Basic Security Setup

Hello everyone!

It has been a while. Thanks again to everyone who helped me set up my web server. I am now trying to make it somewhat secure.

a) I turned off SSH, FTP and mail servers, since I don’t use them.


But I disable them from the dashboard and they are set to autostart at reboot.

b) I use long passwords and I update regularly.
c) I use SSL everywhere by default.
d) Only the necessary ports are open.

Are there any tips to make Virtualmin and Webmin secure? Also, I am running CentOS and I will try to strip it off as much as possible.

e) I am trying to hide the URL to access phpMyAdmin. I installed phpMyAdmin via script for each virtual server independently. But locate cannot find phpmyadmin.conf on my machine (with updated database) … I have tried having a look around myuser/public_html/phpmyadmin … I just cannot find a file with the Alias setting in it … it is not in config.inc.php … :thinking: :man_shrugging:

Thanks in advance and tons of love :heart_decoration:

Two things, @Centaro :

  1. Enable fail2ban, configure it to monitor the ports and services that you are using so that brute force attacks on your server can be contained.

  2. Enable 2FA for Webmin / Virtualmin for the important accounts, if not all accounts.

Hi @Calport :heart:

Fail2ban is enabled by default, but I don’t understand any of the menus in it.

I guess it is doing its job, though?

And I don’t know where 2FA is, but I am a big fan! Now searching for it …

Hi @Centaro, well, on my setup it is defo firewall, then f2b, and the last one is push notifications to all my mobile devices (I use gotify for that) when anything is happening, especially for ssh logins :slight_smile: Then at last I use bash to notify me of IP changes - you know, I run on a residential ISP claiming a static IP, but just to be sure… I run my own bash to check that out every minute. For f2b (fail2ban) you can create your own regexes, which makes stuff much easier. Also, for login to your own private stuff, I use ssl - no more passwords or user names etc… ssl works great for me and you can combine that with a valid Let’s Encrypt ssl, which means a valid padlock and your auth on top of the thingy. For ssh, of course, disable password and user name and only accept keys…

With that you should be secure, but do not forget php scripts etc… that is a different way to get in… I will be moving shortly from my wp to a static site generator blog which is pure bash and some html files… working the same as wp but no attacks at all can be done :wink: Stay safe!

I think anyone using WordPress should also ensure their WordPress installation/s are running the Wordfence plugin. You need that (for me it’s a must-have) additional layer of security with CMS websites.

2 Likes

Check that Fail2Ban is actually banning the IPs as opposed to telling you it’s banning them but actually not.

Recently I had

fail2ban-client status Postfix-SASL

telling me it had banned some IPs but an

iptables -nxv -L

showed no f2b-Postfix-SASL chains in the results. And the mail log still showed connection attempts from those IPs.

HIH

Dibs
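An added example, not part of any post in this thread: one way to run the cross-check described above, listing IPs that fail2ban-client reports as banned but that have no REJECT or DROP rule in the jail's f2b- chain. The sample outputs and function names are constructed, and the script assumes an iptables-based ban action; bans applied through ipset, nftables or firewalld do not appear in that chain.

```shell
#!/bin/sh
# Added example, not from the thread. Both samples are constructed; on a live host
# pass "$(fail2ban-client status JAIL)" and "$(iptables -n -L)" instead.
SAMPLE_STATUS='Status for the jail: Postfix-SASL
|- Filter
|  `- Currently failed: 1
`- Actions
   |- Currently banned: 2
   `- Banned IP list: 203.0.113.7 198.51.100.23'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target            prot opt source        destination
f2b-Postfix-SASL  tcp  --  0.0.0.0/0     0.0.0.0/0   multiport dports 25,465,587

Chain f2b-Postfix-SASL (1 references)
target  prot opt source        destination
REJECT  all  --  203.0.113.7   0.0.0.0/0   reject-with icmp-port-unreachable
RETURN  all  --  0.0.0.0/0     0.0.0.0/0'
# The situation from the post: bans are reported but no f2b chain exists.
SAMPLE_NO_CHAIN='Chain INPUT (policy ACCEPT)
target  prot opt source        destination'

# Print the banned IPs, one per line, from fail2ban status text on stdin.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print source IPs with a REJECT or DROP rule in chain $1 (iptables listing on stdin).
chain_blocked_ips() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && /REJECT|DROP/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/32)?$/) {
                    sub(/\/32$/, "", $i); print $i; break
                }
        }'
}

# $1 = jail, $2 = fail2ban status text, $3 = iptables listing.
unenforced_bans() {
    blocked=$(printf '%s\n' "$3" | chain_blocked_ips "f2b-$1")
    printf '%s\n' "$2" | banned_ips | while read -r ip; do
        printf '%s\n' "$blocked" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

unenforced_bans Postfix-SASL "$SAMPLE_STATUS" "$SAMPLE_IPTABLES"   # prints 198.51.100.23
```

Any address this prints is one fail2ban believes is banned while the firewall is still letting it through.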

Hi there,

wow, that idea with Gotify sounds very interesting to me. Do I need to set up Gotify on a separate server or can I set it up on the same one where Virtualmin is installed?

I followed your advice here and it is really nice to have 2FA on the CMS sites.

I think that is enough … and so I am not trying to change the log-in URL for the sites. Is 2FA enough or would you go the extra mile?

I just disabled them from the terminal. It is a more permanent solution.

You really are on another level … I don’t even know what I would use regex’s on Fail2Ban for, let alone how. I am having a look at Fail2Ban … and I have jails running for services I don’t use like Postfix or Dovecot. My guess is that disabling them would be ok. I disable jails for features that I am sure I won’t use, but I keep jails enabled for protocols that I might use in the future like SSH and FTP, so I don’t forget turning them on.

Also, I have tweaked the Jail Defaults so it is a little bit more strict.

Is there a jail for Wordpress? I see there is one for Drupal, but I don’t use it.
I see there is one called mysqld_auth. Will this jail ban people trying to brute force mariadb, also even if it is through phpMyAdmin?


Gotify seems like a really good monitoring tool, but I have turned SSH off. It might be a good idea to set it up anyway. Do you have it run on the same machine as the webserver or on a different machine?


Thanks for your help y’all. More tips are always welcome. :peace_symbol:

you can also use csf firewall
https://configserver.com/cp/csf.html
there is also a webmin module

1 Like

Thanks!

I am actually looking for actions to take rather than software recommendations. What is important to me is the security protocols that I might be missing. The software choice is secondary here.

@fabi you can set up gotify anywhere… be it wan or lan or anywhere on the internet. My setup is on one domain within virtualmin itself. But you can use it installed, for example, on domain1 on a separate server or hosting company and then use it in your scripts… basically you run whatever and include a curl call to the gotify api with a message or even a command in the message body (in case of usage with bash), which you just point to the url of your running gotify, be it your server running virtualmin or whatever os hosted somewhere else. Once the msg reaches the api you will get a nice push-like notification, and it’s instant, at least for me it was.

@Dibs well, for me it is actually banning the correct IPs for real. I kindly tested those things to just actually see if my setup was correct, and out of curiosity even wrote my personal regex for bots like mj12 etc… I don’t know your setup, but on my end it is a rather kindly simple config, running on debian. I’ve never tested on any other OSes. Sorry.

@Centaro sure thing it is… you can write the regex yourself, but there is somewhere an auth one for web page logins; set this for about 3x fail to ban for a month… this would also be working with apache basic password protection, which you can use even for the wp login page only… like apache password first, then wp username and password to log you in. In my case I do not use ftp… left ftp behind sometime in 2007. On my server I do not use jails as well, as my server acts as primary hosting for mainly only my sites and resources; however, a normal ssh user would never be able to open anything which does not belong to him. On top of that, generating an ssh key for anyone takes a few seconds, so no passwords on my ssh as I set it up for ssh keys only, which means without keys ssh will not let you in.

FTP is very old, it’s not secure at all. Don’t get me wrong, it’s a great file transfer protocol to be used in lan networks or home networks, or for public domains to host and share whatever files, which means without user names or passwords; otherwise it’s dangerous if not used with ssl certs or via a vpn to the network where the server sits, and then actually connecting to ftp with username and passwords. You know, if you ssh into the server via FileZilla you wouldn’t even know you’re using ssh and not ftp. But if you like ftp it’s okay, this is only my own opinion regarding ftp.

Note: I also should mention ssl authentication, which is awesome. You can even have, like, a simple website accessible only if you have the correct ssl cert installed in your browser, which means no more passwords - uhm, something like sso but without passwords and usernames, and what’s great about it, you can use this together alongside Let’s Encrypt. This is much more secure than passwords and also much more private, as you will become the cert CA yourself, so you can revoke client certs when needed or issue new ones :slight_smile:

No worries @unborn. I thought to mention it - it might be an o/s issue or could be a Fail2Ban issue (for that version). I did see reports on GitHub about it.

I suppose - always best to test & verify. :slight_smile:

Cheers

Dibs

1 Like

Also, I forgot to mention that you can use gotify for anything you would like to monitor, for example not only who logs into the terminal but also if a backup fails, or if it succeeds, or your hdd gets full to some sort of level like 95%, or perhaps when f2b bans an IP (this one would be rather spamming your mobile with messages, as I’m not sure how many bans you have per day), or when an update is done, or when cron gets executed, or your public IP gets changed etc. The fact that you can use it with your scripts or system stuff, be it on a server or even a laptop, makes it very beautiful.

edit: regarding wp and pma, a very simple and very effective solution to prevent bruteforce comes to my mind - you can secure this via htaccess as well… force wp-admin and pma to load only via ssl and allow only desired IPs to load the page; the rest just simply would not be able to connect to it or load the login page at all.

edit2: you can use a pma installation for all domains on one single domain, you don’t have to install it via scripts for each domain… just one install on one central domain where you are able to log in via root or via domain user. Keep in mind installing pma for each domain separately does nothing except make it easier for uglies to reach it for brute force etc… one pma (phpMyAdmin) install is a gui for every domain on your server.

1 Like
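An added example, not part of any post in this thread: the public-IP and 95% disk checks described above, pushed through Gotify's message API with curl. The URL, token, state-file path and function names are placeholders or assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not code from the thread. GOTIFY_URL, GOTIFY_TOKEN and the
# state-file path are placeholders to replace with your own values.
GOTIFY_URL="${GOTIFY_URL:-https://gotify.example.invalid}"
GOTIFY_TOKEN="${GOTIFY_TOKEN:-REPLACE_WITH_APP_TOKEN}"

# Push one message. The app token goes in the X-Gotify-Key header rather than
# the ?token= query string, so it stays out of proxy access logs.
gotify_push() {  # $1 = title, $2 = message, $3 = priority (default 5)
    curl -fsS --max-time 10 -H "X-Gotify-Key: $GOTIFY_TOKEN" \
        -F "title=$1" -F "message=$2" -F "priority=${3:-5}" \
        "$GOTIFY_URL/message" >/dev/null
}

# Remember address $1 in state file $2. Prints a message and returns 0 only
# when a previously recorded address differs; the first run just records it.
ip_changed() {
    old=$(cat "$2" 2>/dev/null || true)
    printf '%s\n' "$1" > "$2"
    if [ -n "$old" ] && [ "$old" != "$1" ]; then
        printf 'public IP changed: %s -> %s\n' "$old" "$1"
        return 0
    fi
    return 1
}

# Read `df -P` output on stdin and print every mount at or above $1 percent.
full_disks() {
    awk -v limit="$1" 'NR > 1 { use = $5; sub(/%/, "", use)
        if (use + 0 >= limit) print $6 " is " $5 " full" }'
}

# Cron entry point (every minute): $1 = current public IP, however you look it up.
run_checks() {
    msg=$(ip_changed "$1" "${STATE_FILE:-/var/tmp/public_ip.last}") &&
        gotify_push "IP change" "$msg" 8
    msg=$(df -P | full_disks 95)
    [ -z "$msg" ] || gotify_push "Disk space" "$msg" 6
}
```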

Thanks everyone for the tips pointing me to WordFence, Gotify and the PMA set-up.

@unborn, I got Gotify to run over http, but you said you have it set up on a Virtualmin server, and I think it would be really neat to have Virtualmin automatically renew the Let’s Encrypt certificate, but I cannot manage. Maybe you know what I’ve done wrong.

Thus far,

1 - I have created a virtual server and a sub-server on ViMin and requested the SSL certificates for both.

2 - Then I have set up the ports for HTTP and HTTPS to XXXX and XXXY on the sub-server I want to use (because Gotify uses Nginx by default and I think it is easier to just change the ports)

3 - I have edited Gotify’s config file to have HTTP listen on XXXX, ssl enabled true, redirecttohttps true, HTTPS listen on XXXY, letsencrypt enabled true, accepttos (tried both true and false … I don’t know what it is), and on hosts subserver.mydomain.tld … also got subserver.mydomain.tld on allowedorigins.

The error I get is a TLS handshake error where my publicip is followed by a totally random port … and it says I am missing the certificate. So I don’t know what is wrong … all 3 applications are set up to use the same ports … Gotify, Virtualmin’s subserver and my client. :thinking:

Hi, sorry for the late reply, but I had a really busy schedule this week (working nights). I can write some quick docs for you on how I use it… I mean my setup, but I have a great idea: how about a video tutorial? I can explain it and show it within a few minutes instead of lengthy lines of text… If you want, I’ll make a video and post it somewhere like youtube, or perhaps we can talk via whatsapp, whatever…

Regarding my setup, all I’ve done, in simple words: I run the binary file with a config file where I set everything up, and then proxy the whole port out via apache. Simple like that. https, like using it with Let’s Encrypt, is possible; however, you would have to edit one of the apache conf files… just add one line and you are done… Let’s Encrypt renewal works independently from gotify, and with htaccess you can force only the https version of gotify to load. I do not force it, as I do not know how useful the notification info could be that someone has logged in to my server, or mom’s ip changed, or the update script finished etc… but I can help you with that.

I have no idea on proxying … this is one more thing I will have to learn. Is your domain set-up on ViMin though?

A video on YouTube will help not just me, but probably some other people, who might be looking into Gotify in general. It would be really nice of you, but of course, you don’t have to unless you feel inspired and you have time and energy for it.

I am trying to find information on proxying Gotify traffic through apache … but I can only find this: https://gotify.net/docs/apache

Is that the answer? :thinking:

hi @Centaro - I am very sorry for the late reply - but basically, as a key worker, I am working 6 days in a row of night shifts in a shop and 4 days as an ICT dev somewhere else. That means it takes its toll regarding how tired a human can get :slight_smile: anyway… I will do the video on the 23rd of this month so it will become clear to you (and anyone else) what I was talking about. Basically, let’s set this up as you want. Yes, the link you posted is correct; however, the link and documentation assume that you already know some stuff which could be beyond your knowledge (I am not being offensive there or anything - it’s just that I will explain properly, step by step…) but yes, that’s the answer, basically put out there…

edit yes I am running everything on virtualmin GPL! :slight_smile:

Hi @unborn!

I have worked a bit on my set-up and some things are working now. The websites are running on ports 80 and 443 through virtualmin, Gotify http is running on an arbitrary non-standard port, and the only thing I am missing is the SSL certificate to also work on another arbitrary port, so I can run Gotify https over it.

Tried one configuration accepting Let’s Encrypt TOS and one without accepting them.

image

Here is a sample of my config file.

I also tried copying the domain’s ssl.* files to data/certs, and I also tried changing the path from data/certs to the place where the ssl.* files for the domain are.

I have no idea what to try next. Looking forward to your video @unborn