Last week my company was making some server changes which necessitated a security check. Being a start-up, we cannot afford a formal ethical hack/penetration test, so the next best thing is an automated security tool. I tried using Nessus from Windows, but it failed miserably. Upon recommendation from a friend in the security field, we decided to try out the automated testing services offered by Qualys (a review is forthcoming).
Surprisingly enough, when we ran the test, we found a very severe security hole in an unexpected place – Webmin running on this server. Now it turns out that Webmin is well known for having common security issues (see their security page). My surprise was not the security flaw, but rather that we were running an old unpatched version. I promptly called our host, which is Rackspace, to ask them what happened. Since day one when we switched to them, our server has updated the OS on a daily basis, specifically to avoid this scenario. Additionally, we did not install Webmin on the server – rather, Rackspace did before they provisioned it.
Guess what they told me? Since the specific OS that we use does not include Webmin in its official package list, the version of Webmin that they install is a custom package they make by hand. And the worst part – THEY DO NOT UPDATE IT AUTOMATICALLY, nor do they even have a central repository for this kind of stuff – each technician builds the packages themselves. Given that we are paying through the nose for their hosting and support, this was a jarring piece of news, especially considering that this hole has been there for over a year and could have severely compromised our server and, by extension, our business.
So the bottom line – don’t trust your host with everything. And if you are using Rackspace, do ask them about their custom packages and RPMs, especially on enterprise Linuxes such as RHEL since Webmin is installed by default.
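One way to find out for yourself which installed packages fall outside the distribution's update stream, rather than waiting for the host to tell you: on an RPM system every package carries a Vendor tag and (if it came from the distro's repository) a GPG signature, and a hand-built package typically has neither. The script below is an added example, not from the post or from any Rackspace tooling; it filters an `rpm -qa` listing and flags anything unsigned or from a vendor other than the one you trust. The sample listing embedded here is constructed so the script runs offline; on a real host you would feed it the actual `rpm -qa` output shown in the comment.

```shell
#!/bin/sh
# Added example: flag installed RPMs that have no GPG signature or whose Vendor
# is not the distribution's. A package hand-built by a hosting technician
# normally shows Vendor "(none)" and Signature "(none)".
#
# On the real host, run:
#   rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\t%{SIGPGP:pgpsig}\n' \
#       | flag_custom_rpms "Red Hat, Inc."
# and review every line it prints: those packages will not be patched by the
# OS update cron job, whatever the host promises.

# flag_custom_rpms TRUSTED_VENDOR
# Reads tab-separated "name<TAB>version<TAB>vendor<TAB>signature" lines on stdin
# and prints "name<TAB>version<TAB>reason" for each package that is unsigned or
# comes from a vendor other than TRUSTED_VENDOR.
flag_custom_rpms() {
    trusted="$1"
    awk -F '\t' -v trusted="$trusted" '
        {
            name = $1; ver = $2; vendor = $3; sig = $4
            reason = ""
            if (sig == "(none)" || sig == "")   reason = "unsigned"
            else if (vendor != trusted)         reason = "vendor=" vendor
            if (reason != "") printf "%s\t%s\t%s\n", name, ver, reason
        }'
}

# Constructed sample listing (not real output from any host); the key IDs and
# versions are placeholders.
SAMPLE_LISTING="$(printf 'openssh-server\t4.x-1\tRed Hat, Inc.\tRSA/SHA1, Key ID <distro-key>\n'
                  printf 'webmin\t1.x-1\t(none)\t(none)\n'
                  printf 'httpd\t2.x-1\tRed Hat, Inc.\tRSA/SHA1, Key ID <distro-key>\n'
                  printf 'monitoring-agent\t1.0-1\tExample Hosting Ltd\tDSA/SHA1, Key ID <vendor-key>\n')"

# audit_sample: runs the filter over the constructed listing so the result can
# be checked without an RPM database present.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_custom_rpms "Red Hat, Inc."
}

audit_sample
```

On the constructed sample this prints two lines: `webmin` as unsigned and `monitoring-agent` as coming from a different vendor, while the two distribution packages pass. A package that shows up here is exactly the kind the post is about: nothing in `yum update` will ever touch it, so it needs its own update schedule or should be removed.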
P.S. A different solution that was suggested to me is to make Webmin check for updates itself on a regular basis. The only issue we have with that is that I am not sure whether it verifies the digital signatures.
P.P.S. Another solution is to close off Webmin altogether to the outside and use SSH tunnelling. A bit more complicated, but a lot more secure.
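The P.P.S. approach, as an added example that is not from the post or from Webmin itself: bind Webmin's web server to the loopback address so nothing on the network can reach it, then open an SSH local port forward from the admin workstation and browse to Webmin on localhost. It assumes Webmin's server configuration is `/etc/webmin/miniserv.conf` and that it honours the `bind=` and `port=` keys (the file path is passed in as an argument, so the demo below works on a constructed copy).

```shell
#!/bin/sh
# Added example: take Webmin off the network and reach it over SSH instead.
# Assumptions (not verified by the post): Webmin reads /etc/webmin/miniserv.conf,
# listens on the port given by "port=" (default 10000) and binds to the address
# given by "bind=". Restart Webmin after editing (/etc/webmin/restart) and keep
# a host firewall rule dropping the port from outside as a second layer.

# bind_webmin_to_loopback CONF
# Replaces any existing bind= line in CONF with bind=127.0.0.1 and prints the
# resulting bind value. Run as root against the real miniserv.conf.
bind_webmin_to_loopback() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when every line matched, which is not an error here.
    grep -v '^bind=' "$conf" > "$tmp" || true
    echo 'bind=127.0.0.1' >> "$tmp"
    mv "$tmp" "$conf"
    sed -n 's/^bind=//p' "$conf"
}

# webmin_port CONF -> the TCP port miniserv listens on (default 10000).
webmin_port() {
    port="$(sed -n 's/^port=//p' "$1" | head -n 1)"
    echo "${port:-10000}"
}

# tunnel_command CONF SSH_DEST -> the ssh command to run from the workstation.
# -N opens no shell, -L forwards local PORT to 127.0.0.1:PORT on the server,
# so Webmin is then reachable at https://localhost:PORT/ only while the tunnel
# is up and only by someone holding valid SSH credentials.
tunnel_command() {
    port="$(webmin_port "$1")"
    echo "ssh -N -L ${port}:127.0.0.1:${port} $2"
}

# demo: applies the change to a constructed miniserv.conf in a temp file and
# prints the tunnel command an admin would use.
demo() {
    conf="$(mktemp)"
    # Constructed sample config, not a real host's file.
    printf 'port=10000\nbind=0.0.0.0\nssl=1\n' > "$conf"
    echo "bind is now: $(bind_webmin_to_loopback "$conf")"
    tunnel_command "$conf" admin@webmin-host.example
    rm -f "$conf"
}

demo
```

With the service bound to 127.0.0.1, a scanner such as the one in the post sees no Webmin port at all, and an unpatched Webmin is only exploitable by someone who already has SSH access to the box, which is a far smaller exposure than the whole Internet.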