Default Security Risks


I’ve been using Virtualmin for about 2 months with mostly all default settings. Are there any security risks I should be aware of with the default settings?


The security risk is probably DDoS. Virtualmin is using a firewall called Fail2Ban, and if you set up Fail2Ban jails you will be able to reduce DDoS attacks.

If you are talking about XSS/SQL injection, I don’t know, but I recommend you avoid port forwarding for 10000 (Webmin) and 20000 (Usermin).

See my comment here and the messages before and after it.

Perfect. Thanks

Great points

@rlit of course they are there… it’s kind of normal and expected. But you should be fine if you run everything up to date and, if using a CMS, be it WP or Joomla, use well-coded themes and (not a lot of) plugins.

I could personally recommend:

  • disable SSH access with username and password, basically leave it on as SSH key authorisation only; without an SSH key = no music. This way you can even forget about brute force attacks and keep it on port 22
  • avoid FTP altogether - no need for that as you have SSH (for example using FileZilla, you won’t even know you are using SSH instead of FTP)
  • avoid http on all login pages - use SSL aka https
  • set up automated backups and keep them in rotation for at least one week - basically back up the whole server in the middle of the night or something every day, including databases… Rotate these backups every last day so when something goes wrong you can keep a copy of the corrupted version for investigative purposes but also have a way to restore things immediately within the last 7 days, aka a sort of time-back machine
  • if you are paranoid, set up SSH to inform you every time someone logs in over SSH, by email or via instant messages - Telegram or Gotify
  • set up fail2ban for CMS logins, and if you host only for yourself, add your IP into your htaccess so that only it is able to log in
  • use well-coded themes with your CMS
  • use as few, and as well-coded, plugins as possible with your CMS
  • if you are paranoid - close port 10000 and connect to port 10000 via VPN (if you are not on the same LAN), but this is not needed, just use a strong password for root
  • avoid sudo… keep the root account separate from any other users. When installing the OS, set a root password separate from the normal account. When on the server you can always type su and hit enter, and you become root after entering the correct password. You won’t need sudo … any more.

1 Like
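
An added example, not part of the original posts, for the SSH key-only suggestion above: a shell check over the effective configuration that `sshd -T` prints, which also catches keyboard-interactive (PAM) password prompts left enabled. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an effective sshd configuration dump, i.e. the
# lowercase "keyword value" lines that `sshd -T` prints.

# Print the value of keyword $1 in dump $2, or the fallback $3 if absent.
effective() {
    value=$(printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == k { print $2; exit }')
    printf '%s\n' "${value:-$3}"
}

# Print one line per finding; return 1 if any check fails.
audit_sshd() {
    dump=$1
    rc=0
    # Fallbacks are the OpenSSH defaults, used when a keyword is missing.
    if [ "$(effective passwordauthentication "$dump" yes)" != "no" ]; then
        echo "FAIL passwordauthentication: password logins accepted"
        rc=1
    fi
    # keyboard-interactive goes through PAM and can still ask for a password
    # when passwordauthentication is "no". Older OpenSSH releases print this
    # keyword under the name challengeresponseauthentication.
    kbd=$(effective kbdinteractiveauthentication "$dump" "$(effective challengeresponseauthentication "$dump" yes)")
    if [ "$kbd" != "no" ]; then
        echo "FAIL kbdinteractiveauthentication: PAM password prompts possible"
        rc=1
    fi
    if [ "$(effective pubkeyauthentication "$dump" yes)" != "yes" ]; then
        echo "FAIL pubkeyauthentication: key logins off, risk of lockout"
        rc=1
    fi
    return $rc
}

# Constructed sample dumps (not taken from a real server).
SAMPLE_DEFAULT='port 22
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'

SAMPLE_KEYONLY='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Real use, as root on the server: audit_sshd "$(sshd -T)"
```

Confirm that a key login works in a second session before reloading sshd with password authentication turned off.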


Very well done.
