To create Webmin on a Linux server, add the official Webmin repository, install the package with apt or dnf, open TCP port 10000 in your firewall, then browse to https://your-server-ip:10000 to log in. Secure it with HTTPS (Let’s Encrypt), change the default port, restrict IPs, and enable 2FA for production use.
In this step-by-step guide, you’ll learn how to install Webmin on a Linux server, access it safely, harden it for production, and manage common services through its web interface. As a hosting engineer, I’ll share best practices we follow at YouStable so you can deploy Webmin with confidence.
What Is Webmin and Why Use It?
Webmin is a lightweight, open-source Linux server control panel. It lets you manage users, packages, services, firewalls, web servers (Apache/Nginx), databases (MySQL/MariaDB), DNS (BIND), mail (Postfix), and more—all through a browser.
For teams that prefer a graphical interface without heavy resource usage, Webmin is an ideal fit.
Prerequisites and System Requirements
- A supported Linux distribution: Ubuntu/Debian, Rocky Linux, AlmaLinux, RHEL, or CentOS Stream.
- A user with sudo privileges (or root).
- Public IP and DNS A record if you want HTTPS via Let’s Encrypt.
- Firewall access to TCP port 10000 (default Webmin port).
- Basic packages: curl, gpg, and OpenSSL.
Install Webmin on Ubuntu/Debian (Recommended Method)
Use the official repository so you receive timely updates and security patches. The steps below avoid deprecated apt-key and pin the repository with a signed keyring.
# 1) Update and install prerequisites
sudo apt update
sudo apt install -y curl gpg
# 2) Import Webmin GPG key (to a dedicated keyring)
curl -fsSL https://download.webmin.com/jcameron-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/webmin.gpg
# 3) Add the official Webmin repository
echo "deb [signed-by=/usr/share/keyrings/webmin.gpg] https://download.webmin.com/download/repository sarge contrib" | sudo tee /etc/apt/sources.list.d/webmin.list
# 4) Install Webmin
sudo apt update
sudo apt install -y webmin
# 5) Start and enable service (usually auto-starts)
sudo systemctl enable --now webmin
sudo systemctl status webmin --no-pagerInstall Webmin on RHEL/CentOS/AlmaLinux/Rocky
On RHEL-based systems, add the yum/dnf repository and import the GPG key. Ensure SSL libraries and Perl are installed (usually handled automatically).
# 1) Import Webmin GPG key
sudo rpm --import https://download.webmin.com/jcameron-key.asc
# 2) Create the repo file
sudo tee /etc/yum.repos.d/webmin.repo > /dev/null << 'EOF'
[Webmin]
name=Webmin Distribution Neutral
baseurl=https://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=https://download.webmin.com/jcameron-key.asc
EOF
# 3) Install Webmin
sudo dnf install -y webmin
# 4) Start and enable service
sudo systemctl enable --now webmin
sudo systemctl status webmin --no-pagerOpen the Firewall for Webmin (Port 10000/TCP)
Webmin listens on TCP 10000 over HTTPS by default. Allow this port in your host firewall and any upstream firewalls or security groups.
UFW (Ubuntu/Debian)
sudo ufw allow 10000/tcp
sudo ufw reload
sudo ufw statusfirewalld (RHEL/AlmaLinux/Rocky)
sudo firewall-cmd --permanent --add-port=10000/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-portsAccess the Webmin Panel
Open your browser and visit:
https://YOUR_SERVER_IP:10000/Because Webmin ships with a self-signed certificate, you’ll see a browser warning the first time. Proceed to the login page.
By default, the administrative login is root. On Ubuntu (where root is disabled by default), temporarily set a strong root password:
sudo -i
passwd # set a unique, strong password for rootLog in as root, then immediately create a dedicated Webmin user with limited privileges (recommended) and disable root access inside Webmin’s ACLs (explained below).
Secure Webmin for Production
Use a Real HTTPS Certificate (Let’s Encrypt)
Point a DNS record to your server (e.g., panel.example.com). In Webmin, go to: Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt. Enter your hostname, choose “Webmin” for the service, and request a certificate. Webmin will auto-renew if DNS remains valid.
Change the Default Port
Security through obscurity isn’t a full defense, but changing the default port reduces bot noise. You can do this in the UI (Webmin Configuration > Ports and Addresses) or edit the config file directly:
# Edit miniserv.conf and change the port
sudo sed -i 's/^port=.*/port=10443/' /etc/webmin/miniserv.conf
# Restart Webmin
sudo systemctl restart webmin
# RHEL with SELinux: allow the new port (example: 10443)
# Install policy utils if needed: sudo dnf install -y policycoreutils-python-utils
sudo semanage port -a -t webmin_port_t -p tcp 10443 || sudo semanage port -m -t webmin_port_t -p tcp 10443
# Update firewall rules too
sudo firewall-cmd --permanent --add-port=10443/tcp && sudo firewall-cmd --reload
# or UFW: sudo ufw allow 10443/tcpRestrict Access by IP
Permit your office/VPN ranges only:
# UFW example: allow only from a trusted IP
sudo ufw deny 10000/tcp
sudo ufw allow from 203.0.113.10 to any port 10000 proto tcp
# firewalld example
sudo firewall-cmd --permanent --remove-port=10000/tcp
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.10" port protocol="tcp" port="10000" accept'
sudo firewall-cmd --reloadEnable Two-Factor Authentication (2FA)
In Webmin, go to Webmin > Webmin Users > Two-Factor Authentication. Choose Time-based OTP (TOTP) and scan the QR code in an authenticator app. Require 2FA for all admin accounts.
