A 26 MB Linux Panel, 28‑Year Legacy, Over 1 Million Deployments: Manage Servers Entirely via Browser, No SSH
The article presents a detailed analysis of Webmin, an open‑source Linux server‑management panel that runs with only ~100 MB memory, offers 116 native modules for full‑stack operations, compares its transparent architecture and low system intrusion against packaged panels, outlines known CVE vulnerabilities, provides a four‑step hardening guide, and includes step‑by‑step installation commands.
Core Architecture
Webmin is a Perl‑based server‑management panel. The installation package is 26 MB, idle RAM usage is about 100 MB, and CPU consumption is near zero without requests. It reads and writes native system configuration files directly (e.g., /etc/passwd, /etc/nginx/conf.d, iptables/nftables rules) without an intermediate layer, so uninstalling leaves the original system untouched. The project is released under the BSD license, provides 116 official modules that are extensible, and has three official derivative projects:
Virtualmin: a hosting‑oriented suite on top of Webmin, comparable to cPanel, supporting multi‑site, email, DNS, and batch management; deployed in over 150k installations worldwide.
Usermin: a lightweight version for regular users, exposing only password changes, mail, and file management without system‑level operations.
New UI in 2.6xx Series
Version 2.6xx replaces the legacy gray‑table interface with the “Authentic Theme”. Features include dark/light mode toggle, rounded buttons, spacious layout, Canvas‑rendered real‑time CPU/memory/disk charts, a collapsible left sidebar, and a global search box that jumps directly to modules such as firewall, Nginx, or cron jobs. The UI is fully responsive on mobile browsers.
Built‑in tools:
Filemin: HTML5 file manager with drag‑and‑drop upload, batch delete/unzip, and right‑click editing of configuration files.
Xterm.js: in‑browser terminal providing a complete shell for log viewing and command execution.
Official Module Coverage
Modules are grouped into three categories.
System‑level management: user/group creation (single or CSV batch), native apt/yum/dnf package management, cron job editor with syntax validation and failure notifications, hardware monitoring (process kill, disk partition, SMART health, log search).
Service deployment: Nginx/Apache virtual host configuration, SSL certificate handling, reverse proxy, MPM tuning, database management (MySQL/MariaDB, PostgreSQL) with graphical schema creation and bulk SQL execution, mail/DNS services (BIND, Postfix/Sendmail, Dovecot), file and secure transfer services (ProFTPD, SAMBA, Fail2Ban), enterprise services (DHCP, LDAP, NIS).
Network & security: native support for iptables, firewalld, nftables (v2.640), visual firewall rule editing, IP configuration, real‑time bandwidth monitoring, built‑in ACME client for Let’s Encrypt certificates.
Security Risks and Hardening
Two high‑severity post‑authentication vulnerabilities have been disclosed:
CVE‑2024‑12828 – CGI command injection allowing root escalation.
CVE‑2025‑2774 – CRLF injection leading to remote privilege escalation.
Both require a successful panel login; patches were released within days, reducing exposure compared with panels that expose unauthenticated RCE bugs.
Recommended hardening steps:
Change the default port 10000 to a random five‑digit port.
Enable two‑factor authentication (Google Authenticator or Authy).
Deploy trusted SSL certificates via the built‑in ACME client, replacing self‑signed certificates.
Restrict access with an IP whitelist (office or mobile IPs only).
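As an added example (not Webmin's own tooling and not part of the original article), the script below audits a miniserv.conf for the port, two-factor and allowlist steps and for whether TLS is enabled at all; it does not check whether the certificate is trusted. The key names port, ssl, allow and twofactor_provider are assumptions about the miniserv.conf format and should be confirmed on the installed version.

```shell
#!/bin/sh
# Added example: audit a Webmin miniserv.conf against the hardening steps.
# Key names (port, ssl, allow, twofactor_provider) are assumptions about the
# miniserv.conf format; confirm them on the installed version.

# conf_get FILE KEY: print the value of KEY (last occurrence wins).
conf_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# audit_miniserv FILE: print one line per finding, return the finding count.
audit_miniserv() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 99; }

    port=$(conf_get "$conf" port)
    if [ "${port:-10000}" = "10000" ]; then
        echo "FAIL port: listening on the default 10000"
        findings=$((findings + 1))
    fi
    if [ "$(conf_get "$conf" ssl)" != "1" ]; then
        echo "FAIL ssl: TLS is not enabled for the panel"
        findings=$((findings + 1))
    fi
    if [ -z "$(conf_get "$conf" twofactor_provider)" ]; then
        echo "FAIL 2fa: no two-factor provider configured"
        findings=$((findings + 1))
    fi
    if [ -z "$(conf_get "$conf" allow)" ]; then
        echo "FAIL allow: no IP allowlist, any source address may connect"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling a fresh install (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
port=10000
ssl=1
keyfile=/etc/webmin/miniserv.pem
EOF
audit_miniserv "$sample" || echo "findings: $?"
rm -f "$sample"
```

A configured two-factor provider only means the feature is available; whether each login account has actually enrolled has to be checked separately.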
Side‑by‑Side Comparison
Webmin – native read/write of system config, very low system intrusiveness (no residue after uninstall), medium site‑building ability (manual site setup), very strong low‑level ops (116 modules), suited for ops engineers and multi‑server admins; UI is engineering‑focused with a steep learning curve.
宝塔 / aaPanel – encapsulated middle layer, very high intrusiveness (modifies system paths), very strong one‑click LNMP/WP site building, weak low‑level ops (core logic hidden), suited for site owners and beginners; frequent unauthenticated RCE vulnerabilities.
Cockpit – systemd native integration, zero intrusiveness, no site‑building ability, basic monitoring only, suited for simple monitoring and container ops; lacks web, DB, DNS management.
Virtualmin – Webmin‑based suite, low intrusiveness, very strong hosting‑oriented site building (cPanel‑like), inherits Webmin capabilities, suited for hosting providers and multi‑customer virtual hosts; pure hosting experience weaker than commercial cPanel.
Installation Guide
Prerequisites: Perl 5.10+ installed; supports Ubuntu/Debian/CentOS/RHEL.
Download the official package from https://webmin.com/download and install:
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sh setup-repos.sh
apt update && apt install webmin -y
For CentOS/RHEL:
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sh setup-repos.sh
dnf install webmin -y
Access the panel at https://server-ip:10000 using root credentials, then apply the four hardening steps before using business modules.
Typical Combination
Some operations teams run Webmin together with a container‑focused panel (e.g., 1Panel). Webmin handles low‑level tasks (firewall, accounts, disks, cron, security) while the other panel provides container management and one‑click site deployment. The panels do not conflict.
Resources
Official documentation: https://webmin.com/docs
Community forum: https://forum.virtualmin.com
GitHub repository: https://github.com/webmin/webmin
AI Architecture Path
Focused on AI open-source practice, sharing AI news, tools, technologies, learning resources, and GitHub projects.
