I have a fresh installation with 2 virtual servers active. Proftpd is installed but currently stopped. However I am still able to use Filezilla with the SFTP - SSH protocol and access files on the site. The chroot and file directory restrictions seem to be ignored.
How is it possible to have FTP service when Proftpd is stopped? Is there a 2nd FTP server that is also enabled by the initial Virtualmin installation?
You said it yourself…it's SSH. Some FTP clients also speak SSH, and it is possible to interact with SSH in an FTP-like manner. If you don't want a user to have ssh, you need to set their shell to something that can't login.
If you want chroot, you need to enable Jails (but jails are not really a security feature…filesystem permissions provide security, Jails are just an aesthetic thing).
It doesn't matter much what port ssh runs on. A determined attacker won't be put off by using different ports, at which point the only security you have is the strength of your passwords (and the excellent security record of OpenSSH). Port knocking is probably an effective deterrent, but too complicated to ask less technical users to use (so is changing service ports, for that matter).
Not by itself, no. But if you also use CSF's "Port Scan Tracking" feature on all the commonly-abused default ports (including those for other operating systems, like 3389 for Windows RDP), you at least stop the bots and script kiddies. (It may also be doable in fail2ban. I'm not familiar with fail2ban other than knowing that it exists.)
Agreed. But a lot of attackers (probably most) are dumb bots and random miscreants.
Another reason why CSF is a good tool. All you have to do is fill in the ports and protocols (in a GUI, mind you) to enable it. It's configured, but not enabled, by default. There are reasons why @Ilia and I love CSF.
Maybe these and other SSH-hardening strategies (keys, authorized users, etc.) can be built into Virtualmin so they can be done from the GUI by less-sophisticated users. They're really not all that hard to do from the terminal, but they carry the risk of users locking themselves and other authorized users out due to syntax errors and other dumb admin tricks.
Then again, if Virtualmin can modify those settings, then Virtualmin itself becomes a potential security risk. So maybe not.
EDIT: The other benefit to changing the service port is that it gives the SSH daemon a break. The failed logins reported by SSH are typically zero when it's running on a non-standard port. They've all been swatted away by the firewall like so many flies.
Personally, I like changing default ports for SSH and other services (when possible), and blocking all attempts to perform port-scanning, because it helps to keep the server logs much cleaner from "garbage" generated by the ridiculous amount of attempts when bots try to connect/authenticate. It is a waste of drive I/O.
tsdo "fail2ban-client status sshd"|grep "Total banned"
|- Total banned: 9168
|- Total banned: 1292
|- Total banned: 126
|- Total banned: 78
|- Total banned: 195
|- Total banned: 61
|- Total banned: 505
|- Total banned: 13810
I don't mean the system administrator of the server. I mean regular users…the web developers uploading content, the clients uploading images, etc. Sure, if you just run your servers for your own use and don't have any less technical users, go nuts. Make it as hard to use as you like!
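
The point made earlier in the thread, that an account can reach files over SFTP whenever its shell is one that can log in, can be checked by listing such accounts from passwd-format data. This is an added example, not part of any poster's reply; the set of non-login shells and the sample passwd entries are assumptions constructed for illustration.

```python
"""List accounts whose shell permits SSH/SFTP logins (added example)."""
import sys
from typing import NamedTuple

# Assumption: these shells refuse logins on the system being audited.
NON_LOGIN_SHELLS = frozenset(
    {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
)


class Account(NamedTuple):
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Yield Account records from passwd(5)-format text, skipping bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        # An empty shell field means /bin/sh, which does allow logins.
        yield Account(fields[0], int(fields[2]), fields[5], fields[6] or "/bin/sh")


def ssh_capable(text, non_login=NON_LOGIN_SHELLS):
    """Return the accounts whose shell is not in the non-login set."""
    return [a for a in parse_passwd(text) if a.shell not in non_login]


# Constructed sample input; user names and paths are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
example:x:1001:1001::/home/example:/bin/bash
webdev.example:x:1002:1001::/home/example/homes/webdev:/bin/false
uploads.example:x:1003:1001::/home/example/homes/uploads:
broken line without fields
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for acct in ssh_capable(data):
        print(f"{acct.name}\tuid={acct.uid}\tshell={acct.shell}\thome={acct.home}")
```

Run it with `/etc/passwd` as the argument to audit a real host; with no argument it uses the constructed sample.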