Amavisd, PolicyD, Suhosin, Jail, .....

Virtualmin
1

Dear *min - Team,

I’m currently messing around with Virtualmin on my VPS and I’m thinking about buying the Pro-Version (although, the 10 domain-limit in the starter-license seems a bit harsh).

I pay a lot attention on security and I had some trouble integrating amavisd and policyd on my VPS.
Suhosin was working, but I wasn’t able to upgrade to PHP 5.2. from the bleeding repo afterwards (missing-deps).

I didn’t even try to install any jailing programs (like JailKit) after that mess lol.

So basically my question is the following: what’s the correct way (if there’s any) to prevent out-going Spam (filtering/throttling), harden a current version of PHP and provide secure shell-access to my customers w/o interfering with Virtual-/Webmin?

I’m also curious about any possibilities to create and maintain off-site mirroring/redudancy of the Server (including Mail, Web, DB, …).

Thank you very much for your good work! :slight_smile:
Karl

2

Howdy,

I’m currently messing around with Virtualmin on my VPS and I’m thinking about buying the Pro-Version (although, the 10 domain-limit in the starter-license seems a bit harsh).

Well, we do provide the GPL version for free for folks who can’t afford the Pro version.

The competition generally doesn’t offer a lower-end license for admins hosting only a few domains… but we wanted to offer a lower cost license since not everyone needs unlimited domains. So we think it’s a pretty good deal :slight_smile: You can see a comparison of various products here:

http://www.virtualmin.com/compare.html

Also, remember that the renewals are cheaper than the initial up-front cost.

I pay a lot attention on security and I had some trouble integrating amavisd and policyd on my VPS.

Mmm, I’m not sure about Amavis. I suspect it can be coaxed to work, but may take some tweaking :slight_smile:

As far as policyd goes – Virtualmin offers a way to enable another greylisting tool called Postgrey… I’m not sure if that would do what you need or not.

So basically my question is the following: what’s the correct way (if there’s any) to prevent out-going Spam (filtering/throttling)

Out of the box, I’m not aware of one. I mean, Postfix offers some capabilities there (such as the smtp_destination_rate_delay option), but I don’t believe it’s as fine-grained as what you can do through Amavis.

harden a current version of PHP

Some folks tweak settings in the user’s php.ini file to harden PHP a bit… there’s a lot of safe_mode related settings that could increase security. Some also use the “disable_functions” option to prevent users from running certain commands.

Some distro’s offer PHP packages with the Suhosin hardening patch applied (including Ubuntu and Debian, I’m not sure about CentOS).

However, since apps that are installed depend on the PHP (and related) RPMs, you couldn’t just remove that and install a custom compiled PHP version… you’d need to have a PHP RPM of some sort. One way to do that would be to grab a source RPM for your preferred PHP version, apply your desired patches, compile the RPM, then install it.

secure shell-access to my customers

You may want to look into a shell that restricts the capabilities of your customers, such as lshell:

http://lshell.ghantoos.org/

That’s a good start for now, I’ll try to respond to your offsite question in just a bit :slight_smile:

-Eric

3

Howdy,

I did read all your thoughts. Thanks for your input, we’re certainly always interested in hearing what folks think.

A few notes about some comments you made –

sorta restrictiv regarding server config (no 3rd p.-repos

Well, it’s not that you can’t use a third party repo… moreso, it’s that not all third party repo’s are compatible with Virtualmin and with each other.

Not all ClamAV packages are built the same, for example. And although each may work just as well, they’re built differently and not compatible. Enabling a third party repo could cause it to try to bring down incompatible ClamAV packages.

So, the key in using third party repos is to enable the repo, and define which packages you want to bring down from it. Most packages are actually likely to work just fine.

I actually don’t understand, why you’re delivering your own packages instead of using the already existing stuff.

Believe it or not, we go out of our way not to provide our own packages :slight_smile:

We try to stick to distribution supplied packages where ever possible. When that’s not the case, there’s typically a pretty good reason.

That includes PHP – by default, the PHP version used is what’s included with the distro. The only time Virtualmin offers PHP is for folks who explicitly enable a bleeding edge repository on CentOS.

