Was hoping for some advice

I am using Virtualmin Pro and am very satisfied. Thank you for offering such a product!

Recently I discovered some webpages that had malicious JavaScript inserted into the HTML. I'm at a loss as to how it got there as nothing abnormal appears in the logs. I've changed all the passwords so we are going to assume that somehow they got lucky and guessed a password.

My question is: under the iptables section of Webmin the "activate at boot" selection is not turned on. Should it be turned on normally?

Also, is there any reason why I should not install fail2ban?

If you have any thoughts on how someone could change static webpages, please let me know.

Thanks a million!

Status: Active

Comments

Howdy -- it's unfortunately not uncommon to run into the problem you're describing.

The usual cause is spammers who find some sort of PHP code that they take advantage of... perhaps an old WordPress or Joomla installation, for example.

You may want to verify that there aren't any apps installed within that account that are running older versions.

You're welcome to run iptables if you like, though that wouldn't typically resolve issues like what you're describing, since the attackers probably accessed a port that should have been open.

Some Virtualmin users are using Fail2ban, and we certainly don't discourage its use. Unfortunately, Virtualmin isn't able to configure or monitor it, so that would need to be installed and set up manually. But we haven't heard of any problems with its use, and have heard about a lot of folks having great success by using it.
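
One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread or Virtualmin's own tooling: a shell script that lists the WordPress versions found under a directory tree and the recently modified static pages that load a script from an absolute URL. The function names and the use of `/home` as the root of the virtual servers' home directories are assumptions.

```shell
#!/bin/sh
# Added example: inventory WordPress copies and recently changed static pages.
# Usage: sh webroot_audit.sh ROOT [DAYS]
#   ROOT is the tree to scan, e.g. /home (assumed location of the site directories).

# Print "<version><TAB><install dir>" for every WordPress copy under $1.
# WordPress records its release in wp-includes/version.php as: $wp_version = 'x.y.z';
list_wordpress_versions() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r f; do
        ver=$(awk -F"'" '/^\$wp_version/ { print $2; exit }' "$f" 2>/dev/null) || ver=
        printf '%s\t%s\n' "${ver:-unknown}" "${f%/wp-includes/version.php}"
    done
}

# Print .html/.htm files under $1 modified within the last $2 days that contain a
# <script> tag whose src is an absolute or protocol-relative URL. Compare each hit
# with a known-good backup; legitimate pages that use a CDN will also be listed.
list_recent_external_scripts() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -mtime "-$2" \
        -exec grep -liE '<script[^>]*src=["'\'']?(https?:)?//' {} + 2>/dev/null || true
}

# Run the report only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "== WordPress versions under $1 =="
    list_wordpress_versions "$1"
    echo "== Static pages changed in the last ${2:-7} days with external scripts =="
    list_recent_external_scripts "$1" "${2:-7}"
fi
```

Compare the reported versions with the current WordPress release, and check any listed page against a backup taken before the injection was noticed.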

I'm having good luck with fail2ban, at least in it nailing folks trying to guess passwords. I also noticed that it will work with Shorewall, which is easier than using iptables by itself.

Is it OK to use Virtualmin Pro with Shorewall?

Yes, it's no problem to use Virtualmin along with Shorewall.

Thanks very much for your advice and help!