attempting to make the jump to linux might also appreciate an more staggered transition to the command line vs having to do everything in the shell all of the time right out of the gate.

Pros and Cons of using Webmin

Webmin is a pretty badass product and its hard to see the downsides of using it for your administrative tasks.  It’s not going to have as many integrations as some of the other commerical products out there but at the low low price of zero dollars its pretty awesome.  

Pre-requisites

  • Server with a fresh install of Ubuntu 18.04
  • DO NOT INSTALL THIS ON A SERVER THAT IS ALREADY IN PRODUCTION!!!!
  • $ sudo apt-get update && sudo apt-get upgrade

Lets get started

Add Webmin Ubuntu Repository

$  sudo vi /etc/apt/sources.list  ###use vi or your favorite editor like nano $  [sudo] password for user:

Here is the body of the sources.list file

deb http://archive.ubuntu.com/ubuntu bionic main universe deb http://archive.ubuntu.com/ubuntu bionic-security main universe deb http://archive.ubuntu.com/ubuntu bionic-updates main universe  ### ADD WEBMIN REPOS ### deb http://download.webmin.com/download/repository sarge contrib

Once you’ve added the repositories you can save and exit the file.

Now download the PGP key for the newly added repository

$   wget http://www.webmin.com/jcameron-key.asc --2019-05-14 02:07:26--  http://www.webmin.com/jcameron-key.asc Resolving www.webmin.com (www.webmin.com)... 216.105.38.10 Connecting to www.webmin.com (www.webmin.com)|216.105.38.10|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1320 (1.3K) [text/plain] Saving to: 'jcameron-key.asc'  jcameron-key.asc         100%[==================================>]   1.29K  --.-KB/s    in 0s        2019-05-14 02:07:26 (161 MB/s) - 'jcameron-key.asc' saved [1320/1320] 

Add the keyfile with the following command

$   sudo apt-key add jcameron-key.asc  $   sudo apt-get update  ##Update the repositories Ign:1 http://download.webmin.com/download/repository sarge InRelease Get:2 http://download.webmin.com/download/repository sarge Release [16.9 kB] Hit:3 http://archive.ubuntu.com/ubuntu bionic InRelease  Get:4 http://download.webmin.com/download/repository sarge Release.gpg [173 B] Get:5 http://archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]          Get:6 http://download.webmin.com/download/repository sarge/contrib amd64 Packages [1,383 B] Get:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB] Get:8 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages [334 kB] Get:9 http://archive.ubuntu.com/ubuntu bionic-security/main Translation-en [120 kB] Get:10 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [243 kB] Get:11 http://archive.ubuntu.com/ubuntu bionic-security/universe Translation-en [139 kB] Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [599 kB] Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [221 kB] Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [933 kB] Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [273 kB] Fetched 3,059 kB in 2s (1,438 kB/s)                               Reading package lists... Done 

Now we actually install webmin and its dependencies

$   sudo apt-get install webmin Reading package lists... Done Building dependency tree        Reading state information... Done The following additional packages will be installed:   apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl   libpython-stdlib libpython2.7-minimal libpython2.7-stdlib perl-openssl-defaults python   python-minimal python2.7 python2.7-minimal Suggested packages:   python-doc python-tk python2.7-doc binutils binfmt-support The following NEW packages will be installed:   apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl   libpython-stdlib libpython2.7-minimal libpython2.7-stdlib perl-openssl-defaults python   python-minimal python2.7 python2.7-minimal webmin 0 upgraded, 14 newly installed, 0 to remove and 7 not upgraded. Need to get 21.2 MB of archives. After this operation, 193 MB of additional disk space will be used. Do you want to continue? [Y/n] Y ###make the magic happen

A bunch of stuff is going to scroll by … hopefully without errors

Setting up webmin (1.910) ... Webmin install complete. You can now login to https://ubuntu:10000/ as root with your root password, or as any user who can use sudo to run commands as root. Processing triggers for ureadahead (0.100.0-21) ... Processing triggers for systemd (237-3ubuntu10.21) ...

