Basic Security Setup

Hello everyone!

It has been a while. Thanks again to everyone who helped me set up my web server. I am now trying to make it somewhat secure.

a) I turned off SSH, FTP and mail servers, since I don’t use them.

But I disabled them from the dashboard, and they are set to autostart at reboot.

b) I use long passwords and I update regularly.
c) I use SSL everywhere by default.
d) Only the necessary ports are open.

Are there any tips to make Virtualmin and Webmin secure? Also, I am running CentOS and I will try to strip it down as much as possible.

e) I am trying to hide the URL to access phpMyAdmin. I installed phpMyAdmin via script for each virtual server independently. But I cannot locate phpmyadmin.conf on my machine (even with an updated locate database) … I have tried having a look around myuser/public_html/phpmyadmin … I just cannot find a file with the Alias setting in it … it is not in config.inc.php … :thinking: :man_shrugging:

Thanks in advance and tons of love :heart_decoration:

Two things, @Centaro :

  1. Enable fail2ban, configure it to monitor the ports and services that you are using so that brute force attacks on your server can be contained.

  2. Enable 2FA for Webmin / Virtualmin for the important accounts, if not all accounts.

Hi @Calport :heart:

Fail2ban is enabled by default, but I don’t understand any of the menus in it.

I guess it is doing its job, though?

And I don’t know where 2FA is, but I am a big fan! Now searching for it …

Hi @Centaro well on my setup it is defo firewall, then f2b, and the last one is push notifications to all my mobile devices (I use Gotify for that) when anything is happening, especially for SSH logins :slight_smile: then at last I use bash to notify me of IP changes - you know I run on a residential ISP claiming a static IP, but just to be sure… I run my own bash script to check that every minute. For f2b (fail2ban) you can create your own regexes which make stuff much easier. Also for login to your own private stuff, I use SSL - no more passwords or user names etc… SSL works great for me and you can combine that with a valid Let’s Encrypt SSL, which means a valid padlock and your auth on top of the thingy. SSH of course: disable password and user name, only accept keys…

With that you should be secure, but do not forget PHP scripts etc… that is a different way to get in… I will be moving shortly from my WP to a static site generator blog which is pure bash and some HTML files… working the same as WP but no attacks at all can be done :wink: stay safe!

I think anyone using WordPress should also ensure their WordPress installation/s are running the Wordfence plugin. You need that (for me it’s a must-have) additional layer of security with CMS websites.

1 Like

Check that Fail2Ban is actually banning the IPs as opposed to telling you it’s banning them but actually not.

Recently I had

fail2ban-client status Postfix-SASL

telling me it had banned some IPs but an

iptables -nxv -L

showed no f2b-Postfix-SASL chains in the results. And the mail log still showed connection attempts from those IPs.

HIH

Dibs

Hi there,

wow, that idea with Gotify sounds very interesting to me. Do I need to set up Gotify on a separate server or can I set it up on the same one where Virtualmin is installed?

I followed your advice here and it is really nice to have 2FA on the CMS sites.

I think that is enough … and so I am not trying to change the log-in URL for the sites. Is 2FA enough or would you go the extra mile?

I just disabled them from the terminal. It is a more permanent solution.

You really are on another level … I don’t even know what I would use regexes on Fail2Ban for, let alone how. I am having a look at Fail2Ban … and I have jails running for services I don’t use like Postfix or Dovecot. My guess is that disabling them would be ok. I disable jails for features that I am sure I won’t use, but I keep jails enabled for protocols that I might use in the future like SSH and FTP, so I don’t forget to turn them on.

Also, I have tweaked the Jail Defaults so it is a little bit more strict.

Is there a jail for WordPress? I see there is one for Drupal, but I don’t use it.
I see there is one called mysqld_auth. Will this jail ban people trying to brute force MariaDB, even if it is through phpMyAdmin?


Gotify seems like a really good monitoring tool, but I have turned SSH off. It might be a good idea to set it up anyway. Do you have it run on the same machine as the webserver or on a different machine?


Thanks for your help y’all. More tips are always welcome. :peace_symbol:

You can also use the CSF firewall
https://configserver.com/cp/csf.html
There is also a Webmin module.

Thanks!

I am actually looking for actions to take rather than software recommendations. What is important to me is the security protocols that I might be missing. The software choice is secondary here.

@fabi you can set up Gotify anywhere… be it WAN or LAN or anywhere on the internet. My setup is on one domain within Virtualmin itself. But you can use it installed for example on domain1 on a separate server or hosting company and then use it in your scripts… basically you run whatever and include a curl call to the Gotify API with a message or even a command in the message body (in case of usage with bash), which you just point to the URL of your Gotify instance, be it your server running Virtualmin or whatever OS hosted somewhere else. Once the message reaches the API you will get a nice push-like notification, and it’s instant, at least for me it was.

@Dibs well for me it is actually banning the correct IPs for real. I kindly tested those things to just actually see if my setup was correct, and out of curiosity even wrote my personal regex for bots like mj12 etc… I don’t know your setup but on my end it is a rather simple config and running on Debian. I’ve never tested on any other OSes. Sorry.

@Centaro sure thing it is… you can write regexes yourself, but there is somewhere auth for web page logins; set this for about 3x fail to ban for a month… this would also be working with Apache basic password protection which you can use even for the WP login page only… like Apache password first, then WP username and password to log you in. In my case I do not use FTP… left FTP behind sometime in 2007. On my server I do not use jails as well. As my server acts as primary hosting for mainly only my sites and resources, however an SSH normal user would never be able to open anything which does not belong to him. On top of that generating an SSH key for anyone takes a few seconds, so no passwords on my SSH as I set it up to SSH keys only, means without keys SSH will not let you in.

FTP is very old, it’s not secure at all. Don’t get me wrong, it’s a great file transfer protocol to be used in LAN networks or home networks or for public domains to host and share whatever files, which means without user names or passwords; otherwise it’s dangerous if not used with SSL certs or not via VPN to the network where the server sits and then actually connecting to FTP with username and password. You know, if you SSH into a server via FileZilla you wouldn’t even know you’re using SSH and not FTP. But if you like FTP it’s okay, this is only my own opinion regarding FTP.

Note: I also should mention SSL authentication which is awesome. You can even have a simple website accessible only if you have the correct SSL cert installed in your browser, which means no more passwords - uhm, something like SSO but without passwords and usernames, and what’s great about it, you can use this together alongside Let’s Encrypt. This is much more secure than passwords and also much more private, as you will become the cert CA yourself so you can revoke client certs when needed or issue new ones :slight_smile:

No worries @unborn. I thought to mention it - it might be an OS issue or could be a Fail2Ban issue (for that version). I did see reports on GitHub about it.

I suppose - always best to test & verify. :slight_smile:

Cheers

Dibs

1 Like

Also I forgot to mention that you can use Gotify for anything you would like to monitor, for example not only who logs into the terminal but also if a backup fails, or if it succeeds, or your HDD gets full to some sort of level like 95%, or perhaps when f2b bans an IP (this one would be rather spamming your mobile with messages, as I’m not sure how many bans you have per day), or when an update is done, or when a cron job gets executed, or your public IP gets changed etc. The fact that you can use it with your scripts or system stuff, be it on a server or even a laptop, makes it very beautiful.

Edit: regarding WP and PMA, a very simple and very effective solution to prevent brute force comes to my mind - you can secure this via .htaccess as well… force wp-admin and PMA to load only via SSL and allow only desired IPs to load the page; the rest simply would not be able to connect to it or load the login page at all.

Edit 2: you can use one PMA installation for all domains on one single domain; you don’t have to install it via scripts for each domain… just one install on one central domain where you are able to log in via root or via a domain user. Keep in mind installing PMA for each domain separately does nothing except make it easier for uglies to reach it for brute force etc… one PMA (phpMyAdmin) install is a GUI for every domain on your server.

1 Like
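As an added example (not code from any poster in this thread): a POSIX shell script that does the cross-check Dibs describes above, comparing a jail's "Banned IP list" from fail2ban-client status with the REJECT/DROP rules in the matching f2b-<jail> iptables chain, and sends the Gotify curl call unborn mentions when a reported ban is not actually enforced. The sample command outputs are constructed, and GOTIFY_URL / GOTIFY_TOKEN are placeholders for your own server and app token.

```shell
#!/bin/sh
# Added example: verify that fail2ban's reported bans exist in iptables,
# and push a Gotify notification when they do not.
# GOTIFY_URL / GOTIFY_TOKEN are placeholders; set them to your own server and app token.
GOTIFY_URL=${GOTIFY_URL:-https://gotify.example.invalid}
GOTIFY_TOKEN=${GOTIFY_TOKEN:-REPLACE_WITH_APP_TOKEN}
# Constructed sample output of: fail2ban-client status Postfix-SASL
SAMPLE_F2B='Status for the jail: Postfix-SASL
|- Filter
|  `- Currently failed: 2
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   198.51.100.23 203.0.113.9'
# Constructed sample output of: iptables -nxv -L f2b-Postfix-SASL (only the first IP has a rule)
SAMPLE_IPT='Chain f2b-Postfix-SASL (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 REJECT     all  --  *      *       198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
     210    12600 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# IPs the jail claims to have banned, one per line.
f2b_banned_ips() {
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# IPs reported banned that have no REJECT/DROP rule in the chain output, one per line.
missing_bans() {
    for ip in $(f2b_banned_ips "$1"); do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
        printf '%s\n' "$2" | grep -Eq "[[:space:]](REJECT|DROP)[[:space:]].*[[:space:]]$ip_re[[:space:]]" \
            || echo "$ip"
    done
}

# Exit status 0 when every reported ban has a matching rule, 1 otherwise.
check_jail_enforced() {
    [ -z "$(missing_bans "$1" "$2")" ]
}

# Gotify push via its HTTP API: POST /message?token=<apptoken> with title/message/priority fields.
gotify_push() {
    curl -sS -o /dev/null -X POST "$GOTIFY_URL/message?token=$GOTIFY_TOKEN" \
        -F "title=$1" -F "message=$2" -F "priority=${3:-5}"
}

# Live use: sh check_f2b.sh Postfix-SASL   (fail2ban names the chain f2b-<jail>)
if [ -n "${1:-}" ]; then
    missing=$(missing_bans "$(fail2ban-client status "$1")" "$(iptables -nxv -L "f2b-$1")")
    [ -z "$missing" ] || gotify_push "fail2ban: jail $1 not enforcing bans" "$missing" 8
fi
```

Run it from cron with the jail name as argument; with no argument it only defines the functions, so it can be sourced for testing against captured output.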

Thanks everyone for the tips pointing me to WordFence, Gotify and the PMA set-up.

@unborn, I got Gotify to run over HTTP, but you said you have it set up on a Virtualmin server, and I think it would be really neat to have Virtualmin automatically renew the Let’s Encrypt certificate, but I cannot manage it. Maybe you know what I’ve done wrong.

Thus far,

1 - I have created a virtual server and a sub-server on ViMin and requested the SSL certificates for both.

2 - Then I have set up the ports for HTTP and HTTPS to XXXX and XXXY on the sub-server I want to use (because Gotify uses Nginx by default and I think it is easier to just change the ports)

3 - I have edited Gotify’s config file to have HTTP listen on XXXX, ssl enabled true, redirecttohttps true, HTTPS listen on XXXY, letsencrypt enabled true, accepttos (tried both true and false … I don’t know what it is), and on hosts subserver.mydomain.tld … also got subserver.mydomain.tld on allowedorigins.

The error I get is a TLS handshake error where my public IP is followed by a totally random port … and it says I am missing the certificate. So I don’t know what is wrong … all 3 applications are set up to use the same ports … Gotify, Virtualmin’s sub-server and my client. :thinking: