Webmin: The Complete Setup Guide
Install Webmin on Debian/Ubuntu and RHEL-family Linux, configure core modules, and harden it with TLS, 2FA, and IP restrictions for production use.
Before you start
- ▸A Linux server with a non-root sudo user or root access
- ▸A fully qualified domain name (FQDN) pointing to the server if you want Let's Encrypt TLS
- ▸Outbound HTTPS access from the server to download the Webmin repository
- ▸Basic familiarity with systemd and your distribution's package manager
Webmin is a browser-based system administration panel that exposes most of what you'd otherwise do on the command line — user accounts, package management, DNS, cron, firewalls, SSL certificates — through a structured web UI. It is not a replacement for understanding Linux, but it is a legitimate productivity tool for managing servers, especially when you're handling a mix of tasks across multiple machines. This guide walks through installation on Debian/Ubuntu and RHEL-family systems, initial hardening, and a tour of the modules you'll actually use.
Adding the Webmin Repository
Webmin maintains its own signed repository. Installing from it — rather than a downloaded .deb or .rpm — means you get automatic updates through your normal package manager.
Debian and Ubuntu
curl -fsSL https://download.webmin.com/jcameron-key.asc \
| sudo gpg --dearmor -o /usr/share/keyrings/webmin.gpg
echo "deb [signed-by=/usr/share/keyrings/webmin.gpg] \
https://download.webmin.com/download/repository sarge contrib" \
| sudo tee /etc/apt/sources.list.d/webmin.list
sudo apt update && sudo apt install -y webmin
Note: The suite name sarge is intentional — Webmin has used that label since its Debian packaging began and has not changed it. It works correctly on all modern Debian and Ubuntu releases.
Fedora, RHEL, Rocky Linux, and AlmaLinux
sudo tee /etc/yum.repos.d/webmin.repo <<'EOF'
[Webmin]
name=Webmin Distribution Neutral
baseurl=https://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=https://download.webmin.com/jcameron-key.asc
EOF
sudo dnf install -y webmin
On RHEL 8/9 and clones, you may need the perl package group if Perl is not already present:
sudo dnf install -y perl
Starting and Enabling the Service
Webmin installs and registers a systemd unit named webmin.
sudo systemctl enable --now webmin
sudo systemctl status webmin
You should see active (running). Webmin listens on TCP port 10000 by default.
Opening the Firewall
Pick the command that matches your active firewall. Only do this if you intend to access Webmin remotely; for local-only access, skip this section and use an SSH tunnel instead (covered below).
firewalld (Fedora, RHEL family)
sudo firewall-cmd --permanent --add-port=10000/tcp
sudo firewall-cmd --reload
ufw (Ubuntu / Debian)
sudo ufw allow 10000/tcp
sudo ufw reload
nftables (manual setup)
sudo nft add rule inet filter input tcp dport 10000 accept
Make that rule persistent by adding it to your /etc/nftables.conf ruleset.
First Login
Open a browser and navigate to:
https://YOUR_SERVER_IP:10000
Webmin generates a self-signed TLS certificate on installation, so your browser will warn you. Accept the exception for now — you'll replace this certificate shortly. Log in with the root account or any user with sudo privileges that Webmin has been configured to accept. On most systems, root works immediately.
If root login is disabled on your system, Webmin can authenticate via PAM. Navigate to Webmin → Webmin Users and add a Unix user with full or scoped privileges.
Core Modules Worth Knowing
Webmin organises functionality into modules across several top-level categories. These are the ones you'll reach for most often:
- System → Software Packages — Search, install, and remove packages through APT or DNF, depending on the host OS.
- System → Users and Groups — Create and manage local users, set passwords, control group membership and shell access.
- System → Scheduled Cron Jobs — Full crontab editor per user, with a human-readable schedule builder.
- System → System Logs — Tail and search
journaldand traditional log files without leaving the browser. - Networking → Linux Firewall — A front-end for nftables or iptables rules. Use with care; incorrect rules can lock you out.
- Servers → Apache Webserver / Nginx — These modules appear only if the relevant daemon is installed. They expose virtual host config, SSL bindings, and module management.
- Webmin → Webmin Configuration → SSL Encryption — Where you import or request Let's Encrypt certificates.
Securing Webmin for Production
A default Webmin installation is functional but not hardened. The steps below are not optional for any internet-facing server.
Replace the Self-Signed Certificate with Let's Encrypt
If your server has a public FQDN with DNS pointing to it, Webmin can request a certificate directly. Go to Webmin → Webmin Configuration → SSL Encryption → Let's Encrypt. Enter your domain, ensure port 80 is reachable for the HTTP-01 challenge, and click Request Certificate. Webmin restarts automatically and uses the new cert.
