Security hardening

Ok, so this would be a super-huge update :slight_smile:

but it might be necessary, so there’s a tool:

which performs dozens of security checks on Linux systems, and gives recommendations.

My suggestion is to try to align virtualmin with those suggestions.

I like the statement

We believe software should be simple, updated on a regular basis, and open.

But then most of it looks pretty old. Is the best they can claim in “media and awards” something in 2016? (I can claim an award in 1972; does that still have any relevance today?)

Not objecting to what you or anyone chooses to add to your system, but I do not think it needs incorporating in Virtualmin.

I’m pretty sure the principles are already adopted.

@Stegan it’s nice that you have an opinion… Based on what exactly are you pretty sure? Unlike you, who gives an opinion without anything except reading marketing statements, I have installed and run lynis, because I am now recovering from a TCP SYNFLOOD ATTACK done via IPv6 … And I can tell that neither does fail2ban work by default. Also, if we are going to give opinions like your “pretty sure”, I am pretty sure that additional security is never enough…

Also your statement about “something in 2016” is not good, because what’s important is the database of definitions, which is regularly updated: lynis/db at master · CISOfy/lynis · GitHub

I found that out so I no longer use fail2ban and coded my own replacement for it, which does ban ipv6 addresses out of the box if they act up, and sort of integrates with the webmin iptables modules ( both v4 and v6) since then I have had no problems. Sorry to go off topic

Well, it works once you modify it: just replace

banaction = firewallcmd-ipset

with

banaction = iptables-multiport

in /etc/fail2ban/jail.d/00-firewalld.conf …

FYI @Stegan this is one of the examples of principles maybe adopted but not working…
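An added example (not part of the thread and not fail2ban's own code): fail2ban reads `jail.conf`, then `jail.d/*.conf`, then `jail.local`, then `jail.d/*.local`, with later files overriding earlier ones, so this sketch resolves which file ends up setting `banaction`. It goes one step beyond the edit above by also showing a `jail.local` override; the config tree is constructed and the function names are hypothetical.

```python
import configparser
import tempfile
from pathlib import Path


def read_order(conf_dir):
    """Jail config files in fail2ban's documented read order (later wins)."""
    d = Path(conf_dir)
    files = [d / "jail.conf", *sorted((d / "jail.d").glob("*.conf")),
             d / "jail.local", *sorted((d / "jail.d").glob("*.local"))]
    return [f for f in files if f.is_file()]


def effective_banaction(conf_dir, jail="sshd"):
    """Return (banaction, file that set it last); a jail section beats [DEFAULT]."""
    jail_hit = default_hit = None
    for path in read_order(conf_dir):
        # default_section is renamed so [DEFAULT] is read as an ordinary section
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__unused__")
        cp.read(path)
        if cp.has_option(jail, "banaction"):
            jail_hit = (cp.get(jail, "banaction"), path.name)
        if cp.has_option("DEFAULT", "banaction"):
            default_hit = (cp.get("DEFAULT", "banaction"), path.name)
    return jail_hit or default_hit


def build_sample(root, with_local=False):
    """Write a constructed, minimal config tree (not a real system's files)."""
    root = Path(root)
    (root / "jail.d").mkdir(parents=True, exist_ok=True)
    (root / "jail.conf").write_text(
        "[DEFAULT]\nbanaction = iptables-multiport\n\n[sshd]\nenabled = true\n")
    (root / "jail.d" / "00-firewalld.conf").write_text(
        "[DEFAULT]\nbanaction = firewallcmd-ipset\n")
    if with_local:
        (root / "jail.local").write_text(
            "[DEFAULT]\nbanaction = iptables-multiport\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(effective_banaction(build_sample(tmp)))
        print(effective_banaction(build_sample(tmp, with_local=True)))
```

Pointing `effective_banaction` at a copy of `/etc/fail2ban` shows whether a packaged `jail.d` file or a local override decides the ban backend for a given jail.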

Yes, that is what I was worried about!
What determines a post on here as spammy?
I would say “anything that promotes a third party” without a clear disclaimer

but I skipped the Flag button as I could find little positive to support that

It is on the home page, so it must be something they see as important.

If, as you say, the database updates are important, perhaps that should carry the same emphasis as the updated on a regular basis

I’m still fine with the suggestion as an add-on (optional of course)

I’m sure we could all try to justify the creation of a dedicated team to concentrate on security, but how many of us are capable of or even need the investment?

In terms of Virtualmin, this is a solution looking for a problem. Your distro of choice takes care of the basics for you. WM/VM helps put it together as a server for you. HIPAA? SERIOUSLY? Each admin may need to take additional steps depending on their deployment, but imposing this on everyone is onerous at best.

firewallcmd is too slow: it takes half an hour or longer to restore the bans on a reboot. I would prefer that to be near instant, which iptables is able to do, so perhaps fail2ban & firewallcmd don’t play nicely

You have to be specific. As far as I know fail2ban does work by default. If it doesn’t we need to know what OS and what service(s) are having a problem. We try to fix problems when we know about them. (In a new topic, of course.)

That’s a solid tool—adds real value. Would love to see Virtualmin align with its recommendations for better out-of-the-box hardening.

This is open source software. Anyone is free to make SPECIFIC recommendations. As it is you are dumping basically the whole burden on the, mostly, volunteer staff.

To be fair, it ignores IPv6 attempts if you use iptables rather than firewalld as the banning agent. As I don’t like the firewalld interface within Webmin or their CLI, I went with iptables, for which the Webmin interface is good and so is the CLI.
Failed on Ubuntu 20.04, 22.04 and 24.04. It would be nice if fail2ban actually banned IPv6 addresses when using iptables

Virtualmin does have some good recommendations here - PCI Compliance | Virtualmin — Open Source Web Hosting Control Panel

Keeping things up to date is a tricky problem due to the ever changing nature of security threats.

Perhaps an option on the setup Wizard to apply some of the recommendations from that article would be useful?

Or, apply them by default (but perhaps that’s an OS responsibility?) and have an article on how to make your system less secure if you need to support users running outdated software.

WM/VM simply must draw the line somewhere. The goal is to give the system administrator a HUGE helping hand. For Webmin, that is adding a GUI to help administrate a server(s). For Virtualmin it is using your OS of choice to quickly stand up a web/mail server in an integrated fashion. It IS NOT a system administrator replacement.

Given the amount of folks that stop by that seem to have a decent coding ability, I’ve always been baffled by how little give back there is to the code base. The best I can do with my coding ability is to NOT muck up the code base with mine. :wink: