Settings for best security

#1 Wed, 12/12/2012 - 15:53
virtualpaul

Hi,

I am trying to install virtualmin on a LAMP (Debian Linux, Apache, MySQL, PHP) and use a mail server (postfix, dovecot) and several web sites.

I wish to find out what settings I need for best security.

Is there a list of these settings somewhere?

If not, is there a list of what not to do that could impair the security?

Wed, 12/12/2012 - 22:54
andreychek

Howdy,

Well, neither Linux distributions nor Virtualmin ship settings that are considered insecure by default.

Outside of that, the questions "how to improve security" and "what might impair security" are topics for very large books :-)

If you had anything in particular you were hoping to try, feel free to ask and we can discuss whether it's a security problem :-)

-Eric

Thu, 12/13/2012 - 05:04
Locutus

I couldn't have expressed it better than Eric. To "books", you might add "myriads of websites" and "highly paid firms offering security audits". ;)

For starters, to get an inherently secure system, it's recommended to use a Grade-A supported OS, installing no packages besides SSH, and using the Virtualmin installer script to get your web hosting software in place. Virtualmin configures the services as securely as you can get without being an employee at one of the aforementioned firms. :)

Most security issues come from buggy or incorrectly configured web software, and not from the services themselves.

Thu, 12/13/2012 - 19:46 (Reply to #4)
virtualpaul

Right now I rent a dedicated server so do you think that the link you gave me could help me anyway? Thanks.

Thu, 12/13/2012 - 10:17
virtualpaul

Thanks!

So should I assume that Virtualmin on its own always installs/configures applications/services with optimum security in mind?

Or are there so many options that choosing some combinations might make the web server insecure?

Thu, 12/13/2012 - 11:11
helpmin

They try, of course. But a good example is VM 3.97, which fixed major security issues a few days ago that had existed in Virtualmin for a long time ;-)

For optimum security it is always a good idea to go through some security/hardening check lists :-)

Unless you have only one site on your system, I guess. If you need more than one site, then probably Virtualization offers the best protection (I use OpenVZ). However there is some overhead.

Thu, 12/13/2012 - 22:51
tpnsolutions

Hi,

A few items which rank high on my list of security measures include, "firewall hardening", "disabling FTP (and other services not used) in favour of SFTP", "disabling password authentication for root", and installing a good "intrusion detection system".

We have been using OSSEC as our primary OS-level intrusion detection system for a few years now, and it has saved us sleepless nights because of its highly customizable ruleset and the proactive measures it takes against hackers and other malicious activity. OSSEC, if configured, will also send you an email including all items which may be a security threat or that you should know about, including login attempts, file changes, etc.

When you consider what OSSEC and similar software does, it makes administering lots of machines less of a headache, and increases uptime by pointing out threats and taking proactive measures.

Hope this information helps!

-Peter

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Fri, 12/14/2012 - 05:04
Locutus

Oh right, security software. I personally use the following on my hosting systems:

CSF/LFD

Watches, among lots of other things, logs for login failures and blocks the offending IP via iptables. Also watches for modified system files, can detect port floods, use blacklists to block known hacker nets, limit connection count per source IP, and other stuff.

LOGCHECK

Scans configurable log files and reports all lines it doesn't know (configurable via regular expressions, comes with a pre-made set of rules) via email.

LMD

Linux Malware Detect, a malware scanner specifically for bad web software. Uses the ClamAV engine for scanning.

Fri, 12/14/2012 - 05:51 (Reply to #9)
tpnsolutions

Locutus,

Nice!

If you haven't already, you might also look over at: http://www.ossec.net

-Peter

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Fri, 12/14/2012 - 06:51
Locutus

Yepperz, I took a look at the OSSEC website, and it sounds quite nice. :)

Mmh, might it be possible to take a look at a live installation of OSSEC? I like to test new stuff, but before I replace my whole LFD/Logwatch setup with something new, I'd really like to see if it does anything better than what I'm using now. :) Unfortunately, OSSEC does not seem to have a demo installation, and not even screenshots.

Fri, 12/14/2012 - 12:02 (Reply to #11)
tpnsolutions

Locutus,

Honestly, I think it's a bit hard to test security software of this sort, as you'd have to be doing bad things to see it in action.

There is a web interface you can optionally install, but this is just for reports and is not intended, though possible, to be viewed from a web-facing address.

Honestly, I've not read up on the solutions you're using, so I couldn't really comment on whether it's better or not. It's likely that your solution, if it works, is fine, but this is just the solution I personally use.

-Peter

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Mon, 10/27/2014 - 10:05 (Reply to #12)
Karl

Hello Locutus,

Did you check OSSEC? If yes, are you using it?

Thanks, Karl

Fri, 12/14/2012 - 16:08
virtualpaul

Thanks for all the suggestions.

It would seem that the security suggestions are more on the server side than the Virtualmin side.

I was hoping to get some pointers on the settings for virtualmin itself since there are quite a lot of options in the software.

One other thing was a safe way to access Virtualmin remotely:
Is it safer to open a port with direct access to Virtualmin (I did not like the idea of root access from remote), or to enable remote graphic access to the server and use Virtualmin only 'locally'? This could allow me to disable remote root access and switch it on using 'su'. The idea is to prevent brute force attacks on the root user.

Fri, 12/14/2012 - 17:10
Locutus

Remote graphics access on an Internet-facing server: No go. :)

My suggestion would be: First, turn off "root login with password" in SSH. Set it to "with RSA key only". That will prevent brute force attacks on the root account, because no brute force attack in this world can work out an RSA key (of sufficient length).

In Virtualmin, you'd still use the root user and their regular password (make it securely long). Brute-force attacks on Webmin are very rare, since it's by far not as widespread as SSH.

If you want extra security, set up a VPN (OpenVPN suggested) and open port 22 and 10000 only for VPN connections.

Tue, 12/18/2012 - 17:05 (Reply to #15)
virtualpaul

Are there some major reasons for not using remote graphics? I've been accustomed to my Windows 2000 web server for many years and found it very convenient to access it using Remote Desktop.

Tue, 12/18/2012 - 17:26 (Reply to #16)
helpmin

Virtualmin makes a GUI obsolete IMHO.

But there are at least two reasons:

  • Gigantic waste of resources
  • Security: you increase the # attack vectors by magnitudes

But if your server is just a hobby and your server is too big anyway, then why not :-)

(and regarding VNC via tunnel, search the web, there are probably thousands of tutorials)

Thu, 12/20/2012 - 13:20 (Reply to #17)
virtualpaul

Although you are probably right, I am just wondering why:

  • Gigantic waste of resources

Is it not just sending a few bytes of data (cursor, mouse tracking) a few times per second and a larger chunk when part of the screen changes? To me it sounds like not much more than serving a graphic web site to an active user. Also, since more than 15 years ago this was easily accomplished by old PCs (e.g. a Pentium 100 MHz), I am guessing that with a recent PC this would be proportionally easier.

  • Security: you increase the # attack vectors by magnitudes

Again, I would have thought that enabling only one port for VNC access (that would replace the Virtualmin/Webmin port) would have similar security issues.

Sat, 12/15/2012 - 23:08
virtualpaul

Is there a VNC (remote graphic access) way of accessing a LAMP server in a secured way through an SSH tunnel?

Wed, 10/29/2014 - 13:41
ReArmedHalo

To mitigate the brute force of Virtualmin using the root user, you could make sure you tighten the host blocking options:

Webmin > Webmin Configuration > Authentication

I would leave "Block users with more than" and "Lock users with failed logins" as they are, otherwise you might get locked out of root access, as I am not aware of any whitelisting option. Perhaps turn up the time a host is blocked for invalid login attempts? You could also change the port that is used to access Virtualmin, but that isn't really security (in my opinion, security through obscurity doesn't do much except slow down a determined attacker).

Just my opinion :)

Tue, 01/10/2017 - 09:15
lawk

This is what I do after a clean virtualmin install on a minimal OS install:

1. Disable root login by SSH; instead I use a regular user to log in and then "su" for root. I guess you could also use keys.

2. Enable the iptables firewall in Webmin to only allow the hosting ports.

3. Install & configure fail2ban; enable it not only for SSH, but PAM, postfix, proftpd, dovecot, perhaps others. In more recent versions there will be a Webmin jail too, so you can use that out of the box.

4. Create a Virtual Server with a domain and make sure SSL is enabled as a feature.

5. Get the Let's Encrypt certificates in "Manage SSL" through Virtualmin server management. This has the benefit of enabling SSL in those applications.

BUT I always change the protocols and ciphers to something along the lines of: https://cipherli.st/

So that only TLS 1.2 is used.

I think Virtualmin actually enables SSLv3 for postfix, which is insecure.

You can then add HSTS to Apache. (careful though that auto renewal works for the certs and that you are not using self-signed).

You then get the A+ rating on Qualys.

Then you can always run stuff like Nessus & Netsparker to scan for any known vulnerabilities you might have missed.

Netsparker can scan your webapps for problems in php and so on.
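As an added example, not code from the thread or from Virtualmin, the following script audits three of the settings discussed above against config files you point it at: root SSH login by key only (Locutus and lawk), Postfix restricted to TLS 1.2 with SSLv3 off, and Apache restricted to TLS 1.2 with HSTS set (lawk). The config file paths in the comments are the usual Debian locations but are only illustrative; the sample files at the bottom are constructed, not taken from any real server.

```shell
# Added example, not from the thread or from Virtualmin: an offline audit of three
# settings recommended above. Paths are arguments; the samples below are constructed.
# Effective value of KEY in FILE. sshd_config honours the FIRST occurrence of a
# keyword; Postfix main.cf and Apache honour the LAST, so MODE is first|last.
conf_value() {  # conf_value FILE KEY MODE
    if [ "$3" = first ]; then _sel="head -n1"; else _sel="tail -n1"; fi
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1" 2>/dev/null \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*\$//" | $_sel
}

# 1. SSH (Locutus, lawk): root logs in by key only. Unset meant "yes" on older
#    OpenSSH, so a missing PermitRootLogin counts as a failure here.
sshd_root_key_only() {  # sshd_root_key_only /etc/ssh/sshd_config
    case "$(conf_value "$1" PermitRootLogin first)" in
        no|prohibit-password|without-password) return 0 ;; *) return 1 ;;
    esac
}

# 2. Postfix (lawk): no SSLv3 and TLS 1.2 only, given either as the positive
#    form "TLSv1.2" or as an exclusion list that names every older protocol.
postfix_tls12_only() {  # postfix_tls12_only /etc/postfix/main.cf
    _p=",$(conf_value "$1" smtpd_tls_mandatory_protocols last | tr -d ' '),"
    [ "$_p" = ",TLSv1.2," ] && return 0
    for _t in '!SSLv2' '!SSLv3' '!TLSv1' '!TLSv1.1'; do
        case "$_p" in *",$_t,"*) ;; *) return 1 ;; esac
    done
}

# 3. Apache (lawk): SSLProtocol enables TLS 1.2 and nothing else, and HSTS is set.
apache_tls12_hsts() {  # apache_tls12_hsts /etc/apache2/sites-enabled/example-ssl.conf
    _seen=1
    for _t in $(conf_value "$1" SSLProtocol last); do
        case "$_t" in
            +TLSv1.2|TLSv1.2) _seen=0 ;;   # TLS 1.2 explicitly enabled
            -*) ;;                         # "-all", "-SSLv3", ... only exclude
            *) return 1 ;;                 # "all", "TLSv1", "+SSLv3", ... would be enabled
        esac
    done
    [ "$_seen" -eq 0 ] && grep -qE '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security' "$1"
}

# Constructed samples, one hardened and one weak file per service.
TMP=$(mktemp -d)
printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$TMP/sshd_good"
printf '# PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n' > "$TMP/sshd_weak"  # first match wins
printf 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\nsmtpd_tls_mandatory_protocols = TLSv1.2\n' > "$TMP/main_good"
printf 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n' > "$TMP/main_weak"  # TLS 1.0/1.1 still allowed
printf 'SSLProtocol -all +TLSv1.2\nHeader always set Strict-Transport-Security "max-age=31536000"\n' > "$TMP/apache_good"
printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$TMP/apache_weak"  # TLS 1.0/1.1 on, no HSTS
for _c in "sshd_root_key_only sshd" "postfix_tls12_only main" "apache_tls12_hsts apache"; do set -- $_c
    for _v in good weak; do $1 "$TMP/${2}_$_v" && echo "PASS ${2}_$_v" || echo "FAIL ${2}_$_v"; done; done
```

The weak samples show the two traps the checks are built around: sshd takes the first PermitRootLogin it sees, so a later "no" does not help, and a Postfix list that only excludes SSLv2/SSLv3 still leaves TLS 1.0 and 1.1 on.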

Sun, 01/15/2017 - 13:37 (Reply to #22)
Francewhoa

Thanks for sharing lawk :)

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community