Alternatively, if you already manage certificates with Certbot externally:
sudo certbot certonly --standalone -d webmin.example.com
Then point Webmin at the resulting files under SSL Encryption → Certificate and key files.
Restrict Access by IP Address
Under Webmin → Webmin Configuration → IP Access Control, you can whitelist specific IP ranges. If your admin workstation has a static IP, this is a high-value control — it stops brute-force attempts before they even reach the login prompt.
Enable Two-Factor Authentication
Navigate to Webmin → Webmin Configuration → Two-Factor Authentication. Webmin supports TOTP (compatible with Google Authenticator, Authy, and any RFC 6238-compliant app) and Authy natively. Enable it per-user or globally. This is important — Webmin has broad system access, and a compromised password without 2FA is a full server compromise.
Change the Default Port
Automated scanners hit port 10000 constantly. Changing the port does not add real security but it dramatically reduces log noise. Go to Webmin → Webmin Configuration → Ports and Addresses and set a high unpredictable port. Update your firewall rule to match.
Use an SSH Tunnel Instead of Direct Exposure
The most secure option for personal or small-team use is to leave port 10000 closed entirely and tunnel through SSH:
ssh -L 10000:localhost:10000 user@your-server -N
Then open https://localhost:10000 in your browser. Nothing is exposed to the internet. This is the recommended approach when only one or two admins need access.
Disable Root Login (and Use a Dedicated Admin User)
In Webmin → Webmin Users, create a dedicated Webmin user mapped to a system account with sudo rights. Then under Webmin Configuration → Authentication, consider enabling the option to block root logins to Webmin directly. This limits blast radius if credentials leak.
Verifying the Installation
Run these checks after setup:
sudo systemctl is-active webmin
sudo ss -tlnp | grep 10000
The first should return active. The second should show Webmin listening on the expected port. If the port differs from 10000, check /etc/webmin/miniserv.conf for the port= line.
grep ^port /etc/webmin/miniserv.conf
Troubleshooting
Browser Says Connection Refused
Check the service is running (systemctl status webmin) and that the firewall allows the port. Also verify you're using https:// not http:// — Webmin requires TLS by default.
Login Fails for a Valid User
PAM authentication can fail if the system's PAM stack is unusual. Check /var/webmin/miniserv.error for the reason. Also confirm the user is not locked: passwd -S username should not show L in the second field.
Module Missing After Installing a Package
Webmin caches module availability. Go to Webmin → Refresh Modules or restart the service:
sudo systemctl restart webmin
Self-Signed Certificate Warning Persists After Let's Encrypt
Confirm the new certificate paths are saved in /etc/webmin/miniserv.conf under the certfile= and keyfile= keys. After editing that file manually, restart Webmin for the change to take effect.
Frequently asked questions
- Is Webmin safe to expose directly to the internet?
- Only if you have replaced the self-signed certificate, enabled 2FA, and restricted access by IP. Even then, an SSH tunnel is safer for single-admin setups because it removes the attack surface entirely.
- Does Webmin work with SELinux enabled?
- Yes on modern releases, though some modules may behave unexpectedly if SELinux policy blocks Webmin's Perl processes. Check audit.log for denials and use audit2allow to generate a targeted policy if needed.
- Can I manage multiple servers from one Webmin install?
- Yes. Webmin supports Webmin Servers Index, which lets you add remote Webmin instances and switch between them. Cloudmin is the separate product for large-scale multi-server management.
- Will Webmin overwrite my manually edited config files?
- Webmin reads and writes the same config files the CLI tools use, so changes made in either place are reflected in both. It does not replace or shadow config files, but always back up before making bulk changes through the UI.
- How do I update Webmin after installation?
- Because you installed from the official repository, a normal system update handles it: run sudo apt upgrade on Debian/Ubuntu or sudo dnf upgrade on RHEL-family systems. No manual download is required.
Related guides
Configure Prometheus Alertmanager
Configure Prometheus Alertmanager with routing trees, receivers, inhibition rules, grouping, Go templates, and PagerDuty/Slack on-call integrations.
Build an Intranet Server on Linux
Set up a complete small-office intranet on one Linux box: Nginx web server, dnsmasq local DNS, Samba file sharing, and a Wiki.js team wiki.
Build an nftables Firewall Script
Build a complete nftables firewall from scratch: tables, chains, sets, default-deny input policy, service allowlisting, and persistent systemd configuration.
Caddy as a Reverse Proxy
Set up Caddy as a reverse proxy with automatic HTTPS, load balancing, WebSocket passthrough, reusable snippets, and header control — no certbot required.