Difference between revisions of "Webmin to remotely administer your LinkStation"

From NAS-Central Buffalo - The Linkstation Wiki
(attribution)
m (Install Webmin(FreeLink))
 
(41 intermediate revisions by 13 users not shown)
Line 1: Line 1:
1. I have posted several Webmin screenshots at the end of this page. Install Webmin and its related packages. This will install the core features, the CPAN interface (for installing Perl modules), a java-based file manager, and firewall (iptables) manager. Use the command:
+
{{Template:Articles}}''<font color=red><small>This article based on work done by Frontalot at Linkstationwiki.org</small></font>''
 +
[[Image:Webmin.jpg|300px|right]]
 +
=Background=
 +
'''[[w:Webmin|Webmin]]'''<ref>[[w:Webmin|Wikipedia:Webmin]]</ref> is a system configuration tool for [[w:Unix-like|Unix-like]] systems. It has a web-based [[w:User interface|interface]] ([[w:GUI|GUI]]) [[w:desktop environment|desktop environment]] independent, for configuring some of the internals of the [[w:operating system|operating system]]. Webmin<ref>[http://www.webmin.com/ Webmin website]</ref> is largely based on [[w:Perl|Perl]], and is running as its own process, and [[w:webserver|webserver]]. It usually uses [[w:Transmission Control Protocol|TCP]] port 10000 for communicating, and can be configured to use [[w:Secure Sockets Layer|SSL]] if [[w:OpenSSL|OpenSSL]] is installed. It is built around [[w:module|module]]s, which have an [[w:Interface (computer science)|interface]] to the [[w:config|config]] files, and an interface to the webmin server. This makes it easy to add new functionality, without too much work. And due to Webmin's modular design, it would be possible, for anyone who is interested, to write plugins for [[w:desktop|desktop]] configuration. Webmin also allows for controlling many machines through a single interface, or seamless login on other webmin hosts in the same [[w:LAN|LAN]]. Primarily coded by Australian Jamie Cameron, Webmin is released under the [[w:BSD license|BSD license]]. Webmin has a sister project, called [[w:Usermin|Usermin]], which is similar to Webmin<ref>[http://www.webmin.com/index6.html Usermin website]</ref>, only designed for general usage tasks, not just administration tasks.
  
<font color=red>apt-get install webmin webmin-core webmin-cpan webmin-filemanager webmin-inetd webmin-logrotate webmin-firewall</font>
 
  
2. If you installed OpenSSH:
+
=Install Webmin(FreeLink)=
 +
For Debian, Webmin no longer exists in the Stable repository. It was removed some time ago from unstable at the request of the maintainer.  As a result it never made it into testing and at present does not exist in Etch (the current Stable)<ref>
 +
[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343897 Debian Bug report logs - #343897 ftp.debian.org: Please remove all webmin related packages]</ref>
  
<font color=red>apt-get install webmin-sshd</font>
+
You can install webmin from a .DEB file from the webmin site<ref>http://webmin.com/</ref> by installing some associated perl dependancies and the webmin dpkg.
  
2. If you installed Samba:
+
  wget http://prdownloads.sourceforge.net/webadmin/webmin_1.560_all.deb
 +
  apt-get install libnet-ssleay-perl  openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl apt-show-versions
 +
  dpkg -i webmin_1.560_all.deb
  
<font color=red>apt-get install webmin-samba</font>
+
There is also a really nice theme at StressFree Solutions: the '''Webmin 'Tiger' theme'''<ref>[http://www.stress-free.co.nz/webmin-theme StressFree Solutions: Webmin 'Tiger' theme]</ref> It features a graphical look, high colour icons, dropdown menus and an AJAX search tool for locating Webmin modules quickly.  It's free but you should consider supporting him on his site if you use it.  The following bit should automatically install this theme.
  
3. If you installed Apache:
+
  wget http://www.stress-free.co.nz/files/theme-stressfree.tar.gz
 +
  tar -C /usr/share/webmin -xvzf theme-stressfree.tar.gz
 +
  sed -e 's@^preroot.*$@preroot=theme-stressfree@' < /etc/webmin/miniserv.conf > /tmp/file
 +
  cat /tmp/file > /etc/webmin/miniserv.conf
 +
  sed -e 's@^theme.*$@theme=theme-stressfree@' < /etc/webmin/config > /tmp/file
 +
  cat /tmp/file > /etc/webmin/config
 +
  /etc/webmin/restart
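Review bot: the added theme-install commands send sed output to the fixed path /tmp/file and then copy it over /etc/webmin/miniserv.conf and /etc/webmin/config as root. A predictable name in world-writable /tmp can be pre-created or symlinked by another local user, so create the scratch file with mktemp or let sed edit the files in place (sed -i). The tarball is also fetched over plain http and unpacked straight into /usr/share/webmin; give readers a checksum to verify before the tar step.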
  
<font color=red>apt-get install webmin-apache webmin-htaccess </font>
+
==Installing Modules==
 +
Once you have downloaded a new module as a .wbm file, enter the Webmin Configuration module and click on the Webmin Modules button. Then use the form at the top of the page to install the module either from the local filesystem of the server Webmin is running on, or uploaded from the client your browser is on.
  
4. If you installed MySQL:
+
Take a look at the Webmin Wiki for more information <ref>[http://doxfer.com/Webmin  Docs for Webmin]</ref>
  
<font color=red>apt-get install webmin-mysql webmin-exim </font>
 
  
5. If you installed Snort:
 
  
<font color=red>apt-get install webmin-snort </font>
 
  
6. Edit <font color=red>/etc/webmin/miniserv.conf</font> to allow your IP address (under the "allow" line).
+
===Give your clients a boost===
 +
Edit your /etc/hosts file to add all LAN & external hosts
 +
you plan to login from. This is optional but will give you
 +
a faster connection.
  
7. Log in to Webmin as root, using the current root password. The default port is 10000.
+
/etc/hosts:
  
8. Select the Webmin Configuration icon and adjust the settings. I highly recommend changing the port to something other than 10000, limiting access to your IP address(es), using SSL encryption (disable non-SSL access), enabling password timeouts and session authentication, and using MD5 encryption for passwords.
+
127.0.0.1 Linkstation localhost <= should be there already
 +
192.168.0.100 MyPc1
 +
192.168.0.101 MyPc2
 +
...
  
9. Also, select System, then Disk and Network Filesystems, and ensure everything is correct (such as the swap space being enabled).
+
===Allow your IP address===
 +
:The file you need to modify is <tt>/etc/webmin/miniserv.conf</tt> , in particular the <tt>allow=</tt> or <tt>deny=</tt> lines. If the <tt>allow=</tt> line exists, it contains a list of all addresses and networks that are allowed to connect to Webmin. Similarly, the <tt>deny=</tt> line contains addresses that are not allowed to connect. After modifying this file, you need to run <tt>/etc/webmin/stop</tt> ; <tt>/etc/webmin/start</tt> for the changes to take effect. Naturally, the file can only be edited by the root user.
  
10. Browse around Webmin and you'll find a plethora of things to control/customize. I'll cover the major ones below.
+
Example:
 +
allow=0.0.0.0
 +
will allow all users from anywhere to login
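Review bot: the only example in the added "Allow your IP address" section is allow=0.0.0.0, which by the section's own description lets anyone log in, while the "Select the Webmin Configuration icon" step recommends limiting access to your IP address(es). Lead with a restrictive example, for instance the 192.168.0.100 and 192.168.0.101 hosts from the /etc/hosts snippet, and label allow=0.0.0.0 as the open setting it is.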
  
NOTE: For extra security you can disable Webmin when it's not needed and enable it when it is needed. Use the commands:
+
===Log in to Webmin as root===
 +
:using the current root password. The default port is 10000.
 +
===Select the Webmin Configuration icon===
 +
:Adjust the settings. I highly recommend changing the port to something other than 10000, limiting access to your IP address(es), using SSL encryption (disable non-SSL access), enabling password timeouts and session authentication, and using MD5 encryption for passwords.
 +
===Ensure everything is correct===
 +
:Also, select System, then Disk and Network Filesystems, and ensure everything is correct (such as the swap space being enabled). NOTE: For extra security you can disable Webmin when it's not needed and enable it when it is needed. Use the commands:
 +
<font color=red>/etc/webmin/stop</font>
 +
<font color=red>/etc/webmin/start</font>
 +
Look at the webmin faq for more info<ref>[http://www.webmin.com/faq.html Webmin:Frequently Asked Questions]</ref>
  
<font color=red>/etc/webmin/stop </font>
+
=Configuring Modules=
<font color=red>/etc/webmin/start </font>
+
== Configuring Samba ==
 
+
#Click on the Servers tab, then click on the [[Samba - a Windows-readable file share|Samba]] icon.
----
+
#Let's start by configuring some settings and tuning the performance variables. Click on the Unix Networking Options icon. Here is a good base configuration:
 
+
##'''Idle time before disconnect - Never'''
=== Configuring Samba ===
+
##'''Trusted hosts/users file - None'''
 
+
##'''Network interfaces - Automatic'''
1. Click on the Servers tab, then click on the Samba icon.
+
##'''Keepalive packets - Don't send any Send every Secs'''
 
+
##'''Maximum packet size - Default Bytes'''
2. Let's start by configuring some settings and tuning the performance variables. Click on the Unix Networking Options icon. Here is a good base configuration:
+
##'''Listen on address - All'''
 
+
##'''Socket options - TCP_NODELAY, IPTOS_LOWDELAY, SO_SNDBUF 4096'''
<font color=red>
+
#Click save after each completing each section. Remember this is only a base configuration and you may need to adjust them for your particular system and needs. Now click on the Windows Networking Options icon. Make sure your correct workgroup is entered. You shouldn't need to change any other settings.
Idle time before disconnect - Never
+
#Now click on the Authentication icon. Select yes for encrypted passwords, no to null passwords, and no to change Unix passwords.
Trusted hosts/users file - None
+
#Select Miscellaneous Options. The following is a good base configuration:
Network interfaces - Automatic
+
##'''Debug Level - Default'''
Keepalive packets - Don't send any Send every Secs
+
##'''Cache getwd() calls? - Yes'''
Maximum packet size - Default Bytes
+
##'''Lock directory - Default'''
Listen on address - All
+
##'''Log file - Default'''  
Socket options - TCP_NODELAY, IPTOS_LOWDELAY, SO_SNDBUF 4096
+
##'''Max log size - 1,000 kB'''
</font>
+
##'''Allow raw reads? - Yes'''
 
+
##'''Allow raw writes? - Yes'''
3. Click save after each completing each section. Remember this is only a base configuration and you may need to adjust them for your particular system and needs. Now click on the Windows Networking Options icon. Make sure your correct workgroup is entered. You shouldn't need to change any other settings.
+
##'''Overlapping read size - Default'''
 
+
##'''chroot() directory - None'''
4. Now click on the Authentication icon. Select yes for encrypted passwords, no to null passwords, and no to change Unix passwords.
+
##'''Path to smbrun - Default'''  
 
+
##'''Client time offset - 0 Mins'''
5. Select Miscellaneous Options. The following is a good base configuration:
+
##'''Read prediction? - No'''
 
+
#It may sound incorrect, but do not select read prediction as it actually decreases performance in most situations.
<font color=red>
+
#Next click on Convert Unix Users to Samba Users and do just as the title implies.
Debug Level - Default
+
#Select Edit Samba Users and Passwords and make sure to enable the accounts you wish to use and disable the accounts you don't wish to use.
Cache getwd() calls? - Yes
+
#Then click on Create a New File Share and create a file share via the user you wish to own this share (not root). Make sure that this user has the appropriate permissions to create the share. This is the number one problem users encounter so I will repeat it one more time: Make sure that this user has the appropriate permissions to create the share.
Lock directory - Default
+
#Select Security and Access Control and customize the permissions to your needs.
Log file - Default   
+
#Click on Restart Samba Servers and you're done!
Max log size - 1,000 kB
+
== Configuring Apache ==
Allow raw reads? - Yes
+
#You can configure Apache through Webmin by selecting Servers, then clicking the Apache icon. However, I find it much easier to edit the <tt>/etc/apache/httpd.conf</tt> file<ref>[http://penguin.triumf.ca/httpd-ssl.conf.html An Example /etc/apache/httpd.conf]</ref>. Everything is clearly documented and virtually idiot-proof.
Allow raw writes? - Yes
+
== Configuring MySQL ==
Overlapping read size - Default
+
#Select Servers, MySQL Database Server, User Permissions, and update the usernames and passwords. Don't delete the default Debian account!
chroot() directory - None
+
#Select Backup Databases and set up a backup schedule. This is very, very important (lest you wish to start from scratch)!
Path to smbrun - Default   
+
#You can manually add/delete databases, tables, and so on. However, most programs will automatically create their necessary tables and only require that you create an appropriate user.
Client time offset - 0 Mins
+
== Configuring Snort ==
Read prediction? - No
+
#Select Servers then Snort IDS. Enable or disable the rules you want. Most rules are enabled by default and will work as such; the rules which are not enabled by default require extensive customization to configure (something I can't cover here).
</font>
+
#Next select Network Settings and ensure all the port settings are correct.
 
+
#Click on Edit Config File and make sure all your information is correct, including the HTTP_PORTS and RULE_PATH. If you're having trouble with rules not being found, try manually entering the rule path (for example, <tt>/etc/snort/rules/local.rules</tt>) or completely removing the rule path (for example, <tt>local.rules</tt>).
6. It may sound incorrect, but do not select read prediction as it actually decreases performance in most situations.
+
#Restart Snort and you're good to go. I highly recommend you do a more thorough reading on Snort. You can download new rules, learn to create custom rules, and more at the official website<ref>[http://www.snort.org Snort - the de facto standard for intrusion detection/prevention]</ref>.
 
+
7. Next click on Convert Unix Users to Samba Users and do just as the title implies.
+
 
+
8. Select Edit Samba Users and Passwords and make sure to enable the accounts you wish to use and disable the accounts you don't wish to use.
+
 
+
9. Then click on Create a New File Share and create a file share via the user you wish to own this share (not root). Make sure that this user has the appropriate permissions to create the share. This is the number one problem users encounter so I will repeat it one more time: Make sure that this user has the appropriate permissions to create the share.
+
 
+
10. Select Security and Access Control and customize the permissions to your needs.
+
 
+
11. Click on Restart Samba Servers and you're done!
+
 
+
----
+
 
+
=== Configuring Apache ===
+
 
+
1. You can configure Apache through Webmin by selecting Servers, then clicking the Apache icon. However, I find it much easier to edit the <font color=red>/etc/apache/httpd.conf</font> file. Everything is clearly documented and virtually idiot-proof.
+
 
+
----
+
 
+
=== Configuring MySQL ===
+
 
+
1. Select Servers, MySQL Database Server, User Permissions, and update the usernames and passwords. Don't delete the default Debian account!
+
 
+
2. Select Backup Databases and set up a backup schedule. This is very, very important (lest you wish to start from scratch)!
+
 
+
3. You can manually add/delete databases, tables, and so on. However, most programs will automatically create their necessary tables and only require that you create an appropriate user.
+
 
+
----
+
 
+
=== Configuring Snort ===
+
 
+
1. Select Servers then Snort IDS. Enable or disable the rules you want. Most rules are enabled by default and will work as such; the rules which are not enabled by default require extensive customization to configure (something I can't cover here).
+
 
+
2. Next select Network Settings and ensure all the port settings are correct.
+
 
+
3. Click on Edit Config File and make sure all your information is correct, including the HTTP_PORTS and RULE_PATH. If you're having trouble with rules not being found, try manually entering the rule path (for example, <font color=red>/etc/snort/rules/local.rules</font>) or completely removing the rule path (for example, local.rules).
+
 
+
4. Restart Snort and you're good to go. I highly recommend you check out http://www.snort.org and do a more thorough reading on Snort. You can download new rules, learn to create custom rules, and more at the official website.
+
  
 +
=References=
 +
<references/>
 
[[Category:Debian]]
 
[[Category:Debian]]
 
[[Category:Howto]]
 
[[Category:Howto]]
 
+
[[Category:Mediaserver]]
<center><font color=red>''Originally by frontalot from linkstationwiki.org''</font></center>
+

Latest revision as of 21:38, 17 August 2011

This article based on work done by Frontalot at Linkstationwiki.org


Background

Webmin[1] is a system configuration tool for Unix-like systems. It has a web-based interface (GUI), independent of any desktop environment, for configuring some of the internals of the operating system. Webmin[2] is largely based on Perl and runs as its own process and web server. It usually uses TCP port 10000 for communication, and can be configured to use SSL if OpenSSL is installed. It is built around modules, each of which has an interface to the config files and an interface to the Webmin server. This makes it easy to add new functionality without too much work. Due to Webmin's modular design, anyone who is interested could write plugins for desktop configuration. Webmin also allows controlling many machines through a single interface, or seamless login on other Webmin hosts in the same LAN. Primarily coded by Australian Jamie Cameron, Webmin is released under the BSD license. Webmin has a sister project called Usermin, which is similar to Webmin[3], but designed for general usage tasks, not just administration tasks.


Install Webmin(FreeLink)

For Debian, Webmin no longer exists in the Stable repository. It was removed some time ago from unstable at the request of the maintainer. As a result it never made it into testing and at present does not exist in Etch (the current Stable)[4].

You can install Webmin from a .deb file from the Webmin site[5] by installing some associated Perl dependencies and then the Webmin package with dpkg.

 wget http://prdownloads.sourceforge.net/webadmin/webmin_1.560_all.deb
 apt-get install libnet-ssleay-perl  openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl apt-show-versions
 dpkg -i webmin_1.560_all.deb 

There is also a really nice theme at StressFree Solutions: the Webmin 'Tiger' theme[6]. It features a graphical look, high colour icons, dropdown menus and an AJAX search tool for locating Webmin modules quickly. It's free, but you should consider supporting the author on his site if you use it. The following commands should install this theme automatically.

 wget http://www.stress-free.co.nz/files/theme-stressfree.tar.gz
 tar -C /usr/share/webmin -xvzf theme-stressfree.tar.gz
 # Edit both config files in place instead of going through a fixed file name in /tmp
 sed -i -e 's@^preroot.*$@preroot=theme-stressfree@' /etc/webmin/miniserv.conf
 sed -i -e 's@^theme.*$@theme=theme-stressfree@' /etc/webmin/config
 /etc/webmin/restart

Installing Modules

Once you have downloaded a new module as a .wbm file, enter the Webmin Configuration module and click on the Webmin Modules button. Then use the form at the top of the page to install the module either from the local filesystem of the server Webmin is running on, or uploaded from the client your browser is on.

Take a look at the Webmin Wiki for more information[7].



Give your clients a boost

Edit your /etc/hosts file to add all LAN and external hosts you plan to log in from. This is optional but will give you a faster connection.

/etc/hosts:

127.0.0.1 Linkstation localhost   # should be there already
192.168.0.100 MyPc1
192.168.0.101 MyPc2
...

Allow your IP address

The file you need to modify is /etc/webmin/miniserv.conf, in particular the allow= or deny= lines. If the allow= line exists, it contains a list of all addresses and networks that are allowed to connect to Webmin. Similarly, the deny= line contains addresses that are not allowed to connect. After modifying this file, you need to run /etc/webmin/stop ; /etc/webmin/start for the changes to take effect. Naturally, the file can only be edited by the root user.

Example:

allow=0.0.0.0

will allow all users from anywhere to log in.

Log in to Webmin as root

using the current root password. The default port is 10000.

Select the Webmin Configuration icon

Adjust the settings. I highly recommend changing the port to something other than 10000, limiting access to your IP address(es), using SSL encryption (disable non-SSL access), enabling password timeouts and session authentication, and using MD5 encryption for passwords.
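
The settings recommended here and in "Allow your IP address" end up in /etc/webmin/miniserv.conf, so they can be checked from the shell. The script below is an added example, not part of the original article: it audits a copy of that file for the default port, disabled SSL, disabled session authentication and an open allow= list. The port, ssl and session key names are miniserv.conf keys not shown on this page, and both sample files (including port 10443) are constructed.

```shell
#!/bin/sh
# Added example: audit a copy of Webmin's miniserv.conf for the hardening
# settings recommended in this article. The sample files are constructed.

# conf_get FILE KEY: print the value of the last "KEY=value" line, if any.
conf_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# audit_miniserv FILE: print one finding per line.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_miniserv() {
    conf=$1
    status=0
    port=$(conf_get "$conf" port)
    ssl=$(conf_get "$conf" ssl)
    session=$(conf_get "$conf" session)
    allow=$(conf_get "$conf" allow)

    if [ "${port:-10000}" = "10000" ]; then
        echo "port: still on the default 10000"; status=1
    fi
    if [ "$ssl" != "1" ]; then
        echo "ssl: SSL is not enabled"; status=1
    fi
    if [ "$session" != "1" ]; then
        echo "session: session authentication is not enabled"; status=1
    fi
    if [ -z "$allow" ]; then
        echo "allow: no allow= list, access is not limited by address"; status=1
    else
        set -f                      # entries such as *.example.com must not glob
        for entry in $allow; do
            case $entry in
                0.0.0.0|0.0.0.0/0|0.0.0.0/0.0.0.0)
                    echo "allow: '$entry' admits every address"; status=1 ;;
            esac
        done
        set +f
    fi
    return "$status"
}

# Constructed sample: a wide-open configuration.
sample_weak() {
    cat <<'EOF'
port=10000
ssl=0
session=0
allow=0.0.0.0
EOF
}

# Constructed sample: non-default port, SSL, sessions, and an allow list
# limited to localhost and the two PCs from the /etc/hosts example.
sample_hardened() {
    cat <<'EOF'
port=10443
ssl=1
session=1
allow=127.0.0.1 192.168.0.100 192.168.0.101
EOF
}

# Demo: audit both samples.
demo_file=$(mktemp)
for sample in sample_weak sample_hardened; do
    "$sample" > "$demo_file"
    echo "== $sample"
    audit_miniserv "$demo_file" || true
done
rm -f "$demo_file"
```

On a real system, point audit_miniserv at a root-readable copy of /etc/webmin/miniserv.conf.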

Ensure everything is correct

Also, select System, then Disk and Network Filesystems, and ensure everything is correct (such as the swap space being enabled).

NOTE: For extra security you can disable Webmin when it's not needed and enable it when it is needed. Use the commands:

 /etc/webmin/stop
 /etc/webmin/start

Look at the Webmin FAQ for more info[8].

Configuring Modules

Configuring Samba

  1. Click on the Servers tab, then click on the Samba icon.
  2. Let's start by configuring some settings and tuning the performance variables. Click on the Unix Networking Options icon. Here is a good base configuration:
    1. Idle time before disconnect - Never
    2. Trusted hosts/users file - None
    3. Network interfaces - Automatic
    4. Keepalive packets - Don't send any Send every Secs
    5. Maximum packet size - Default Bytes
    6. Listen on address - All
    7. Socket options - TCP_NODELAY, IPTOS_LOWDELAY, SO_SNDBUF 4096
  3. Click Save after completing each section. Remember this is only a base configuration and you may need to adjust it for your particular system and needs. Now click on the Windows Networking Options icon. Make sure your correct workgroup is entered. You shouldn't need to change any other settings.
  4. Now click on the Authentication icon. Select yes for encrypted passwords, no to null passwords, and no to change Unix passwords.
  5. Select Miscellaneous Options. The following is a good base configuration:
    1. Debug Level - Default
    2. Cache getwd() calls? - Yes
    3. Lock directory - Default
    4. Log file - Default
    5. Max log size - 1,000 kB
    6. Allow raw reads? - Yes
    7. Allow raw writes? - Yes
    8. Overlapping read size - Default
    9. chroot() directory - None
    10. Path to smbrun - Default
    11. Client time offset - 0 Mins
    12. Read prediction? - No
  6. It may sound incorrect, but do not select read prediction as it actually decreases performance in most situations.
  7. Next click on Convert Unix Users to Samba Users and do just as the title implies.
  8. Select Edit Samba Users and Passwords and make sure to enable the accounts you wish to use and disable the accounts you don't wish to use.
  9. Then click on Create a New File Share and create a file share via the user you wish to own this share (not root). Make sure that this user has the appropriate permissions to create the share. This is the number one problem users encounter so I will repeat it one more time: Make sure that this user has the appropriate permissions to create the share.
  10. Select Security and Access Control and customize the permissions to your needs.
  11. Click on Restart Samba Servers and you're done!

Configuring Apache

  1. You can configure Apache through Webmin by selecting Servers, then clicking the Apache icon. However, I find it much easier to edit the /etc/apache/httpd.conf file[9]. Everything is clearly documented and virtually idiot-proof.

Configuring MySQL

  1. Select Servers, MySQL Database Server, User Permissions, and update the usernames and passwords. Don't delete the default Debian account!
  2. Select Backup Databases and set up a backup schedule. This is very, very important (lest you wish to start from scratch)!
  3. You can manually add/delete databases, tables, and so on. However, most programs will automatically create their necessary tables and only require that you create an appropriate user.

Configuring Snort

  1. Select Servers then Snort IDS. Enable or disable the rules you want. Most rules are enabled by default and will work as such; the rules which are not enabled by default require extensive customization to configure (something I can't cover here).
  2. Next select Network Settings and ensure all the port settings are correct.
  3. Click on Edit Config File and make sure all your information is correct, including the HTTP_PORTS and RULE_PATH. If you're having trouble with rules not being found, try manually entering the rule path (for example, /etc/snort/rules/local.rules) or completely removing the rule path (for example, local.rules).
  4. Restart Snort and you're good to go. I highly recommend you do a more thorough reading on Snort. You can download new rules, learn to create custom rules, and more at the official website[10].

References

  1. Wikipedia:Webmin
  2. Webmin website
  3. Usermin website
  4. Debian Bug report logs - #343897 ftp.debian.org: Please remove all webmin related packages
  5. http://webmin.com/
  6. StressFree Solutions: Webmin 'Tiger' theme
  7. Docs for Webmin
  8. Webmin:Frequently Asked Questions
  9. An Example /etc/apache/httpd.conf
  10. Snort - the de facto standard for intrusion detection/prevention