Webmin runs on port 10000 and grants whoever logs in root-level access to your entire server — every file, every service, every user account. A single compromised password is all an attacker needs. Two-factor authentication (2FA) adds a second layer that passwords alone can't provide: even if an attacker has your Webmin password, they cannot log in without the time-based one-time code from your phone.
This guide covers the complete Webmin 2FA setup: installing the TOTP module, pairing it with Google Authenticator (or any compatible app), enforcing it for all users, and setting up recovery options so a lost phone doesn't lock you out permanently.
Why 2FA on Webmin Is Non-Negotiable
Webmin listens on a well-known port and most servers have it exposed to the public internet. Automated bots continuously scan for port 10000 and attempt credential stuffing attacks using leaked password lists. Without 2FA:
- A reused password from any previous breach gives an attacker full root access
- SSH key auth protects SSH but not Webmin — they use separate authentication
- Webmin's default session timeout is 10 minutes, giving attackers a meaningful window after a successful login
With TOTP 2FA enabled, a correct password without the 6-digit code produces a failed login — the attack stops at the second factor.
Step 1: Verify the Webmin TOTP Module Is Installed
Webmin includes a built-in two-factor authentication module. Verify it is present before proceeding.
Log in to Webmin at https://yourserver:10000. Go to Webmin → Webmin Configuration → Two-Factor Authentication. If this menu item exists, the module is already installed.
From a shell on the server, the same check is:
ls /usr/share/webmin/two-factor/ 2>/dev/null || ls /usr/libexec/webmin/two-factor/ 2>/dev/null
If the directory doesn't exist, install or update Webmin to a recent version:
# Debian/Ubuntu
apt-get update && apt-get install --only-upgrade webmin
# RHEL/CentOS/AlmaLinux
yum update webmin
The TOTP module was introduced in Webmin 1.900 — any version released after 2019 includes it.
In Webmin, go to Webmin → Webmin Configuration → Two-Factor Authentication.
From the dropdown, select Google Authenticator (this enables TOTP for any compatible app, not just Google's). Click Save.
After saving, go to Webmin → Change Language and Theme or navigate to your user's profile under Webmin → Webmin Users → [your username] → Two-Factor Authentication. Click Enroll for Two-Factor Authentication.
A QR code appears. Open your authenticator app and scan it. The app will begin generating 6-digit codes that change every 30 seconds.
Enter the current 6-digit code from your app into the verification field in Webmin and click Confirm. If the code is accepted, enrollment is complete.
To enroll from the shell instead of the web interface:
/usr/share/webmin/two-factor/two-factor.pl --user root --setup totp
This outputs a secret key and a QR code URL. Paste the QR URL into a QR code generator, or add the secret to your authenticator app manually using "Enter setup key".
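As an added illustration (not code from Webmin or this guide), this is the RFC 6238 TOTP computation that the authenticator app and Webmin both perform on the shared setup key, plus the verifier side that tolerates one 30-second step of clock drift. The setup key and timestamps are constructed inputs.

```python
# Added example, not Webmin's own code: the TOTP (RFC 6238) arithmetic behind
# the 6-digit codes, and how a verifier should check a submitted code.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, as the guide states
DIGITS = 6

def decode_secret(base32_secret: str) -> bytes:
    """Turn the text-format setup key shown at enrollment into raw key bytes."""
    key = base32_secret.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # restore any stripped base32 padding
    return base64.b32decode(key)

def totp_code(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def verify_code(key: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or one step either side
    (clock drift), comparing in constant time so timing does not leak digits."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(key, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Constructed setup key in the same base32 format Webmin shows at enrollment
    key = decode_secret("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    print("current code:", totp_code(key, now))
    print("previous step still accepted:", verify_code(key, totp_code(key, now - STEP), now))
```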
To confirm the configuration from the shell:
grep "twofactor" /etc/webmin/miniserv.conf
grep root /etc/webmin/webmin.acl
The twofactor entry confirms the feature is enabled at the server level.
Go to Webmin → Webmin Configuration → Two-Factor Authentication. Check the box: Require all users to use two-factor authentication. Click Save.
After this change, any user who hasn't enrolled for 2FA is redirected to the enrollment page on next login — they cannot access the control panel until they complete enrollment.
To apply the same enforcement from the shell:
grep "twofactor_required" /etc/webmin/miniserv.conf
# If not present, add it and restart Webmin so miniserv picks it up:
echo "twofactor_required=1" >> /etc/webmin/miniserv.conf
service webmin restart
To audit which users have actually enrolled, loop over the per-user config directories and look for a stored TOTP secret:
for user_dir in /etc/webmin/users/*/; do
    user=$(basename "$user_dir")
    # An enrolled user has a twofactor_secret line in their config
    if grep -q "twofactor_secret" "$user_dir/config" 2>/dev/null; then
        echo "$user: 2FA enrolled"
    else
        echo "$user: NO 2FA — at risk"
    fi
done
Any user listed as "NO 2FA" should be enrolled immediately or have their account disabled until they complete enrollment.
When you scan the QR code during enrollment, also note the text-format secret key shown below the QR code (e.g., JBSWY3DPEHPK3PXP). Store it in an encrypted password manager. If your phone is lost, you can re-add the account to a new authenticator app using this key.
If you're locked out of Webmin due to a lost 2FA device and no backup, disable 2FA directly on the server via SSH:
# Stop Webmin first
service webmin stop
# Remove the 2FA secret for the locked-out user
sed -i '/twofactor_secret/d' /etc/webmin/users/root/config
# Remove the server-wide provider line entirely (not just its value), which
# turns off the second-factor prompt for everyone until you re-enroll
sed -i '/^twofactor_provider=/d' /etc/webmin/miniserv.conf
# Restart Webmin
service webmin start
Log in, re-enroll 2FA, then immediately restore enforcement.
If you're running Fail2Ban alongside Webmin 2FA (which you should — they complement each other), whitelist your management IP to prevent lockout from a mistyped code. The ignoreip setting must live under a [DEFAULT] section to apply to every jail; appending it to the end of jail.local would drop it into whichever jail section happens to be last, so use a drop-in file instead:
printf '[DEFAULT]\nignoreip = 127.0.0.1/8 YOUR.MANAGEMENT.IP\n' > /etc/fail2ban/jail.d/ignoreip.local
systemctl reload fail2ban
Go to Webmin → Webmin Configuration → IP Access Control. Select Only allow from listed addresses and add your management IP addresses or CIDR ranges. Click Save.
# Allow Webmin only from your IP. firewalld evaluates drop/reject rich rules
# before accept ones, so a blanket drop rule for port 10000 would block your
# own IP as well; instead remove any general opening of the port and let the
# zone's default (reject unmatched traffic) cover everyone else.
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=YOUR.IP/32 port port=10000 protocol=tcp accept'
firewall-cmd --permanent --remove-port=10000/tcp
firewall-cmd --reload
Replace YOUR.IP with your actual management IP. If your IP is dynamic, use a VPN with a static exit IP for management access instead.
With TOTP 2FA enabled and enforced, your Webmin installation is protected against credential stuffing, password reuse attacks, and brute force attempts — the three most common vectors used to compromise servers via web-based control panels. Combine 2FA with an IP whitelist and Fail2Ban for a complete defence-in-depth posture. If you manage multiple servers and want 2FA enforcement, access control, and security hardening handled as a managed service rather than a one-time manual setup, CloudHouse's server management team handles this as part of the standard onboarding for every new server.