 

Go to https://x.x.x.x:10000/ in your browser to bring up your webmin interface.  Hit the advanced button and then Proceed to x.x.x.x (unsafe)

Now you should see the login prompt for webmin.  Hit it with your root username and password or any user that is an eligible sudoer. 

First login is going to show you the dashboard and give you any information about security updates that are pending!

Make sure that you take care of those security updates with a reboot.  Look there’s a button! How much easier can it get!?

 

Security Precautions – Firewall Configuration for lite Zero Trust

A NOTE OF CAUTION!! YOU COULD LOCK YOURSELF AND EVERYONE ELSE OUT OF YOUR VPS DOING THIS.   From a security perspective this is a good idea, which is the beginning of so many production outages. 

From a usability perspective, you need to know what you are doing or things are going to go wrong.   If you don’t know what you are doing phone a friend or just come back to this section when you are more comfortable with iptables and firewall policy.  We’ll have a follow up tutorial on that topic. 

Resource: http://www.whatismyip.com – will show you your workstation’s public IP address.

Let’s do ourselves a “favor” here and go to Webmin > Networking > Linux Firewall and create some rules that only allow known good IPs to access the webmin administrative port?  Don’t lock yourself out. Don’t lock yourself out. Don’t lock yourself out.

IPTables (and most modern firewalls) apply rules on a first match basis.  Meaning that as soon as I have a match, it executes that match and stops caring about any rules after the match.  That means you need to place accept rules into the chain of rules before you put in your “zero trust” rules that block everything by default.  That’s right, Zero Trust just means block everything by default.

Here is the default IPtables interface in webmin before we go and mess it up.  You can see that there is an accept rule for 7777, that’s openvpn.

We need to create accept rules for any service that we want to access remotely.  I made any accept rule for Tcp/22 SSH, and an accept rule for Tcp/10000 Webmin where the source address is my workstation (x.x.x.x/32 – /32 indicates a range of 1 IP address.)

IF YOU ARE ON A PRODUCTION SERVER WITH PUBLIC FACING SERVICES AND NOT WRITING A TUTORIAL YOU WILL WANT TO CONSIDER ACCEPT RULES FOR

TCP/80  HTTP from source 0.0.0.0/0   ### web servers

TCP/443 HTTPS from source 0.0.0.0/0 ###encrypted web traffic

TCP/25 SMTP frmo source 0.0.0.0/0 ###Simple Mail Transport

FTP, Encrypted email, SSH if you want the whole world to login, webmail.   ###tutorial on zero trust and iptables forthcoming

Example of my finished firewall policy with the last two rules to drop all traffic from all sources bound for TCP and UDP ports 1:65535.  This is definitely not an elegant way to do this.

Please don’t lock yourself out of your VPS.

Cool things about Webmin

  1. There’s a web app for shell access that has translucency built into it.  Others > Command Shell
  2. There’s a partition editor if you really want to roll the dice!  Hardware > Partitions on local Disks
  3. Un-Used modules gives about 100 options for modules to install like Postfix mail server, shorewall firewall, spamassassin, etc.
  4. Cluster configuration – hopefully we’ll get to play with this in the future!  

Un-installation Procedures

Webmin is pretty invasive.  If you want to uninstall it – I recommend destroying your VPS and starting fresh.  Please don’t delete your own data doing so.

References / Appendix

  • https://doxfer.webmin.com/Webmin/Main_Page
  • IPTables summary of chain commands http://sys.u22.net/t09/t09p053.php
  • http://www.webmin.com/

Author’s bio

Sean Richards, CISSP,  is a 20 year linux enthusiast and security practitioner.  He loves animals, BBQ, and bicycles.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards

The post How to install Webmin on Ubuntu 18.04 appeared first on Low End Box.

