I am new to Virtualmin and I come from cPanel and CWP. I was using mod_security for many years. Now I cannot locate such a function, but I see many other apps in the Networking area.
I am now going to transfer my first WordPress, OpenCart and Joomla sites. Is there anything that I have to do for security? Or does Virtualmin rock right from the initial setup?
CentOS Linux 7.9.2009
mod_security is not related to network configuration. But, there is no mod_security GUI in Virtualmin.
Nothing stops you from enabling it, though. It’s a one-time thing; just install the package and turn it on (and configure it to use the rule sets you want to use, like the OWASP rules). mod_security is of marginal utility in a system that is well-maintained, but can be useful if you have old apps. mod_security is almost entirely a reactive solution; the rules are mostly based on past attacks, which have usually already been fixed in the software the attacks target. But, since most people aren’t very good at staying up to date, I’ve come around to thinking mod_security is pretty useful, and we’ll be adding it as a Pro feature in Virtualmin 8.
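An added example of what the one-time setup described above could look like on CentOS 7 with the EPEL packages; this is not configuration from the thread, from Virtualmin or from the CRS project. It assumes the EPEL `mod_security` and `mod_security_crs` packages, and the include paths follow that package layout as I recall it (check with `rpm -ql mod_security_crs`). The LocationMatch path and the rule ids in the exclusion at the end are placeholders, not real findings.

```apache
# Added example (not from the thread or Virtualmin). Drop-in for /etc/httpd/conf.d/,
# assuming the EPEL packages `mod_security` and `mod_security_crs` on CentOS 7.
<IfModule mod_security2.c>
    # DetectionOnly: rules match and are logged but never block. Run this way first,
    # read the audit log against real traffic (checkouts, gateway callbacks, admin
    # pages), and only then change it to "On".
    SecRuleEngine DetectionOnly

    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Log only transactions that matched a rule. Part H carries the matched rule's id,
    # which is what you need to write a targeted exclusion later.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecAuditLogParts ABIFHZ

    # OWASP Core Rule Set from mod_security_crs. Paths relative to ServerRoot
    # (/etc/httpd); assumed EPEL layout, verify with: rpm -ql mod_security_crs
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf
</IfModule>

# Per-site exclusion, placed inside that site's <VirtualHost> block. Scope it to the
# one path the payment gateway uses rather than turning the engine off site-wide, and
# take the rule ids from the audit log; the path and ids here are placeholders.
<LocationMatch "^/checkout/stripe/">
    <IfModule mod_security2.c>
        SecRuleRemoveById 981231 960024
    </IfModule>
</LocationMatch>
```

Flipping `SecRuleEngine` to `On` is the last step, not the first; the audit log collected in DetectionOnly mode is what tells you which rules would have broken which pages.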
I personally like CSF with some pretty tight lfd settings; but the default firewall settings in most Linux distros, plus fail2ban (installed by default with Virtualmin), provide decent security.
If you decide to install and enable ModSec, be careful with the rule sets as regards your payment gateways. The developer of my invoicing software and I wasted two days after an update trying to figure out what was causing the Stripe payment plugin to error out after every charge was processed. It turned out that cPanel’s default rule set for ModSec was killing the Stripe script after the payments had been processed by Stripe, and dumping the users on an error page rather than the confirmation page.
I just disabled ModSec and never bothered with it again. I never had a whole lot of confidence in it anyway. But if you do choose to use it, I suggest testing all your carts and payment gateways to make sure they work, and doing it again after updates.
By the way, ModSec is an Apache module, not a network firewall.
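Tracing a failure like the Stripe one above to a rule id is the part that costs days when done by hand. The script below is an added example for this thread (not code from cPanel, Virtualmin or ModSecurity) that reads mod_security 2.x messages out of an Apache error_log and groups them by host, URI and rule id, so you can see which rule blocked the gateway's return URL and write an exclusion for that path only. The log lines, hostnames, paths and rule ids in it are constructed for illustration.

```python
"""Trace ModSecurity hits in an Apache error_log back to rule ids and URIs, so a broken
payment flow can be fixed with a targeted exclusion instead of disabling the module.
Added example for this thread; not code from cPanel, Virtualmin or ModSecurity.
The log lines, hostnames, paths and rule ids below are constructed."""
import re
from collections import Counter, defaultdict

# mod_security 2.x appends [key "value"] pairs to its error_log message.
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_ACTION = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')

SAMPLE_LOG = [  # constructed Apache 2.4 error_log lines
    '[Tue Mar 14 10:02:11.482901 2023] [:error] [pid 2201] [client 203.0.113.5:51234] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\/\\*.*\\*\\/)" '
    'at ARGS:payment_intent. [file "/etc/httpd/modsecurity.d/activated_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "69"] [id "981231"] '
    '[msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] '
    '[hostname "shop.example.com"] [uri "/checkout/stripe/return"] [unique_id "ZBAn0001"]',
    '[Tue Mar 14 10:05:40.110233 2023] [:error] [pid 2204] [client 198.51.100.7:40022] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\/\\*.*\\*\\/)" '
    'at ARGS:payment_intent. [file "/etc/httpd/modsecurity.d/activated_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "69"] [id "981231"] '
    '[msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] '
    '[hostname "shop.example.com"] [uri "/checkout/stripe/return"] [unique_id "ZBAn0002"]',
    '[Tue Mar 14 10:05:40.110900 2023] [:error] [pid 2204] [client 198.51.100.7:40022] '
    'ModSecurity: Warning. Pattern match "\\W{4,}" at ARGS:client_secret. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] '
    '[line "37"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert"] '
    '[hostname "shop.example.com"] [uri "/checkout/stripe/return"] [unique_id "ZBAn0002"]',
    '[Tue Mar 14 10:09:02.003311 2023] [:error] [pid 2210] [client 192.0.2.33:55100] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:or 1=1)" '
    'at ARGS:log. [file "/etc/httpd/modsecurity.d/activated_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "120"] [id "950901"] '
    '[msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] '
    '[hostname "shop.example.com"] [uri "/wp-login.php"] [unique_id "ZBAn0003"]',
    '[Tue Mar 14 10:00:00.000000 2023] [mpm_prefork:notice] [pid 2199] AH00163: '
    'Apache/2.4.6 (CentOS) configured -- resuming normal operations',
]


def parse_modsec_line(line):
    """Return a dict for a ModSecurity error_log entry, or None for unrelated lines."""
    m = _ACTION.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(line[m.end():]))
    return {
        "blocked": m.group(1).startswith("Access denied"),
        "status": int(m.group(2)) if m.group(2) else None,
        "id": fields.get("id"),
        "msg": fields.get("msg", ""),
        "hostname": fields.get("hostname", ""),
        "uri": fields.get("uri", ""),
    }


def summarise(lines):
    """Map (hostname, uri) -> Counter of (rule id, blocked?) so warnings from
    DetectionOnly mode stay distinguishable from actual blocks."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_modsec_line(line)
        if ev and ev["id"]:
            hits[(ev["hostname"], ev["uri"])][(ev["id"], ev["blocked"])] += 1
    return hits


def blocked_rules_under(hits, path_prefix):
    """{uri: sorted rule ids} for rules that blocked (not merely warned on) requests
    whose URI starts with path_prefix, e.g. the payment gateway's return path."""
    out = {}
    for (_host, uri), counter in hits.items():
        if not uri.startswith(path_prefix):
            continue
        ids = sorted({rid for (rid, blocked) in counter if blocked})
        if ids:
            out[uri] = ids
    return out


def render_exclusion(uri, ids):
    """Candidate Apache directive to review: disables only the listed rules on one exact
    path. Confirm each id really is a false positive for that endpoint before using it."""
    return '<LocationMatch "^{}$">\n    SecRuleRemoveById {}\n</LocationMatch>'.format(
        re.escape(uri), " ".join(ids))


if __name__ == "__main__":
    hits = summarise(SAMPLE_LOG)
    for (host, uri), counter in sorted(hits.items()):
        for (rid, blocked), n in sorted(counter.items()):
            print(f"{host}{uri}  rule {rid}  {'BLOCK' if blocked else 'warn'} x{n}")
    for uri, ids in blocked_rules_under(hits, "/checkout/").items():
        print(render_exclusion(uri, ids))
```

Run it against the real file with `summarise(open('/var/log/httpd/error_log'))`; the audit log (`SecAuditLogParts` with part H) carries the same ids if you prefer that source. The point of separating warnings from blocks is that, as the post above suggests, you can re-run this after every rule-set update and only act on rules that actually started denying the checkout path.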
Yeah, I think it’s worth being clear that mod_security is what is often referred to as a “web application firewall”, but it does not operate at the same layer of the network stack as a traditional firewall. You should not group the two concepts together when discussing what you need to address a given threat model, and there is almost no overlap in what a network firewall can prevent vs what a web application firewall can prevent.
Firewalls are one thing, and Virtualmin sets up a basic Firewalld firewall for you and provides a GUI for it, so you can add whatever additional rules you like. That is wholly orthogonal to mod_security, which is a layer 7 rule-based tool for preventing some kinds of web application attacks.
Firewalls (like Firewalld or CSF) are of limited utility in a server environment. Tools that actively monitor behavior and add rules (like Fail2ban, which Virtualmin includes and has a GUI for, or sshguard or I think CSF has its own similar thing) based on things that look like attacks are very useful, though.
Web application firewalls (like mod_security) are also of limited utility in an up-to-date well-maintained system.
Yep. In CSF it's called lfd, for login failure daemon. It's pretty similar in function to fail2ban, which is why I don't bother enabling both on the same server.
lfd can block individual IPs or ranges based on user-determined criteria, for user-specified lengths of time. It can also convert persistent offenders from tempblock to permblock; execute external scripts to create block reports or unblock reports; notify the admin of failed and/or successful SSH logins, Webmin logins, and sudo elevations; and perform many, many other security functions.
All of those are in addition to the basic security provided by the main csf application, which includes functions like process tracking, system file integrity checking, mail volume monitoring, blocking based on public RBLs, and a bazillion other user-configurable security functions. It's a firewall, but it's also much more.
I updated PHP 8.1 on six servers today (five production and one dev), and within a few minutes I received six emails and six text messages from CSF warning me that the files had changed. It also can inform root when users upload root-defined kinds of scripts, such as any script that sends mail, or when a user is sending out more mail in a given time period than some number specified by root.
It really is comprehensive.
It does take some time to learn if you want to maximize its usefulness. It also requires some version of syslog. I usually use … syslog-ng will also work.
Thank you so much for your replies. So, if I got it, let's say that I am publishing only new and frequently updated websites/eshops like WordPress, OpenCart and PrestaShop.
I am asking especially the old masters of Virtualmin: at my fresh installation of Virtualmin/Networking, a) is there any custom or other security module/application that I have to install? OR b) am I secure with that initial setup? Thanks again.
On a new Virtualmin system:
configure mail rate limiting to limit the damage that can be done by spammers who gain unauthorised access to user accounts
configure fail2ban to thwart brute-force attacks
use only php-fpm as the execution mode on all virtual servers to keep the system isolated from virtual servers that will be compromised
That’s about it.
Edit: Virtualmin 7 offers several security enhancements. Someone should highlight these.
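The third item in the list above is the one that is easy to get wrong on a server that already hosts migrated sites, because each virtual server carries its own PHP execution mode. The script below is an added example for this thread (not Virtualmin code) that reads the Apache virtual host configuration and reports, per ServerName, whether PHP is handled by php-fpm, by FCGId, or by mod_php, so you can find the ones still to convert. The directive fingerprints are the ones Virtualmin-generated configs commonly contain, which is an assumption to check against your own /etc/httpd/conf/httpd.conf; the vhost text in the script is constructed.

```python
"""Report the PHP execution mode of each Apache <VirtualHost>, so anything still on
mod_php or FCGId can be moved to php-fpm. Added example for this thread; not Virtualmin
code. Directive patterns are assumptions about what Virtualmin writes (verify against
your own httpd.conf); the vhost text below is constructed."""
import re

VHOST_RE = re.compile(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', re.S | re.I)
SERVERNAME_RE = re.compile(r'^\s*ServerName\s+(\S+)', re.M | re.I)

# Fingerprints per mode. php-fpm proxies .php to a FastCGI socket or TCP port; FCGId
# uses a per-user wrapper script; mod_php runs PHP inside the httpd process (shared
# across all sites, which is why the post above says to avoid it).
MODE_PATTERNS = {
    "php-fpm": re.compile(r'SetHandler\s+"?proxy:(?:unix:[^|"\s]+\|)?fcgi://', re.I),
    "fcgid":   re.compile(r'\bFCGIWrapper\b|\bfcgid-script\b', re.I),
    "mod_php": re.compile(r'application/x-httpd-php|^\s*php_(?:admin_)?(?:value|flag)\b',
                          re.I | re.M),
}

SAMPLE_CONF = """
# constructed: three virtual servers, one per execution mode
<VirtualHost 203.0.113.10:80>
    ServerName shop.example.com
    DocumentRoot /home/shop/public_html
    <FilesMatch \\.php$>
        SetHandler "proxy:unix:/run/php-fpm/170123456789.sock|fcgi://127.0.0.1"
    </FilesMatch>
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName blog.example.com
    DocumentRoot /home/blog/public_html
    AddHandler fcgid-script .php
    FCGIWrapper /home/blog/fcgi-bin/php7.4.fcgi .php
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName legacy.example.com
    DocumentRoot /home/legacy/public_html
    AddHandler application/x-httpd-php .php
    php_admin_value engine On
</VirtualHost>
"""


def php_modes(vhost_body):
    """All execution modes whose directives appear in one vhost body. More than one
    usually means leftovers from a migration and is worth a look."""
    return [mode for mode, pat in MODE_PATTERNS.items() if pat.search(vhost_body)]


def audit_vhosts(conf_text):
    """Return {servername: [modes]} for every <VirtualHost> in conf_text."""
    result = {}
    for m in VHOST_RE.finditer(conf_text):
        body = m.group(1)
        sn = SERVERNAME_RE.search(body)
        name = sn.group(1) if sn else "<no ServerName>"
        result[name] = php_modes(body)
    return result


def needs_attention(audit):
    """Vhosts that execute PHP through anything other than php-fpm."""
    return sorted(name for name, modes in audit.items()
                  if set(modes) & {"fcgid", "mod_php"})


def no_php_handler(audit):
    """Vhosts with no recognised PHP handler at all (static sites, or a mode this
    script does not know about)."""
    return sorted(name for name, modes in audit.items() if not modes)


if __name__ == "__main__":
    # On a real box: audit_vhosts(open("/etc/httpd/conf/httpd.conf").read())
    audit = audit_vhosts(SAMPLE_CONF)
    for name, modes in audit.items():
        print(f"{name}: {', '.join(modes) or 'no PHP handler found'}")
    print("convert to php-fpm:", needs_attention(audit))
```

Virtualmin itself can switch the mode per virtual server from the website options, so the script is only for finding the stragglers, not for editing the configuration; re-running it after a migration batch is the quick way to confirm nothing came across in mod_php mode.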
Nobody is ever secure. The internet is an evolving threat.
Are you using key-based logins (only) for SSH? First thing I do when I create a VM.
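A small added example for the question above, not code from the thread or Virtualmin: it checks an sshd_config for key-only logins. The one thing worth knowing when reading sshd_config by hand is that for each keyword the first value in the file wins, so a `PasswordAuthentication no` appended at the bottom of a stock CentOS file does nothing if a `PasswordAuthentication yes` sits above it. The defaults assumed for absent keywords are those of OpenSSH 7.x (CentOS 7 ships 7.4); the two config texts are constructed.

```python
"""Audit an sshd_config for key-only SSH logins. Added example for this thread, not
Virtualmin code. Parsing rule from sshd_config(5): keywords are case-insensitive and the
first value set wins; settings after a Match line are conditional and skipped here.
Defaults assume OpenSSH 7.x; the two sample configs are constructed."""
import re

# keyword -> (value sshd uses when the keyword is absent, values accepted by this policy)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    # "yes" is flagged: with keys only, root should at most log in with a key.
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"}),
    # PAM keyboard-interactive can still prompt for a password if left on.
    "challengeresponseauthentication": ("yes", {"no"}),
}

WEAK_CONF = """
# constructed: stock-looking file with a hardening line added at the end that never applies
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
PasswordAuthentication no
"""

HARDENED_CONF = """
# constructed: key-only globally, password allowed for one account via Match
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication yes
"""


def effective_settings(text):
    """{lowercase keyword: first value} from the global section of an sshd_config."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        if len(parts) == 2 and key not in out:  # first occurrence wins
            out[key] = parts[1].strip().strip('"').lower()
    return out


def audit(text):
    """(keyword, effective value) pairs that do not meet the key-only policy."""
    settings = effective_settings(text)
    findings = []
    for key, (default, accepted) in CHECKS.items():
        value = settings.get(key, default)
        if value not in accepted:
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    # On a real box: audit(open("/etc/ssh/sshd_config").read())
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

On the server itself, `sshd -T` (as root) prints the effective configuration with defaults filled in, which is the authoritative check; the script is for reviewing files before they are deployed. Make sure a key login works in a second session before restarting sshd with password authentication off.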
Thanks for that. Do you have tutorials, please, on how to accomplish each one?
Life is also insecure. I mentioned that I come from cPanel and CWP, and they offer some pre-setup with a firewall and/or mod_security. For example, CWP PRO offers mod_security with automated updates and automatic rules for WordPress, Joomla etc.
I have now installed Virtualmin Pro. And I ask: do I have to take care of some security essentials before publishing an updated WordPress website?