Unfortunately, CentOs ships with PHP 5.1.6, and many web apps don’t run on that version… so due to popular demand, we ended up offering a bleeding edge PHP 5.2.x package for folks needing to use web apps that required it.

I saw a few CPs offering Jail-configuration by default so I was very surprised, that Webmin doesn’t.

One of the problems there is that jailing SSH users only provides an appearance of security, not security itself. So long as the user can still browse the filesystem using a web-based file manager (since web apps aren’t chrooted), chrooting SSH doesn’t prevent the user from poking around.

However, if you were to install a tool such as lshell (or any other restrictive shell), you could configure new users to use it by default by going into System Customization -> Custom Shells.

I’ll look into some of your other ideas – and I still owe you some thoughts on mirroring and failover :slight_smile:

A quick answer there – the way we used to suggest mirroring was to automate a backup and restore to a remote system using the command line tools. I believe that Cloudmin is now handling some failover setup now, though I need to look into that more, I’m not actually familiar with how that feature works at the moment :slight_smile:

-Eric

4

Howdy,

There’s info on setting up a second server with a DNS slave configuration here:

http://www.virtualmin.com/documentation/dns/slave-configuration

And a secondary email server here:

http://www.virtualmin.com/documentation/email/hold-and-forward

The easiest way to sync user data (including accounts, MySQL data, and the like) would be to use the command line tools to generate backups of your main server, then restore them on the other server. You could include home directory data in those backups, or just use rsync to copy the user files.

Could this be realized with one pro-license or would I need to buy one for each server? Because the Domains are going be the same

Sure. The Virtualmin license allows for a hot-backup. If the domains on each server are the same, and the websites on the backup aren’t actively serving content (ie, it’s serving as a backup, not a live server), that’s no problem to run Virtualmin Pro on each server.

What’s the meaning of “Domains” in that context? Virtual Servers (customers) or the zones in my DNS?

A domain is a Virtual Server or Sub-Server added to Virtualmin (but not aliases).

So, no, it’s not DNS zone files specifically. Though, if you want Virtualmin to be able to manage DNS for a given domain, you’d typically need to first add that domain as a Virtual Server or Sub-Server.

Does that answer your question? :slight_smile:

Have a good one!

-Eric

5

Hi,

a brief update:

I got my postfix with amavisd-new, spamassassin (black-/white-DNS-checks), clamav, freshclam (+ additional sigs), razor, pyzor, DCC, postgrey and policyd (outgoing mail quota per user@domain or @domain - should avoid or at least minimize the risk of getting blacklisted) up and running. It was hell of a pain, because the CentOS 5.5 packages are incredible old and upgrading them seems to risky. That’s because neither the virtualmin-bleeding nor the EPEL-repos cover the necessary dependencies and ATrpms is not the kind of repo I want on my productive machine.

The next step will be the implementation of DKIM and SPF. If all works well till then, I’ll finally check how this can be paired with virtualmin. I’m currently not sure if the virtual-domains and user-aliases will work. I’m also unsure how to implement the spam-settings regarding the destination of spam/virus mails in the user-mailboxes and the handling of ham-/spam-addresses. I additionally had to disable the virtualmin-owned clamav, sa and postgrey daemons. Yet I’m not very experienced with these kind of configurations, but I’ve learned a lot so far. :smiley:

If all goes well I’ll write a HowTo.

Thank you for your clarification about the licensing. For me, it’s now way easier to understand your concept by declaring a domain as an customer, because I have some customers with 2 or 3 domains hosted on one account. Needlessly to say, that this made me a bit skeptical :smiley:
When I have finished the configuration of this server, I’ll get the second one and will try to get the backup/failover up and running… looking forward to finally try out the webmin cluster- and heartbeat features!
And btw. I’m was very surprised about the additional features of the pro-version - great job!

kind regards.

6

Howdy,

Thanks for your writeup!

I did want to clarify something though –

Thank you for your clarification about the licensing. For me, it’s now way easier to understand your concept by declaring a domain as an customer, because I have some customers with 2 or 3 domains hosted on one account.

In licensing terms, a domain is a Virtual Server, or a Sub-Server.

If a user adds 10 Sub-Servers to their account, that counts as 10 domains.

The exception there is aliases – if any of those 10 domains are aliases, that doesn’t count against your total domains.

If you have any other questions, just let us know,

-Eric