Webmin not responding, unreadable 400 errors, Debian 9 Stretch

Webmin is installed on a Debian 9 Stretch VPS, and port 10000 is open in the firewall for tcp. I can telnet to the server on port 10000 and sit at a connection, but a web browser just times out.

In miniserv.error there is a series of “Bad Request”

In miniserv.log there are unreadable messages with the number 400, which I’m assuming refers to HTTP error 400. For example:

“���HU�XZ7�n” 400 29

I’ve turned off SSL and ipv6. Restarted Webmin several times, checked it is running, checked it is listening on port 10000. What next please?

Use NGINX to proxy webmin in /admin

I am setting up an NGINX to be a WAF (Web Application Firewall).

NGINX reverse proxy is working fine for https://hostname/, but I would like to make https://hostname/admin to be proxied into a Webmin interface.

The scenario is as follows: Internet NET = 0.0.0.0/32 Network LAN = 6.0.0.0/8 Network DMZ = 11.0.0.0/8

As NET=(router)=LAN=(nginx)=DMZ=(a few virtual machines) |—>dmz>—|

So far all is working fine, but now I want to create a Webmin into each virtual machine to be accessed by adding /admin at the end of the hostname

such as https://nas/admin

An example of the configuration file located in /etc/nginx/sites-enabled is:

server {     listen 443 ssl; # managed by Certbot     server_name nas;     location /.well-known {             alias /var/www/nas/.well-known;     }     location / {         proxy_buffers 16 4k;         proxy_buffer_size 2k;         proxy_set_header        Host $  host;         proxy_set_header        X-Real-IP $  remote_addr;         proxy_set_header        X-Forwarded-For $  proxy_add_x_forwarded_for;         proxy_set_header        X-Forwarded-Proto $  scheme;         proxy_pass          https://11.0.0.12:443;         proxy_read_timeout  90;     }     location /admin {         proxy_pass          https://11.0.0.12:10000;     }     client_max_body_size 10G;     ssl_certificate /etc/letsencrypt/live/nas/fullchain.pem;     ssl_certificate_key /etc/letsencrypt/live/nas/privkey.pem; }  server {     listen 80;     server_name nas;         return 301 https://$  host$  request_uri; } 

What am I doing wrong?

How to solve Gmail Bad Syntax address on webmin

My virtualmin server does not recieve mail. The messages bounces back to the sending server. A part of the message says:

<info-example.com@ipaddress> (expanded from <info@example.com>):      bad address syntax.  

I have checked my postfix configuration and tried to correct things but yet nothing seems to work.

This is the output from postconf -n

postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases allow_percent_hack = no append_dot_mydomain = yes biff = no broken_sasl_auth_clients = yes compatibility_level = 2 home_mailbox = Maildir/ inet_protocols = all mailbox_command = /usr/bin/procmail-wrapper -o -a $  DOMAIN -d $  LOGNAME mailbox_size_limit = 0 milter_default_action = accept milter_protocol = 2 mydestination = $  myhostname, localhost.$  mydomain, localhost, $  mydomain mydomain = example.com myhostname = www.example.com mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mynetworks_style = subnet myorigin = /etc/mailname non_smtpd_milters = inet:localhost:8891 readme_directory = no recipient_delimiter = + sender_bcc_maps = hash:/etc/postfix/bcc smtp_tls_security_level = may smtp_tls_session_cache_database = btree:$  {data_directory}/smtp_scache smtpd_banner = $  myhostname ESMTP $  mail_name (Ubuntu) smtpd_error_sleep_time = 1s smtpd_hard_error_limit = 20 smtpd_milters = inet:localhost:8891 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service, unix:private/policy-spf smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_soft_error_limit = 10 smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem smtpd_tls_key_file = /etc/postfix/postfix.key.pem smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:$  {data_directory}/smtpd_scache smtpd_use_tls = yes virtual_alias_maps = hash:/etc/postfix/virtual