
Re: Connection to Webmin



antonio montagnani mentioned:
> http://localhost:10000/ works

Alexander Dalloz wrote:
> What is your problem with it? I would even say, running webmin over plain
> http and not http/ssl secured is plain stupid.

In this particular example, it's merely bad practice. It's safe enough
in that example because the data never leaves the machine (it will go
over the loopback interface).  And if the computer is properly
firewalled, no-one can get at port 10000 from outside. And the standard
Fedora firewall will do this.

If the standard firewall is *not* enabled, but Webmin is only run from
the machine in question, then the password still never leaves the
machine, and an attacker is limited to finding bugs or brute-forcing the
password. And SSH is as vulnerable.

I'd even call it safe over a trusted network, where you are sure none of
the machines are compromised, they're all under your control, and you
can see the wires (although I still don't fully trust wireless
encryption). A very small office or a home office, perhaps.

No, the reason I think it bad practice is simply because you may forget
and think it safe when you do administer over a not-fully-trusted
network.

James.

-- 
E-mail address: james | "Luck is my middle name," said Rincewind,
@westexe.demon.co.uk  | indistinctly. "Mind you, my first name is Bad."
                      |     -- Terry Pratchett, Interesting Times
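
An added example, not part of the original message: the reasoning above turns on whether port 10000 can be reached only over the loopback interface, and this sketch checks that on Linux by parsing the /proc/net/tcp table. The sample table is constructed, the function names are hypothetical, and it assumes IPv4 and a little-endian host (IPv6 listeners live in /proc/net/tcp6 and are not covered).

```python
import ipaddress
import struct

WEBMIN_PORT = 10000  # port from the URL quoted in the thread
TCP_LISTEN = "0A"    # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0
   2: 0100007F:2710 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0 100 0 0 10 0
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port); assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def listeners(proc_net_tcp, port):
    """Return the local IPs that have a socket in LISTEN state on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established or closing sockets do not accept new connections
        ip, local_port = decode_addr(cols[1])
        if local_port == port:
            found.append(ip)
    return found

def exposure(proc_net_tcp, port=WEBMIN_PORT):
    """Classify how far a listener on `port` is reachable, ignoring any firewall."""
    ips = listeners(proc_net_tcp, port)
    if not ips:
        return "not listening"
    if all(ip.is_loopback for ip in ips):
        return "loopback only"
    # A wildcard (0.0.0.0) or interface address: only the firewall stands in the way.
    return "reachable from the network unless a firewall blocks it"

if __name__ == "__main__":
    print(exposure(SAMPLE))
    # On a Linux host: print(exposure(open("/proc/net/tcp").read()))
```

A "loopback only" result corresponds to the first case in the message; anything else means the firewall is the only barrier in front of the port.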

