I am strongly against webmin use in a production environment
but that’s just me… If you are one of the folks who uses webmin for fun or profit and it is exposed to the intertubes take note:
https://sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/
I strongly recommend that if you DO want to use Webmin you change the port it runs on
sed -i ‘s/10000/23765/g’ /etc/webmin/miniserv.conf&&service webmin restart
for example, you will avoid the drive-bys and your firewall would have already caught the port scanners, right? And of course keep your software updated, Webmin now at 1.7
A firewall isn’t going to stop somebody with access to the nmap man page and about an hour to read through the options.
As I said already a decent firewall will notice nmap pointed at it within “name that tune . . .” iterations, It’s called “port-scanning”
Don’t open Webmin to the Internet. Keep it at the most current version. If extra paranoid, start and stop it as needed.
I tried your MitM attack against my firewall which created in iptables among other port specific protections:-
CONNLIMIT tcp opt – in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:23765flags: 0x17/0x02 #conn src/32 > 1
I don’t believe the stealthy guy got much back from me, perhaps you know better.