Is the default installation of virtualmin safe to start working with the server?

SYSTEM INFORMATION
OS type and version: Debian Linux 12
Virtualmin version: 7.8.2

Hello, this is my first post in the virtualmin forum.

I hope you are doing well.

The first doubt I have about it, is: after successfully installing Virtualmin, is it necessary to make certain configurations for the server to work stably and securely?

What I mean is if I have to make firewall configurations or some other service before I start creating virtual servers for my web sites.

Or if by default, virtualmin is installed with the proper security settings.

Thank you in advance for your attention and support. Best regards.

As far as security goes, I mean a lot of that rests on you. But Virtualmin/Usermin are highly configurable to ensure security to some degree. As always, you should have a decent router at the edge with a firewall, and knowledge of how to secure it as well. And if you are hosting personal data, well, you might wanna immerse yourself in some reading for a couple of months to a year, at least on and off. But Virtualmin is great software by default. Never assume something set up is secure; that’s mistake number 1. Depending on your setup, bare metal or hosting, there is a different feel to “security”, at least in my mind. I’d rather not have allow-all IPs on, for instance, but if you are making a remote connection that might be a requirement. Then if you use WordPress and other things there is always room for exploit there, so in general security is a constant battle. There is nothing that is “secure”; there is just the feeling of being secure and knowing you’ve done the best you can to secure your system, which may still not be enough. I typically keep up to date with security threats online, spend a lot of time reading, and get notifications on my phone about different events.

But for the most part, yes, it works. But yeah, get it, use it, tighten up the security as tight as you’d like, but no matter the software, don’t assume it’s secure.


Hello forlotto! Thank you very much for your answer, it has helped me a lot to put my feet on the ground regarding the “sense of security”.

I’m going to take it easy and I’ll go little by little advancing in the topic of server administration.

Thanks again, best regards.

Well, I’m glad I could help. I’ve used Virtualmin for 3 years and it’s been secure; there have been thousands of attempts at breaking the security, each one a new IP blocked. And that’s after blocking over a million from the get-go. I also tend to hide login areas and such to make things a little more difficult as well when possible, like not using the default wp-admin location.

Are IPs automatically blocked by Virtualmin, or do you do it manually? When you say you hide the login area, do you mean the Virtualmin/Webmin login or just the WordPress login area?

Thank you very much for your answers.

WordPress for the different login. As far as IPs, if you look in Webmin you can whitelist specific IPs to have access to the interface. For instance, if you have a static IP set for the computer that you are going to do all of your configuring from, you can set that as the only PC that can access the Webmin interface, but you may wish to or need to include more, or even include all of the IPs in your network. However, if you are on a host you may not have the same luxury, because your ISP may switch up your external IP and then you would be SOL if you allowed just your IP to manage the system. For me, I know I have one static IP I’ll manage everything from on my LAN, so that’s how I limit access to the Webmin interface and only add IPs as needed; basic whitelisting practice, more or less, to help harden things a bit more is all. Now, blocking IPs is something you’ll have to do as time goes on. There are blocklists out there, but they typically only cover the worst apples. Personally, though, you’ll find that all hosting companies should be blocked, as oddly that is what hackers love to use: they SSH into a system, likely from some VPN with a TOR exit node to mask them, then they begin tooling around looking for some angles. Amazon hosts a lot of these hackers, as does, err, ColoCrossing I think, err, can’t remember the name but it is something along that line, as does Microsoft and other hosting companies. Personally, what I host is meant for local folks, so I typically block IPs from Turkey, Russia, Taiwan, China and so forth; I really don’t have a need, nor does anyone else, for a non-local US business connection. So I kind of toe the line there and just block countries, more or less. Yeah, there are other things, but I can’t say I can teach you any faster than watching a bunch of YouTube videos on basic or best security practices.
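
The Webmin allow-list forlotto describes, as an added example that is not part of the thread and not Virtualmin’s own code: it edits `miniserv.conf` directly, which is what Webmin > Webmin Configuration > IP Access Control writes on your behalf. The file path, the `allow=` line format (space-separated addresses or CIDRs) and the sample addresses are assumptions to check against your install; Usermin keeps its own copy of the file under `/etc/usermin/`.

```shell
#!/bin/sh
# Added example: restrict the Webmin listener to an allow-list of management
# addresses by rewriting miniserv.conf. Path and line format are assumptions.

WEBMIN_CONF="/etc/webmin/miniserv.conf"   # assumed default location on Debian

# Pure text transform: read a miniserv.conf on stdin, write it back with a
# single "allow=" line carrying the given addresses/CIDRs. Any previous
# "allow=" lines are dropped so the list never accumulates duplicates.
render_allow_list() {
    # $1 = space-separated list of IPs or CIDRs (e.g. "192.0.2.10 192.0.2.0/24")
    awk -v addrs="$1" '
        /^allow=/ { next }                 # drop old allow= lines
        { print }
        END { print "allow=" addrs }
    '
}

# Apply to the live file with a timestamped backup, then restart miniserv.
# Include the address you are connected from, or the restart locks you out;
# a dynamic ISP address is exactly the case forlotto warns about.
apply_allow_list() {
    addrs="$1"
    cp "$WEBMIN_CONF" "$WEBMIN_CONF.bak.$(date +%s)" || return 1
    render_allow_list "$addrs" < "$WEBMIN_CONF" > "$WEBMIN_CONF.new" || return 1
    mv "$WEBMIN_CONF.new" "$WEBMIN_CONF" || return 1
    systemctl restart webmin
}

# Usage (as root): sh webmin-allow.sh apply "192.0.2.10 192.0.2.0/24"
if [ "${1:-}" = "apply" ]; then
    apply_allow_list "$2"
fi
```

After the restart, confirm from an allowed address that port 10000 still answers and from a disallowed one that it refuses, before closing the session you applied it from.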

@forlotto has given really good advice. I have listed a couple I think are important.
Become familiar with Fail2ban. With Fail2ban I like to enable [recidive] and shorten the matches of the other active jails. In my default config [recidive] is already set to banaction = %(banaction_allports)s, so I don’t mind the jails that feed the log file having whatever ports they default to. Since [recidive] is for repeat offenders, I extend the bantime in that jail. Set IP addresses to never ban to avoid locking yourself out.

When I check the Fail2ban log, if someone is playing with lots of ports and an IP range it’s obvious, and I’ll check their location and add a --permanent drop for that range to firewalld.

It’s a good idea to create a user with sudo privileges to use, then disable login as root in Webmin > Servers > SSH Server > Authentication.
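
The three steps popmay lists (a [recidive] jail with a long all-ports ban, a never-ban list, and a sudo user with root SSH login disabled), as an added example that is not part of the thread and not Virtualmin’s own code. Paths are the Debian 12 defaults; the user name `deploy`, the address in `ignoreip` and the ban times are assumptions. The two config-generating functions are pure text transforms so they can be checked before anything is applied.

```shell
#!/bin/sh
# Added example: idempotent SSH + Fail2ban hardening for a Debian 12 host.
# Paths are Debian defaults; user name, admin address and ban times are
# assumptions chosen for illustration.

SSHD_CONFIG="/etc/ssh/sshd_config"
JAIL_LOCAL="/etc/fail2ban/jail.local"

# Text transform: force PermitRootLogin to "no". Handles the commented
# Debian default ("#PermitRootLogin prohibit-password") and an explicit
# setting, drops duplicates, and appends the directive if none exists.
disable_root_ssh() {
    awk '
        /^[ \t]*#?[ \t]*PermitRootLogin[ \t]/ {
            if (!done) { print "PermitRootLogin no"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    '
}

# Render a jail.local: a global ignoreip so the admin address is never
# banned, a short first-strike ban for the service jails, and a long
# all-ports ban from [recidive] for addresses that keep coming back.
render_jail_local() {
    # $1 = space-separated never-ban list, $2 = recidive bantime (e.g. 4w)
    printf '%s\n' \
        "[DEFAULT]" \
        "ignoreip = 127.0.0.1/8 ::1 $1" \
        "bantime = 10m" \
        "findtime = 10m" \
        "maxretry = 5" \
        "" \
        "[sshd]" \
        "enabled = true" \
        "" \
        "[recidive]" \
        "enabled = true" \
        "logpath = /var/log/fail2ban.log" \
        "banaction = %(banaction_allports)s" \
        "bantime = $2" \
        "findtime = 1d" \
        "maxretry = 3"
}

# Apply all three steps. Create the admin user first and confirm a sudo
# login works in a second terminal BEFORE root login is switched off.
apply_hardening() {
    user="$1"; admin_ip="$2"
    id "$user" >/dev/null 2>&1 || adduser --gecos "" "$user"   # prompts for a password
    usermod -aG sudo "$user"
    disable_root_ssh < "$SSHD_CONFIG" > "$SSHD_CONFIG.new" || return 1
    mv "$SSHD_CONFIG.new" "$SSHD_CONFIG" || return 1
    sshd -t && systemctl reload ssh          # refuse to reload a broken config
    render_jail_local "$admin_ip" 4w > "$JAIL_LOCAL" || return 1
    fail2ban-client reload && fail2ban-client status recidive
}

# Usage (as root): sh harden.sh apply deploy 192.0.2.10
if [ "${1:-}" = "apply" ]; then
    apply_hardening "$2" "$3"
fi
```

One caveat worth checking: Debian 12 ships an `Include /etc/ssh/sshd_config.d/*.conf` at the top of `sshd_config`, and sshd keeps the first value it sees, so a drop-in there can silently override the edit. `sshd -T | grep -i permitrootlogin` shows the value actually in effect.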

@popmay yeah, I think this is a useful discussion. The security and hardening, I guess, is a learned thing; it’s not discussed that often.

Also, once running a website it becomes easier to log page visits via different tools, plugins, or methods, so you can see who is sketchy. For instance, they might be trying to see if you have a specific plugin, let’s say, that is able to be exploited. It’s best to limit the amount of plugins you use in WordPress for this reason. I literally believe that sometimes plugins are developed for free with the end goal of providing a security hole, “accidentally of course ;)”. Now, as to how often this holds true, I really don’t know. I recall browser plugins that were sold that were used by millions of users, and people placed blobs of code on the GitHub in updates to hide what was happening, and for several versions such a thing persisted essentially unknown. The same has happened with WordPress, be it on purpose or by accident. Certain things like frames and such are risky; the reason why WordPress does not include a lot of the features offered in plugins is because it is risky, so in general when you do install a plugin it’s important to know these things, even if it’s a “security plugin”. The other target is often log files; they are able to steal credentials via log files and analytic tool logs.

Indeed, very much to learn as far as security goes. I still have things to learn; school is always in session for me.

But popmay, thanks for chiming in. It is exciting to see that people are willing to take time to give advice like this. Much appreciated, and it’s needed.

The security problems that bite people in 99% of cases have nothing to do with Virtualmin or any of the services it manages. They are:

  1. Out of date software. If you aren’t regularly updating your systems, you are probably vulnerable to known exploits.
  2. Weak/re-used passwords.
  3. Random apps and plugins with no security or maintenance history to judge them by. This is not merely a problem in PHP or WordPress land. The Node.js ecosystem makes it wildly easy to pull in thousands of unaudited dependencies…and developers do it without even thinking about it.

This question is almost always coming at it from the wrong end of the problem: Security is not a feature or product, it’s a process.

That said, tools can help. Virtualmin provides 2FA (if you enable/use it), brute-force protection for everything in the stack (even for services that don’t have it by default, we set up fail2ban), password policy (if you choose to use it), indicators for when your passwords are strong (or you can randomly generate a strong password), and it shows you available system updates every time you login and provides a UI for upgrading, either selectively or all at once, easily. Virtualmin also sets up a default firewall that prohibits all but itself and the services it manages and ssh, and you can customize it as you need. A firewall by itself is of almost no use in a web hosting system (after all, the ports you need have to be open, and the ports you don’t need shouldn’t have services running on them! and a web server should not be routing, in the general case), but with fail2ban or a similar active monitoring tool, it can help prevent some kinds of attack…or, at the very least, keep your access logs less busy with brute force attacks, so you can more readily spot other problems.

Virtualmin can’t protect you against web apps that have security bugs, which is the biggest source of exploit on a Virtualmin system. But, it can protect you against that user being able to do (much of) anything to other users or the system itself. By default Virtualmin runs web apps as the user that owns the domain; if their web app is exploited, the attacker can only access that user’s files and databases, not much of anything else. An attacker could potentially DoS the system or send spam as the user they’ve taken over.

And, in terms of security bugs in Virtualmin/Webmin itself, our security history is public and pretty good, certainly competitive with the best web hosting control panels and miles ahead of the worst (I don’t actively track cPanel or Plesk, but when they have big security bugs it comes to my attention, and it happens to them sometimes, just like it has occasionally happened to us). Actively maintained software is a big part of security, and we’ve been actively maintaining these projects for about 20 (Virtualmin) and 25 years (Webmin). There are new releases regularly, and they get a lot of security researcher attention because they’re so widely used and have such a high potential (they perform many actions as root, by necessity, Webmin is a juicy target).

Also, the software we’ve selected to install and configure as part of the default installation (Apache or nginx, Postfix, MariaDB, Dovecot, Firewalld, Fail2ban, ClamAV, etc.) is also good on all these counts. Security and active maintenance was a big consideration, more so than features or cutting edge tech (most of our users don’t need amazing performance or infinite scalability…and many are going to be very casual/lazy about updates and security, so we lean toward old, popular, well-documented, easy to configure, and proven over the new hotness). If it’s not in the standard OS repos for all of our supported OSes, we’re inclined to find an alternative, though there are a few exceptions because RHEL has a pretty small standard OS repo, so we also allow EPEL packages into the mix (for ProFTPD, ClamAV, and a couple of others).

Our defaults are suitable for most shared hosting systems with reasonably trusted users. i.e., if you know who your customers are, they’ve agreed to terms of service and provide billing details, they are probably not going to try to exploit the system with DoS and spam and such (and if they do, you have non-technical remedies, like canceling their service and banning them from using your service in the future). You should not offer a default Virtualmin system domain account to completely untrusted users, though (i.e. don’t try to run a “free hosting” service, where anyone with an email address can sign up, with Virtualmin in its default configuration). That’d be utterly insane.

Obviously, a single web developer or in-house development teams can use Virtualmin in its default config and may even find allowing domain owners more privileges (e.g. the ability to directly edit service configuration, etc.) is reasonable. Webmin is kinda unique in this space for allowing fine-grained delegation of root-level tasks, but that only comes up with users in a trusting environment, like a bunch of employees in the same organization sharing hosting systems.

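
The triage popmay describes (spotting one range hitting several jails in the Fail2ban log and dropping it permanently in firewalld) and the point above about fail2ban keeping the logs readable enough to notice such things, as an added example that is not part of the thread and not Virtualmin’s own code. The log lines are constructed in the real `fail2ban.log` format using documentation addresses; the threshold, the /24 grouping and the rich-rule form are choices made here, not anything the posters specified.

```shell
#!/bin/sh
# Added example: group Fail2ban "Ban" events by /24, report ranges that hit
# several addresses or jails, and print the matching firewalld drop rules.
# The sample log is constructed; addresses are from the documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
2024-05-01 10:02:11,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:05:40,456 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 203.0.113.9
2024-05-01 10:09:02,789 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 203.0.113.22
2024-05-01 10:11:15,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.5
2024-05-01 10:20:33,222 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 10:31:18,333 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.7
EOF
)

# Read fail2ban.log on stdin; print one line per /24 whose distinct banned
# IP count reaches $1 (default 2), with the jails it tripped. Several jails
# from one range is the "playing with lots of ports" pattern popmay means.
triage_bans() {
    awk -v min="${1:-2}" '
        / Ban / {                                  # "Unban" lines do not match
            jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)
            ip = $NF
            if (split(ip, o, ".") != 4) next       # IPv4 only in this example
            net = o[1] "." o[2] "." o[3] ".0/24"
            if (!((net, ip) in seen)) { seen[net, ip] = 1; ips[net]++ }
            if (!((net, jail) in sj)) {
                sj[net, jail] = 1; jails[net]++
                jl[net] = jl[net] (jl[net] ? "," : "") jail
            }
        }
        END {
            for (net in ips)
                if (ips[net] >= min)
                    printf "%s ips=%d jails=%d %s\n", net, ips[net], jails[net], jl[net]
        }
    ' | sort
}

# Turn triage lines into firewalld commands. Printing rather than executing
# leaves the location check popmay does as a manual step before applying.
suggest_drops() {
    n=0
    while read -r net rest; do
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" drop'\n" "$net"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] && echo "firewall-cmd --reload"
    return 0
}

# Usage: sh f2b-triage.sh scan [min-ips]   (reads /var/log/fail2ban.log)
# Without arguments it runs over the constructed sample above.
if [ "${1:-}" = "scan" ]; then
    triage_bans "${2:-2}" < /var/log/fail2ban.log | suggest_drops
else
    printf '%s\n' "$SAMPLE_LOG" | triage_bans 2 | suggest_drops
fi
```

On the sample, 203.0.113.0/24 is reported (three addresses across sshd, postfix-sasl, dovecot and recidive) and 198.51.100.0/24 is not, so only the first gets a drop rule. A whole /24 is a blunt instrument; check `whois` on the range before running the printed commands, since a shared hosting provider’s block can carry legitimate traffic too.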

Wow nice post very helpful!
