Is it safe to expose virtualmin to Internet

**Operating system:** Debian
**OS version:** 10

I’ve been using Webmin/Virtualmin exposed to the Internet for about 6 years and have had no problems. I know about the 2019 backdoor, but I had no problem.
Now I’m a bit worried because I read everywhere that Virtualmin should not be exposed to the Internet because the Perl subsystem is vulnerable.
I think many people talk without actually having the knowledge, and because there are other, more popular tools.
What do you think about it?

Yes.

  • Do you know what you’re doing? Did you set it up safely?

I think yes, I know what I’m doing about managing a Webmin system and a Linux server. What I would like to know is if it’s safe to have the Webmin port 10000 exposed to the Internet, because I’m not a Webmin programmer and I don’t know about its internal architecture.

@borjaevo Yes it is. Use a very strong password and you should be safe; however, please keep in mind that as soon as you open port 10000 to the Internet there could be some bots who would try. With a strong password, no chance… I did close my port once a site got a peak of 10k per second due to my bandwidth limitations, and now I connect easy peasy to the port via OpenVPN or SSH (with key auth only) and it’s a safe haven.

This is completely bizarre. Sorry. Virtualmin was not affected by that Perl issue you’re talking about. Besides, those other Perl issues should be fixed upstream by now.

It is safe to have it exposed to the internet.

… because I read everywhere

Where exactly did you read this?


Probably the same place that fellow read there were 183 steps to installing Virtualmin rather than just two.

You might use two-factor login for extra safety.
I use Authy, which is free and works well with Virtualmin.

One of the first things to do would be to reconfigure the standard ports to obscure ones that you can remember: SSH, Webmin, Usermin etc. These are all well-known ports and, as has been said, there are bots looking for the uninitiated! Stop password authentication on SSH and only connect via SSH keys. Ensure root login is disabled.

There are many other things you can google, but that is where I would start first.

Cheers
Spart

Well, that is true only for bots; however, new-generation bots will not only try those standard ports but scan what other ports are open and listening… and the same goes for humans: they almost 99% always scan all open ports…

The first thing to do should be to disable SSH password auth, enable only SSH login via SSH keys, and deploy fail2ban properly. SSH key auth only will kill all brute force instantly, even real human attempts. I never used 2F auth as I don’t need it, and I’ve been with Virtualmin for a very, very long time, all safe, and never changed a single port. Perhaps the safest would be to deploy OpenVPN and keep ports 10000 and 20000 behind NAT. The rest would be taken care of by fail2ban.

I read it in Telegram groups but also on Reddit. If you look for my topic title in Google you will get a lot of results about people not recommending exposing Webmin to the Internet and talking about Perl vulnerabilities.

Thanks for the advice, I will definitely take a look.

I already have SSH password auth disabled, except for some vhosts whose people require connecting via SFTP to upload files and do stuff with their websites. I also have fail2ban.
I really don’t know the reason why people say that; maybe it was a rumour that has spread. I also don’t understand why people say Perl is insecure.
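The two posts above come down to one global sshd setting (password auth off for everyone, keys only) plus a per-group exception for SFTP customers. The script below is an added example, not code from the thread, Virtualmin or OpenSSH: it audits the global section of an sshd_config for the settings recommended here while leaving a `Match Group sftponly` exception alone. The file contents and the group name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, Virtualmin or OpenSSH): audit the global
# sshd_config settings recommended above, key-only login and no root login.
# sshd keeps the first value it sees for a keyword, and lines after the first
# "Match" apply only to matched users, so "Match Group sftponly" can allow
# passwords for SFTP customers while everyone else stays key-only.

# sshd_effective KEYWORD FILE -> first global value (lowercased) or "default"
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }         # comment/blank
        tolower($1) == "match"                { exit }        # end of globals
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print "default" }
    ' "$2"
}

# sshd_audit FILE -> "ok", or one FINDING line per weak directive and rc 1.
# OpenSSH defaults PasswordAuthentication to yes, so unset counts as weak.
sshd_audit() {
    rc=0
    for pair in PasswordAuthentication:no PermitRootLogin:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is '$got' (expected '$want')"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Constructed sample: key-only globally, passwords only for the sftp group.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
Match Group sftponly
    PasswordAuthentication yes
    ForceCommand internal-sftp
EOF
# Constructed sample: passwords still enabled for everyone.
BAD_CFG=$(mktemp)
printf 'PermitRootLogin no\nPasswordAuthentication yes\n' > "$BAD_CFG"

sshd_audit "$GOOD_CFG"          # ok
sshd_audit "$BAD_CFG" || true   # FINDING: PasswordAuthentication is 'yes' ...
```

Run it against `/etc/ssh/sshd_config` (as root) instead of the sample files; `sshd -T` is the authoritative view of effective values, but this keeps the Match-block distinction visible.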

Well, perhaps they do not understand; perhaps they do but don’t see your setup or how it should be set up… Don’t worry about rumours etc. Go bare metal yourself and you will see :wink:

I have used Virtualmin since January 2011, and Webmin since 2009-ish? Virtualmin, uhm, I think I discovered by accident around early 2010 on the Webmin site… Back then I was one of those hooked on the “unlimited” palaver rubbish with terrible services and did not know a single fart about web stuff except some HTML. Hell, you can read my ancient blog post about it here: Hosting-your-site-from-home-or-office.md | « George Suba – My Blog, and with the years to come I learned a lot as well.

Note: it’s an ancient post; recently I’ve moved from WordPress to bash and markdown and will blog more very soon, with much more technical stuff :wink: Anyway, Virtualmin/Webmin is very safe, I can assure you, but you need to think and know what you’re doing. With all mentioned above from folks, I don’t see why you would not use this awesome open-source stuff.

Probably the same people that leave their username as ‘admin’ and their password as ‘password’.


Sorry, I have checked but couldn’t find anything obvious. Can you please share the exact links?


Is exposing Virtualmin port 10000 to the Internet safe?
Technically, the answer is no. No system is ever “safe”.
Even the NSA and the Pentagon got hacked.
But whilst we can’t make it 100% safe, we can reduce the risk to almost negligible levels by following best practice. Basically, the idea is to make gaining access so hard versus the rewards that hackers go elsewhere LOL

Many good security ideas have already been listed here so I won’t go into detail.
Keep your system patched and up to date. Use strong passwords & multi-factor authentication. Remove username/password logins. Enable the firewall and limit access etc.

Like many of the other users, I am not a full-blown techie, so this isn’t about being a security guru.
Just do the basics of good server admin right.

I have run many Webmin/Virtualmin servers for more than 10 years and have never been hacked via port 10000.


So, I don’t remember much about the default firewalling of Virtualmin, mostly because we don’t use it. I don’t remember if fail2ban is part of the default configuration or not.

For several years now, we have been running CSF firewall with LFD on all our Internet-facing (Linux) hosts. After learning about CSF, I feel it is dramatically better (easier?) than iptables and fail2ban. I have used many firewall flavors (iptables) and fail2ban in the past, but not any more.

Further, if you have multiple Internet-facing (bastion) hosts, the simple clustering of CSF+LFD is fantastic! This may be the best, most important feature for service providers.

This is a link to some of my CSF+LFD notes:

https://virtualarchitects.com/wiki/doku.php?id=networking:firewall:csf

I can provide more info if needed.

G


So, to recap…

Switch all services to non-standard ports.
Only use keys to login to SSH (and disable password access).
Remove firewalld and fail2ban and install the far superior csf+lfd combo.

You’re done.

People! Listen to sonoracomm! After a few minutes with the csf documentation you will have a firewall that not only automatically bans anyone messing with your server (port scans, floods, failed logins, etc.), but can even ban (at the firewall level) clients which are messing with your server at the application level by watching your ModSecurity log output. Real nifty.

This idiot was trying to mess with my WordPress install this morning. I say idiot (or perhaps bot), because I don’t have WordPress installed! I have csf set up to ban (for an hour) anyone who tries five or more dodgy “attacks”.

Time:     Thu Apr 29 06:51:10 2021 +0100
IP:       80.194.*.* (GB/United Kingdom/host-80-194-*-*.static.cable.virginmedia.com)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked:  Temporary Block for 3600 seconds [LF_MODSEC]

Log entries:
<snipped>

Anyone who hasn’t at least looked into CSF is doing themselves a disservice.

(note: I added the asterisks, you of course see the full IP address in your emails)
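The alert above is the visible half of the policy; the other half is three csf.conf values. The script below is an added example, not from the thread or from csf: it reads those values from a csf.conf fragment, summarises the resulting LF_MODSEC ban policy, and checks that an alert in the format quoted above is what that policy predicts. The key names are assumed from csf.conf's own documentation; the config fragment and alert file are constructed from the post's numbers.

```shell
#!/bin/sh
# Added example (not from the thread or from csf): the csf.conf settings behind
# an LF_MODSEC alert like the one above, and a check of an alert against them.
# Assumed keys: LF_MODSEC (failures that trigger a block), LF_MODSEC_PERM (1 =
# permanent, else temporary block seconds), LF_INTERVAL (counting window, s).

# csf_get KEY FILE -> value of KEY with its quotes stripped (empty if unset)
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2" | head -n 1
}
# csf_modsec_policy FILE -> one-line summary of the LF_MODSEC ban policy
csf_modsec_policy() {
    n=$(csf_get LF_MODSEC "$1"); perm=$(csf_get LF_MODSEC_PERM "$1")
    w=$(csf_get LF_INTERVAL "$1")
    if [ "${n:-0}" -eq 0 ]; then echo "disabled"
    elif [ "$perm" = "1" ]; then echo "permanent after $n failures in $w s"
    else echo "temporary $perm s after $n failures in $w s"
    fi
}
# alert_fields ALERTFILE -> "FAILURES INTERVAL BLOCK" from an LFD alert, where
# BLOCK is the temporary block length in seconds, or 1 for a permanent block
alert_fields() {
    awk '
        $1 == "Failures:" { f = $2 }
        $1 == "Interval:" { i = $2 }
        $1 == "Blocked:"  { b = 1; for (k = 1; k <= NF; k++) if ($k == "for") b = $(k + 1) }
        END { print f, i, b }
    ' "$1"
}
# alert_matches_conf CONF ALERT -> "match" if the alert is what CONF predicts
alert_matches_conf() {
    conf=$1
    set -- $(alert_fields "$2")            # $1 failures, $2 interval, $3 block
    [ "$1" = "$(csf_get LF_MODSEC "$conf")" ] &&
    [ "$2" = "$(csf_get LF_INTERVAL "$conf")" ] &&
    [ "$3" = "$(csf_get LF_MODSEC_PERM "$conf")" ] && echo match || echo mismatch
}

# Constructed csf.conf fragment: block for an hour after five ModSecurity hits.
CONF=$(mktemp); ALERT=$(mktemp)
printf 'LF_MODSEC = "5"\nLF_MODSEC_PERM = "3600"\nLF_INTERVAL = "3600"\n' > "$CONF"
# Constructed alert file with the three lines the checker reads (as in the post).
cat > "$ALERT" <<'EOF'
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked:  Temporary Block for 3600 seconds [LF_MODSEC]
EOF
csf_modsec_policy "$CONF"            # temporary 3600 s after 5 failures in 3600 s
alert_matches_conf "$CONF" "$ALERT"  # match
```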


I run a WordPress plugin on all WordPress sites that limits your login attempts. I set it to three. You miss it three times and you’re locked out for a year.

I do that intentionally. If it’s an actual user that has lost their password I can disable the plugin and reset the lockout so they can request a password reset.

If it isn’t, that bot is locked out for a year.