Webmin to remotely administer your LinkStation

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 03:27, 19 August 2006 by Ramuk (Talk | contribs)

Jump to: navigation, search

This article based on work done by Frontalot at Linkstationwiki.org

Webmin.jpg

Contents

Background

Webmin[1] is a system configuration tool for Unix-like systems. It has a web-based interface (GUI) desktop environment independent, for configuring some of the internals of the operating system. Webmin[2] is largely based on Perl, and is running as its own process, and webserver. It usually uses TCP port 10000 for communicating, and can be configured to use SSL if OpenSSL is installed. It is built around modules, which have an interface to the config files, and an interface to the webmin server. This makes it easy to add new functionality, without too much work. And due to Webmin's modular design, it would be possible, for anyone who is interested, to write plugins for desktop configuration. Webmin also allows for controlling many machines through a single interface, or seamless login on other webmin hosts in the same LAN. Primarily coded by Australian Jamie Cameron, Webmin is released under the BSD license. Webmin has a sister project, called Usermin, which is similar to Webmin[3], only designed for general usage tasks, not just administration tasks.

Install Webmin(FreeLink)

Using Debian's apt-get package installer Install Webmin and its related packages. This will install the core features, the CPAN interface (for installing Perl modules), a java-based file manager, and firewall (iptables) manager. Use the command:

apt-get install webmin webmin-core webmin-cpan webmin-inetd webmin-logrotate webmin-firewall

Install Webmin Modules

  • If you installed OpenSSH:
apt-get install webmin-sshd
  • If you installed Samba:
apt-get install webmin-samba
  • If you installed Apache:
apt-get install webmin-apache webmin-htaccess 
  • If you installed MySQL:
apt-get install webmin-mysql webmin-exim 
  • If you installed Snort:
apt-get install webmin-snort 

Allow your IP address

The file you need to modify is /etc/webmin/miniserv.conf , in particular the allow= or deny= lines. If the allow= line exists, it contains a list of all addresses and networks that are allowed to connect to Webmin. Similarly, the deny= line contains addresses that are not allowed to connect. After modifying this file, you need to run /etc/webmin/stop ; /etc/webmin/start for the changes to take effect. Naturally, the file can only be edited by the root user.

Log in to Webmin as root

using the current root password. The default port is 10000.

Select the Webmin Configuration icon

Adjust the settings. I highly recommend changing the port to something other than 10000, limiting access to your IP address(es), using SSL encryption (disable non-SSL access), enabling password timeouts and session authentication, and using MD5 encryption for passwords.

Ensure everything is correct

Also, select System, then Disk and Network Filesystems, and ensure everything is correct (such as the swap space being enabled). NOTE: For extra security you can disable Webmin when it's not needed and enable it when it is needed. Use the commands:
/etc/webmin/stop
/etc/webmin/start

Look at the webmin faq for more info[4]

Configuring Modules

Configuring Samba

  1. Click on the Servers tab, then click on the Samba icon.
  2. Let's start by configuring some settings and tuning the performance variables. Click on the Unix Networking Options icon. Here is a good base configuration:
    1. Idle time before disconnect - Never
    2. Trusted hosts/users file - None
    3. Network interfaces - Automatic
    4. Keepalive packets - Don't send any Send every Secs
    5. Maximum packet size - Default Bytes
    6. Listen on address - All
    7. Socket options - TCP_NODELAY, IPTOS_LOWDELAY, SO_SNDBUF 4096
  3. Click save after each completing each section. Remember this is only a base configuration and you may need to adjust them for your particular system and needs. Now click on the Windows Networking Options icon. Make sure your correct workgroup is entered. You shouldn't need to change any other settings.
  4. Now click on the Authentication icon. Select yes for encrypted passwords, no to null passwords, and no to change Unix passwords.
  5. Select Miscellaneous Options. The following is a good base configuration:
    1. Debug Level - Default
    2. Cache getwd() calls? - Yes
    3. Lock directory - Default
    4. Log file - Default
    5. Max log size - 1,000 kB
    6. Allow raw reads? - Yes
    7. Allow raw writes? - Yes
    8. Overlapping read size - Default
    9. chroot() directory - None
    10. Path to smbrun - Default
    11. Client time offset - 0 Mins
    12. Read prediction? - No
  6. It may sound incorrect, but do not select read prediction as it actually decreases performance in most situations.
  7. Next click on Convert Unix Users to Samba Users and do just as the title implies.
  8. Select Edit Samba Users and Passwords and make sure to enable the accounts you wish to use and disable the accounts you don't wish to use.
  9. Then click on Create a New File Share and create a file share via the user you wish to own this share (not root). Make sure that this user has the appropriate permissions to create the share. This is the number one problem users encounter so I will repeat it one more time: Make sure that this user has the appropriate permissions to create the share.
  10. Select Security and Access Control and customize the permissions to your needs.
  11. Click on Restart Samba Servers and you're done!

Configuring Apache

  1. You can configure Apache through Webmin by selecting Servers, then clicking the Apache icon. However, I find it much easier to edit the /etc/apache/httpd.conf file[5]. Everything is clearly documented and virtually idiot-proof.

Configuring MySQL

  1. Select Servers, MySQL Database Server, User Permissions, and update the usernames and passwords. Don't delete the default Debian account!
  2. Select Backup Databases and set up a backup schedule. This is very, very important (lest you wish to start from scratch)!
  3. You can manually add/delete databases, tables, and so on. However, most programs will automatically create their necessary tables and only require that you create an appropriate user.

Configuring Snort

  1. Select Servers then Snort IDS. Enable or disable the rules you want. Most rules are enabled by default and will work as such; the rules which are not enabled by default require extensive customization to configure (something I can't cover here).
  2. Next select Network Settings and ensure all the port settings are correct.
  3. Click on Edit Config File and make sure all your information is correct, including the HTTP_PORTS and RULE_PATH. If you're having trouble with rules not being found, try manually entering the rule path (for example, /etc/snort/rules/local.rules) or completely removing the rule path (for example, local.rules).
  4. Restart Snort and you're good to go. I highly recommend you do a more thorough reading on Snort. You can download new rules, learn to create custom rules, and more at the official website[6].

References

  1. Wikipedia:Webmin
  2. Webmin website
  3. Usermin website
  4. Webmin:Frequently Asked Questions
  5. An Example /etc/apache/httpd.conf
  6. Snort - the de facto standard for intrusion detection/prevention