In last week's article, we installed the Webmin utility; this week, I want to start by configuring Webmin for secure access, then take a peek at some of the powerful features that come with the Webmin modules.
Open up your web browser and type in the URL you use to access your Webmin server. Once you've been authenticated, you should see this screen in your web browser.
By the way, most of the screenshots I'm using come from Joe Cooper's Webmin User's Guide. Joe's site is well worth reading through if you want to learn more about using Webmin. The rest of the screenshots are from Webmin's homepage.
Let's start with the "Webmin Configuration" hyperlink. This is where you'll be able to configure most of the additional security measures, which will be especially useful if you are accessing your Webmin server over the Internet. You'll want to poke about yourself, but here's a quick summary of the security-related options:
IP Access Control: If you always access your Webmin server from the same computer or group of computers, you can tell Webmin to accept connections only from those computers. The default is to accept connections from any computer in the world that happens to know your IP address or FQDN and Webmin port number.
Port and Address: If your computer has more than one IP address, Webmin will bind its port to all IP addresses, meaning it will be listening for requests on all the NICs on the computer hosting the Webmin server. If you don't want it to do that, you can tell Webmin which IP address to listen on. For example, if your Webmin server has an interface connected to your LAN and another interface connected to the Internet, you can use this screen to only bind the Webmin port to the NIC attached to your LAN. This will restrict Webmin access to computers from within your LAN. Also, if you ever want to change the listening port number, this is where you do it.
Logging: It is always good practice to log connections, and then take the time to actually read the logs. By doing this, you will know if anyone other than yourself is trying to access your Webmin server. By default, logging is disabled; use this screen to enable it. Note the location of the log files. You may want to create a cron job to mail the log to the root user account on a daily basis.
Proxy Servers: If your Webmin server is located behind a firewall, you may need to configure the IP address of the firewall in order for users to access certain modules on your Webmin server.
SSL Encryption: If you didn't install Webmin with SSL support, this is where you can enable this support if you later decide to. Again, this is strongly recommended if you are accessing Webmin over the Internet.
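The four settings above can also be checked from the command line. The script below is an added example, not part of the original article: it assumes the settings are stored as key=value lines using the key names from Webmin's miniserv.conf (bind, allow, ssl, log), and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example: flag Webmin listener settings that leave the server exposed.
# Reads key=value text on stdin; key names follow Webmin's miniserv.conf.

audit_webmin_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = $0; sub(/=.*/, "", key)        # text before the first "="
            val = $0; sub(/^[^=]*=/, "", val)    # text after it
            conf[key] = val
        }
        END {
            if (conf["ssl"] != "1")
                print "WARN ssl: SSL is off, so logins cross the network unencrypted"
            if (conf["allow"] == "")
                print "WARN allow: no IP access control, any host may connect"
            if (conf["bind"] == "" || conf["bind"] == "0.0.0.0")
                print "WARN bind: listening on every interface"
            if (conf["log"] != "1")
                print "WARN log: connection logging is disabled"
        }'
}

weak_conf() {        # constructed sample: no SSL, no access control, no logging
    cat <<'EOF'
port=10000
ssl=0
log=0
EOF
}

hardened_conf() {    # constructed sample: LAN-only, restricted, encrypted, logged
    cat <<'EOF'
port=10000
bind=192.168.1.10
allow=192.168.1.20 192.168.1.21
ssl=1
log=1
EOF
}

echo "weak:";     weak_conf | audit_webmin_conf
echo "hardened:"; hardened_conf | audit_webmin_conf
```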
Note: If you ever screw up your configuration and are no longer able to access your Webmin server, all is not lost. Become the superuser on the computer running Webmin, look for and then edit the offending configuration in the
Now, let's "Return to index" and click on the "Webmin Users" link. You should see something like this, with the user you created next to a listing of all the Webmin modules that user is allowed to access. If you ever decide to give another user access to your Webmin server, you have very fine control over what that user will be able to view and modify. For example, if you click on the "Sendmail Configuration" link, you can specify which configuration files that user can modify, and whose e-mail he is allowed to read.
If you spend some time clicking on the modules in this section, you'll get an idea of what you're capable of doing to the FreeBSD computer running the Webmin server. Aren't you glad you created a non-intuitive username and hard to guess password, and you're reading the logs of all connection attempts?
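Reading the connection log is easier when your own addresses are filtered out first. The script below is an added example, not part of the original article: it assumes the Webmin log is written in Common Log Format, the admin address and log lines are constructed, and the log path in the cron comment is a placeholder.

```shell
#!/bin/sh
# Added example: list Webmin clients that are not your own admin hosts.
# Assumes Common Log Format: host ident user [time] "request" status bytes.

unknown_clients() {  # $1 = space-separated admin addresses; log on stdin
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) mine[k[i]] = 1 }
        NF < 2 || ($1 in mine) { next }          # skip junk and known hosts
        {
            hits[$1]++
            if ($(NF-1) == 401) denied[$1]++     # 401 = authentication refused
        }
        END {
            for (ip in hits)
                printf "%s requests=%d denied=%d\n", ip, hits[ip], denied[ip]
        }' | sort
}

sample_log() {       # constructed log lines, documentation address ranges
    cat <<'EOF'
192.168.1.20 - admin [10/Mar/2002:09:01:12 -0500] "GET / HTTP/1.0" 200 4312
203.0.113.7 - - [10/Mar/2002:09:14:40 -0500] "GET / HTTP/1.0" 401 0
203.0.113.7 - - [10/Mar/2002:09:14:43 -0500] "GET / HTTP/1.0" 401 0
198.51.100.23 - - [10/Mar/2002:11:30:02 -0500] "GET / HTTP/1.0" 200 1290
192.168.1.20 - admin [10/Mar/2002:13:45:51 -0500] "GET / HTTP/1.0" 200 8120
EOF
}

# Daily cron use (log path is a placeholder):
#   unknown_clients "192.168.1.20" < /path/to/webmin.log | mail -s "Webmin clients" root
sample_log | unknown_clients "192.168.1.20"
```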
Now let's see what type of work we can do from the Webmin interface. Return to the index and click on the "System" tab, which should give you something like this. Let's start by clicking on the "Software Packages" link. You should receive the graphical equivalent of the pkg_info command. Now click on one of your packages to read its description and the date it was installed. Those who've been around FreeBSD for a while may not be impressed, as this is the equivalent of cd-ing into that port's directory and doing a more pkg/DESCR. Try clicking on the "List Files" button. Ever install a port and wonder where it put everything and what all it created on your FreeBSD system? Wonder no more, as you now have a list of all the files that were installed with that port, as well as their locations, size, and ownership.
Once you're finished poking about, return to the index and click on the "Running Processes" hyperlink. This is just a graphical output of the ps command, but I love its layout. All running processes can be sorted by PID, user, memory, and CPU. If you sort by PID, you'll receive a tree-like structure, with every child process slightly to the right of its parent process. Each process has a hyperlink to further details about that process. If you need to send a signal to a process, you can click on the TERM button to choose the type of signal. (Do a man 1 kill to learn more about signals -- and never kill a process if you don't know what that process does.)
Return to the index and click on the "Scheduled Cron Jobs" hyperlink to see something like this. You will receive a listing of all users' cronjobs. You can edit and create new cronjobs using this interface. If you are a visual person, you may find it easier to click on the desired time slots rather than remembering where to place the right number in vi using the
Return to the index and click on "Users and Groups." If you haven't yet figured out what users and groups get installed with FreeBSD, here's your chance to see them all. Click on an existing user to see their details. Note that you can change a user's login shell or home directory and set password restrictions and account expiry from this screen. Go back a screen and click on "Create a new user." You have more options in this screen than in the equivalent
The last link I want to look at in the System tab is "System Logs." If you click on this link, you'll get a listing of all your system logs and their locations. If you click on one of the logs, you can set its logging facilities and priorities. Even handier, you can click the "View logfile" button. It will display the last 20 lines by default, but you can change this by typing in another number and pressing the "Refresh" button.
Return to the Index and click on the "Servers" tab. This is where you'll see that Webmin is a utility you can grow into as you learn more about your FreeBSD system. As you learn how to build and administer Apache Web servers, BIND DNS servers, MySQL database servers, Samba servers, and Squid proxy servers, you'll have a nice GUI interface to access their configuration files either locally or remotely. None of the servers I just mentioned are built by default, but they can all be added using FreeBSD's ports collection.
I would like you to click on the hyperlink for "Sendmail Configuration," as a working Sendmail server is installed with your FreeBSD system. You should get a screenful of configuration hyperlinks; however, you won't want to muck about with these unless you know what you're doing. For now, you might just want to take note that each hyperlink is much more user-friendly than the sendmail configuration file.
The hyperlink I'd like to look at is the one labeled "User Mailboxes." When you click on this link, you'll receive a table showing all users and how much mail (in bytes) is in their mailbox. Very handy to see which users on your system aren't deleting their mail. If you click on a user, you will see all of their e-mail messages. You can click on a message to read, reply, forward, or delete it. This could provide a very handy way for users to access their e-mail from a browser on any computer with an Internet connection. It would just be a matter of creating another username and password to the Webmin server, and removing that user from all modules except "Sendmail Configuration" in the "Webmin Users" link under the "Webmin" tab. Don't forget to change all the default yes-es to no-s and only give them permission to read their own e-mail.
Let's return to the Index and click on the "Hardware" tab. Then click on "Network Configuration," then "Network Interfaces." This screen shows your current configurations and which interfaces are configured to run at boot time. If you click on an interface, you can change its IP address, subnet mask, and toggle its status as being up or down. If you return to the "Network Configuration" screen, you'll also see hyperlinks to change your default gateway, edit /etc/resolv.conf, and edit /etc/hosts via a GUI screen.
Let's return to the Index and click on the "Webmin" tab and the "Webmin Configuration" hyperlink, then the "Webmin Modules" link. If you scroll down to the bottom half of the screen, you'll see all of the currently installed Webmin modules. If you see any modules that you don't plan on using, you can mark and delete them; they will no longer show up in your browser when you access the Webmin server.
You can also install new modules from this screen. If you surf over to ThirdPartyModules.com, you'll get a description of modules you can install. This site is nicely laid out, as the modules have been organized into the Webmin tabs they will be installed into. The modules themselves are very small files that end with a *.wbm extension. One of my favorite add-on modules is the "Network Utilities" module that installs into the "Networking" tab. This is how I installed it:
In Netscape, I right-clicked the module to save it into this directory. I then went back to the "Webmin Modules" link, and clicked the ellipse (the button with
To see if it worked, I clicked on the "Networking" button, and I had a new hyperlink to click on. When I enter this screen, I get hyperlinks to the dig utilities, as well as a handy IPv4 subnet calculator. If I scroll down a bit further, I have the option of typing in an IP address or hostname; I can then Ping It! Trace It! Look Up! Scan It! or Dig It! Note that the nmap utility is the only one that is not installed by default with your FreeBSD system. If you wish, you can build it from the ports collection; please keep in mind that you can get yourself into legal trouble if you nmap hosts other than those in your own network.
Not only can you easily add modules to your Webmin server, you can also upgrade your entire Webmin server without losing your customized configurations. Go back one screen and click on the "Upgrade Webmin" hyperlink to find the screen that allows you to do this.
Hopefully this article has piqued your interest in this powerful utility. We've also covered some concepts that may be new to you. In the next few articles I want to take a deeper look at how FreeBSD manages your system log and at what processes are and how to manipulate them.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Copyright © 2009 O'Reilly Media, Inc.