The magazine of the Melbourne PC User Group
Using Webmin for System Administration
Les Bell
Les Bell writes about a powerful Linux administration tool created by Melbourne
developer Jamie Cameron.
Windows users migrating to Linux often find the freedom of editing ASCII
configuration files somewhat intimidating. You can put literally anything in
those files, ranging from absolute gibberish to lines with plausible-looking -
but incorrect - syntax. Occasionally, by sheer dumb luck, and reference to lots
of books, HOW-TOs and man pages, one might hit the right combination and get
something to work. There are no wizards, no dialogs and not much online help to
keep you on the straight and narrow. Or if there are, switch distributions and
everything will look different.
Enter Webmin, a Web-based system administration tool created by Jamie Cameron, a
Mount Waverley (VIC) based programmer. Webmin provides a consistent interface
for administration of the various parts of a *ix system.
Webmin is written in Perl, so it is architecture-independent, and runs on most
Linux distributions, as well as FreeBSD, AIX and Solaris, making it attractive
to big-system administrators.
Installation
For an RPM-based distribution like Red Hat, Caldera, SuSE, Lycoris, etc. the
simplest way to install Webmin is to download the latest RPM package (currently
Webmin-1.070-1.noarch.rpm) and then, as root, give the command:
    rpm -ivh Webmin-1.070-1.noarch.rpm
If you are not using an RPM-based distribution, you can download a tarball.
At the end of the installation, you can fire up your Web browser, and point it
to http://localhost:10000
You should see a blue login screen. Log in as root, with your regular root
password. Once you have logged in, you will see the Webmin main page. Across the
page, just below the top, is a row of icons which represent the various
top-level pages in Webmin: Webmin (for configuring Webmin itself), System (for
basic system configuration), Servers, Networking, Hardware, Cluster and Others.
Figure 1. Webmin enables you to control who has access to which administration modules.

Figure 2. The Webmin “System” page enables basic system configuration.
On the Webmin page you will see icons for "Usermin Configuration" (Usermin is a
companion program that enables users to manage some of their own settings), "Webmin
Actions Log", "Webmin Configuration", "Webmin Servers Index" (enables you to
manage multiple machines using Webmin) and "Webmin Users" (enables you to create
user accounts within Webmin, and allow them restricted access to only certain
Webmin pages).
However, the real meat is on the other top-level pages. Just click on the
"System" tab, and you'll see a range of icons that let you perform system
management tasks such as creating and managing users, doing tape backups,
setting up disk quotas, mounting and demounting file systems, and much more.
Webmin very nicely takes care of many of the low-level routine configuration
tasks that trouble Linux novices, such as management of user accounts, creating
cron jobs and setting up DHCP servers. I find it especially useful for people
getting started with that traditional ogre, sendmail - the Webmin sendmail
configuration pages have lots of online help which provide a good introduction
to the mail server (of course, Webmin supports Postfix and qmail as well).
On its Servers page, Webmin has modules for all the major - and a few minor -
servers you'll encounter in typical Linux systems: Apache, BIND, dhcpd,
Fetchmail, Majordomo, MySQL, Postfix, PostgreSQL, Procmail, qmail, SSH, Samba,
Sendmail, Squid, wu-ftpd. There's also support for some less common, but rather
interesting daemons, like the Jabber instant messaging server, CVS (including
integrated CVSWeb) and the Majordomo mailing list manager. The BIND module
illustrates how Webmin can save time even for experienced administrators; it
maintains both forward and reverse zone files automatically, saving the tedious
transposition of IP addresses.
The Networking page enables basic network configuration (interfaces, routing,
the DNS resolver, hosts file) as well as more advanced options: NFS exports,
inetd/xinetd services, a PPP dial-in server and some security-related options:
SSL tunnels and both iptables-based and Shorewall firewalls.
The Hardware page enables configuration of LILO or GRUB boot loaders, and
sophisticated disk management: you can manage conventional partitions as well as
creating RAID partitions and/or using logical volume management. Also on this
page, you'll find links for CD burning, printer administration and voice mail
server setup.
The Others page contains some interesting general-purpose tools: the Custom
Commands module lets you run your own commands and scripts, while Command Shell
lets you run ad-hoc commands. The System and Server Status page can monitor
services and e-mail or page you when they go down. Two of the modules download
Java applets to your browser: the File Manager gives you a familiar
two-panes-plus-toolbar interface for file management, while the SSH/Telnet Login
module will download a terminal emulator to your machine, should you need a
command line interface (by now, though, you should be beginning to realise that
you won't need the command line often, with Webmin!).
Figure 3. Webmin makes at least some sense of all the cryptic options in /etc/sendmail.cf

Figure 4. Even complex functions like Logical Volume Management are simpler with Webmin.
Finally, the Cluster page is a recent addition to Webmin. It allows you to
combine multiple machines into a cluster and perform some management tasks
across them all simultaneously, such as managing users/groups and maintaining
software packages. There is also a module for configuring a heartbeat monitor
for automatic failover, allowing basic HA (High Availability) configuration.
Basically, Webmin is a great set of training wheels for novice administrators -
I've used it in networking classes where people who had never seen Linux before
were setting up quite complex intranets, and they loved it! However, even
experienced administrators sometimes need to get a new service running for the
first time, and Webmin can be very helpful here.
Advanced Features
There are many other reasons why even the most experienced administrators will
enjoy Webmin, though.
Webmin can function as a proxy - you can make an encrypted connection to a
firewall and then, through it, manage machines on the intranet behind the
firewall. This is great if you are providing management services for clients,
branch offices or even family members!
The Custom Commands module lets you run your own scripts and have the output
sent back as a Web page. I use this feature to remotely manage Lotus
Domino servers, display network statistics, etc.
You want a command line, but are on a borrowed Windows machine? Webmin
incorporates a Java Telnet (or better still, SSH) client, that will download to
your browser and run automatically. This won't always work - one reason I use
Webmin is that I am sometimes working on the inside of other people's firewalls
and can't SSH to my office systems because the firewall blocks the SSH protocol.
However, everyone allows access to the Web, and so I can use Webmin for most
administration tasks. But if the SSH protocol is blocked, then this applet won't
work. Oh well, can't have everything, I guess.
Administration of user accounts on Samba servers is greatly simplified: Webmin
can be configured to automatically synchronize users' Linux/UNIX and Samba
passwords, so that there is no need to deal with the smbpasswd command. This
synchronization feature also extends to automatic creation of SSH keys when
users are added.
The use of Webmin user accounts (not to be confused with UNIX user accounts)
enables you to delegate some system administration tasks without sharing the
root password, and Webmin logs who changed what, and when.
Finally, Webmin overcomes one other design issue that makes some other admin
tools completely unusable:
Webmin directly edits the files in /etc and does not maintain its own
configuration database. There is no problem with doing some tasks via Webmin and
others via a shell prompt and vi. So you can use Webmin to get started, then go
in and "get down and dirty" with the configuration files, and nothing will
break.
But Wait! - There's More!
Realizing that many of the features in Webmin would be attractive to users,
Jamie Cameron has gone on to create Usermin. This provides a Web interface that
allows users to change their passwords, edit their own login scripts,
deal with e-mail, edit files, set up cron jobs and so on. Webmin includes a
module which allows administrators to configure and manage Usermin, so you can
restrict the level of autonomy that users have.
The combination of Webmin and Usermin works really well, and significantly
reduces admin workload.
Then there are the third-party modules - 227 of them at last count. These cover
all kinds of subsystems, such as LDAP user administration, fax server
configuration, Snort IDS configuration - you name it. Most are free and GPL
licensed, some are commercial, and of course quality is variable, but the
chances are that whatever you want to manage, there's a Webmin module for it.
And there are also downloadable themes, so you can change the appearance of your
Webmin pages!
Security
Webmin is pretty much forced to run as root, since many of the administration
tasks it performs (editing files in /etc, restarting daemons, etc.) can only be
performed with root privileges.
Make sure that you choose strong pass phrases for your Webmin accounts. If
someone can guess or otherwise acquire your Webmin password, they can use it to
reconfigure your system. The HTTP protocol will pass your password in every
request, as plain text that can be sniffed using a variety of tools. This might
be an acceptable risk on a small LAN, but on Internet-accessible hosts, Webmin
access should be via SSL.
To enable SSL, you will need to install the Net::SSLeay Perl module. The easiest
way to do this is via the Perl CPAN module:
If this is the first time you have used this module, you will have to answer a
series of configuration questions. In almost all cases, you can just press Enter
to accept the defaults - the exception is where you specify your location and
select the CPAN mirrors you want to access. Once you get to the CPAN shell
prompt, give the command:
This will download and compile, then install, the Net::SSLeay module. If it
fails its tests because one of the SSL servers it wants to use for test purposes
is not operational, then use the command:
    force install Net::SSLeay
Once the Net::SSLeay module has been installed, you should go to the Webmin
configuration page, and turn on SSL support. Because Webmin uses a self-signed
certificate by default, the first time you log in using an https:// URL, your
browser will complain about the certificate it presents - but you can tell the
browser to accept this certificate in the future and all will be well.
I strongly recommend that you subscribe to the Webmin mailing list, so that you
will be advised as soon as any vulnerability is discovered. Should you become
aware of a vulnerability, you should immediately upgrade to a fixed version, or
disable Webmin for the meantime. For example, a vulnerability was discovered in
Webmin versions up to and including 1.060 and so all users should upgrade to at
least 1.070. However, there is nothing to suggest that this vulnerability was
ever exploited by anyone, or indeed, that an exploit exists.
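A pre-exposure check built from the two requirements in this section, as an added example that is not part of the original article: it reads the version out of an RPM file name, compares it with the 1.070 floor stated above, and tests whether Perl can load Net::SSLeay. The function names are hypothetical, and the comparison assumes Webmin version numbers order as decimals.

```sh
#!/bin/sh
# Added example (not from the article): checks to run before exposing Webmin.
MIN_FIXED="1.070"   # from the article: versions up to and including 1.060 are vulnerable

# Print the version embedded in a name like Webmin-1.070-1.noarch.rpm,
# or nothing if the name does not follow that pattern.
version_from_rpm_name() {
    printf '%s\n' "$1" |
        sed -n 's/^[Ww]ebmin-\([0-9][0-9]*\.[0-9][0-9]*\)-.*\.rpm$/\1/p'
}

# Return 0 if version >= MIN_FIXED, 1 if older, 2 if it cannot be parsed.
# Assumption: Webmin versions order as decimals (1.060 < 1.070 < 1.100).
version_is_fixed() {
    case "$1" in
        ''|*[!0-9.]*|*.*.*|.*|*.) return 2 ;;   # fail closed on odd input
    esac
    awk -v v="$1" -v min="$MIN_FIXED" 'BEGIN { exit !(v + 0 >= min + 0) }'
}

# Return 0 if Perl can load Net::SSLeay, the module Webmin needs for SSL.
ssleay_available() {
    perl -MNet::SSLeay -e 1 >/dev/null 2>&1
}

# Print one line per check; return non-zero if anything needs attention.
audit_webmin() {
    ver="$1"; st=0; findings=0
    version_is_fixed "$ver" || st=$?
    case $st in
        0) echo "OK: Webmin $ver is at or above $MIN_FIXED" ;;
        1) echo "UPGRADE: Webmin $ver is older than $MIN_FIXED"; findings=1 ;;
        *) echo "UNKNOWN: cannot parse version '$ver'"; findings=1 ;;
    esac
    if ssleay_available; then
        echo "OK: Net::SSLeay loads; SSL can be turned on in Webmin Configuration"
    else
        echo "WARN: Net::SSLeay missing; Webmin logins would use plain HTTP"
        findings=1
    fi
    return $findings
}

# Usage: sh check.sh Webmin-1.070-1.noarch.rpm   (script name is a placeholder)
if [ $# -gt 0 ]; then
    audit_webmin "$(version_from_rpm_name "$1")"
fi
```

An unparseable version is reported as a finding rather than passed, so a renamed or unexpected package file never produces a false "OK".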
Conclusions
For my money, as someone who spends a lot of time teaching Linux to novice
system administrators, Webmin is the greatest thing since sliced bread. There is
no doubt that the more you know about Linux (or UNIX) the more you can do - but
all that training takes time, and in the meantime, your employer wants results
now. Webmin can get novices started quickly - but its advanced features offer
some unique benefits that will keep the experienced administrator using Webmin,
too.
I don't rate software in terms of stars, but for Webmin, I'll make an exception:
Five Stars!
Webmin (and Usermin) can be downloaded from http://www.webmin.com.
About the Author
Les Bell is a Sydney consultant, lecturer and author who designs Linux-based
intranets and business applications. When he's not teaching Linux courses for
IBM or ALC Training, he also works in the area of information assurance (the new
term for computer security). He particularly likes single malt Scotch whiskies.
Reprinted from the May 2003 issue of PC Update, the magazine of Melbourne PC
User Group, Australia