Because of the current economy situation I need to cut costs of my hosting services.
I have been testing Virtualmin/Webmin and I am fascinated with this project. Technically speaking, it fulfills all the needs of my business.
I would like to just hear from your opinion, my main doubts are around Security and stability.
Assuming that the IT matters and configuration are correctly set up, how secure and stable do you consider it? Would you recommend it for a production environment hosting 50 domains?
My clients mainly host their websites and use the email services (which I use AWS SES).
Webmin/Virtualmin is the most popular control panel in the hosting world. And I personally transferred a lot of cPanel websites to the Virtualmin and they are running fine for more than 2 years.
We use CSF as a firewall instead of default firewall.
Server hardening is same as you need to do with cPanel server.
Out of the box, for the most users, virtualmin is very good. Its stable, the developers doing an inhuman job (positively speaking) and the security is for the most users already with a good preset.
Personally, I hardened the server even though I still need to do somethings.
For your needs, I would say its pretty damn good. Just make sure to upgrade the packages to the latest available version yourself (if) and take a look into hardening (especially ssl). I would also recommend to use CSF instead of firewalld if you want to max it, but that’s not a must. CSF just got some nice things which makes it attractive to use.
I’ll just mention that Webmin (where the most serious security concerns would be, since everything else is only going to have user-level permissions) has existed roughly as long as cPanel, and has a lot more users/installations (~2 million last time I took the time to add up all of the various Webmin download sources a couple years back, vs. a few hundred thousand for cPanel, think?). I believe our security record is as strong as anything out there, which is to say we’ve had a few problems over the decades of Webmin’s existence (and 15 years of Virtualmin), sometimes serious ones, but so has cPanel, and by and large I think our security record is very competitive with cPanel and better than most of the others.
The cPanel folks are good at what they do and I think they take security seriously (we’ve met most of their developers at Perl conferences), but, we’ve been Open Source and actively maintained for the entire life of the project. Seems like that ought to be worth some security/stability points that cPanel doesn’t get due to being proprietary. I know when I’m making decisions about software that has security or long-term reliability requirements, I choose the more open option whenever possible.
Most security problems come from not staying on top of updates, not using strong passwords, and running services or apps that aren’t being maintained. There’s little we can do about those things, though we do push updates really hard in the dashboard and we support 2FA and password policy settings and strong password hints, as well.
In my experience if someone with knowledge wants to hack you, you are going to get hacked. It’s not going to matter who is hosting what and what control panel you use.
That said, it’s as easy as logging in to Webmin/Virtualmin a couple times a week, seeing if there are updates available, and clicking the button if there are.