After falling victim to a hack via the webmin vulnerability I restricted webmin access to my own ip.
But I have a couple of virtual servers set up for the use of friends, and now they cannot access their control panels.
Am I right that webmin runs as root no matter what domain name is used to access it? So it seems that I can only limit vulnerability to future root exploits by collecting their ip addresses from the friends and adding them to the access control list, now and whenever their ip addresses change.
Is there something I am missing that would increase security without having to manually add the ip addresses of every virtual server user on a continuous basis?