I'm using Virtualmin 4.04 on CentOS 6.5 on my servers. My main servers have several scheduled backups set up. When I create new backups, the password for the FTP servers is replaced with ****, and all looks great.
But today I found all my login info for my backup servers in clear text in /var/webmin/webmin.log. When I set up Virtualmin I always use the "hashed password" setting, but still, in the webmin.log all login info (ftp server:password@username) is clear as daylight.
This can't be good? If anybody gets access to my server and my logs, they can get all the important login info for my backup servers.
I have now created a script and a cron job deleting /var/webmin/webmin.log every minute.
But am I missing some important settings or something in Virtualmin/Webmin allowing the FTP info for my backup servers to be written in clear text in the logfile?
I could not find any other username/passwords there, only the backup info.
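
A way to check for and mask the exposed passwords while keeping the rest of the action log, as an added example that is not part of the original post or of Virtualmin/Webmin. It assumes the credentials are logged in URL form (`scheme://user:password@host`); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: mask passwords in credential-bearing URLs inside a log file.
# Assumption: credentials are logged as scheme://user:password@host.
CRED_RE='(ftp|ftps|sftp|ssh)://[^:/@[:space:]]+:[^@[:space:]]+@'

# Constructed sample lines (not real Webmin log output).
sample_log() {
cat <<'EOF'
[01/Jan/2014 03:00:01] root backup dest=ftp://backupuser:S3cretPw@backup.example.com/vm/
[01/Jan/2014 03:00:02] root backup dest=ftp://backup.example.com/public/
[01/Jan/2014 03:05:00] root backup dest=ssh://vmin:An0ther-Pw@store.example.net/srv/
EOF
}

# Number of user:password@ URLs in the file that are not already masked.
count_exposed() {
    grep -Eo "$CRED_RE" "$1" | grep -Fvc ':****@' || true
}

# Replace only the password part, keeping scheme, user and host for auditing.
redact_stream() {
    sed -E 's#((ftp|ftps|sftp|ssh)://[^:/@[:space:]]+):[^@[:space:]]+@#\1:****@#g'
}

# Redact a file in place and make it readable by its owner only.
redact_file() {
    log=$1
    old_umask=$(umask); umask 077          # temp copy must not be world-readable
    tmp=$(mktemp "${log}.XXXXXX") || return 1
    redact_stream < "$log" > "$tmp" && cat "$tmp" > "$log"
    rc=$?
    rm -f "$tmp"; umask "$old_umask"
    chmod 600 "$log"
    return $rc
}

# Usage: sh redact-log.sh /var/webmin/webmin.log
if [ -n "${1:-}" ]; then
    echo "exposed before: $(count_exposed "$1")"
    redact_file "$1" && echo "exposed after: $(count_exposed "$1")"
fi
```

Lines appended to the log between the read and the write-back are lost, so a scheduled run should be timed away from the backup jobs.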