Create Additional Webmin Users and ACLs
For least-privilege access, create Webmin users for your team and assign only the modules they need.
- Webmin Users > Create a new Webmin user
- Authentication: Use “Unix authentication” for a system user, or set a separate Webmin-only password.
- Available modules: Select specific modules (e.g., Apache, MySQL, BIND) to restrict access.
- ACLs per module: Fine-tune what each user can see and change.
Once your custom admin accounts are ready, disable root access in Webmin Users to reduce risk.
Popular Modules You’ll Use Often
- Apache Webserver or Nginx Webserver: Virtual hosts, logs, and SSL.
- MySQL/MariaDB Database Server: Create databases, users, and tune parameters.
- BIND DNS Server: Zone management and DNSSEC basics.
- Postfix Mail Server: SMTP configuration and TLS.
- FirewallD/UFW: Manage firewall rules in-UI.
- File Manager and Software Packages: Browse files, install updates, and manage packages without SSH.
Keep Webmin Updated and Backed Up
Apply updates regularly. On Debian/Ubuntu:
sudo apt update && sudo apt upgrade -y webminOn RHEL-based systems:
sudo dnf upgrade -y webminBack up Webmin configs via Webmin > Backup Configuration Files. Store backups off-server, and snapshot your VPS before major changes. At YouStable, our managed VPS plans include scheduled snapshots and can ship servers with Webmin/Virtualmin pre-installed and hardened on request.
Troubleshooting Webmin
Webmin Not Accessible
- Service status:
sudo systemctl status webmin - Port open: UFW/firewalld/security groups allow the Webmin port.
- SELinux: If you changed the port, allow it with
semanage portas shown above. - Logs: Check
/var/webmin/miniserv.errorand/var/webmin/miniserv.log.
Reset Forgotten Webmin Password
Debian/Ubuntu path:
sudo /usr/share/webmin/changepass.pl /etc/webmin root NEW_STR0NG_PASSWORD
sudo systemctl restart webminRHEL-based path (if applicable):
sudo /usr/libexec/webmin/changepass.pl /etc/webmin root NEW_STR0NG_PASSWORD
sudo systemctl restart webminUninstall Webmin
# Debian/Ubuntu
sudo apt remove --purge -y webmin
sudo rm -f /etc/apt/sources.list.d/webmin.list /usr/share/keyrings/webmin.gpg
sudo apt update
# RHEL-based
sudo dnf remove -y webmin
sudo rm -f /etc/yum.repos.d/webmin.repoWebmin vs. Virtualmin: When to Add Virtualmin
Webmin is a general-purpose server control panel. If you plan to host multiple websites and mailboxes with per-domain isolation, add Virtualmin (built on Webmin). It automates virtual hosts, DNS, databases, SSL, mail, and quotas—ideal for agencies and hosting resellers. YouStable can provision VPS/Dedicated servers with Webmin + Virtualmin tuned for performance and security.
Best Practices (From Real-World Deployments)
- Don’t expose Webmin on the public internet unless necessary; prefer VPN or IP allowlists.
- Replace the self-signed SSL cert with Let’s Encrypt immediately.
- Change the default port and enforce 2FA for all admins.
- Use dedicated Webmin users with minimal modules; avoid daily root logins.
- Monitor logs and enable automatic updates to Webmin and OS packages.
- Back up Webmin configuration files and take server snapshots before major upgrades.
FAQs
Is Webmin safe to use in production?
Yes, if you harden it. Use HTTPS with Let’s Encrypt, change the default port, restrict IPs, enable 2FA, and keep Webmin/OS packages updated. For critical workloads, place Webmin behind a VPN or bastion host. Managed YouStable servers follow these practices by default.
What port does Webmin use and can I change it?
Webmin listens on TCP 10000 by default over HTTPS. You can change it in Webmin Configuration > Ports and Addresses, or by editing /etc/webmin/miniserv.conf (port=) and restarting Webmin. Update your firewall and SELinux policy (if enabled) to allow the new port.
How do I install Webmin on Ubuntu 22.04/24.04?
Add the official repository with a signed keyring, run apt install webmin, open port 10000 on UFW, then access https://server-ip:10000. The commands in this guide work on current Ubuntu LTS and Debian releases.
Does Webmin support Let’s Encrypt for HTTPS?
Yes, In Webmin > Webmin Configuration > SSL Encryption, choose Let’s Encrypt, specify your hostname, and request a certificate. Webmin will handle renewals as long as DNS is valid and ports 80/443 are reachable for validation.
How do I reset a forgotten Webmin password?
Use the changepass.pl script as shown above for your distro path, then restart Webmin. If you use Unix authentication for Webmin users, update the underlying Linux password with passwd instead.
