Security

I have read a key component of security is to run only the services that you require. My server is running CentOS and has some interesting services running by default. Some I obviously need, but there are others i’m not sure about.

Here’s a list of questionable services:

acpid - Listen and dispatch ACPI events from the kernel
apmd - apmd is used for monitoring battery status and logging it via syslog(8). It can also be used for shutting down the machine when the battery is low.
arptables_jf - Automates a packet filtering firewall with arptables.
atd - Runs commands scheduled by the at command at the time specified when at was run, and runs batch commands when the load average is low enough.
canna - Canna Japanese Conversion Engine
haldaemon - a daemon for collecting and maintaing information about hardware from several sources. See http://www.freedesktop.org/Software/hal
iiim - a major component of IIIMSF.
irqbalance - The irqbalance daemon will distribute interrupts across the cpus on a multiprocessor system with the purpose of spreading the load. processname: irqbalance
isdn - start and stop ISDN services
lookup-domain - Daemon for quickly looking up Virtualmin servers from procmail
messagebus - This is a daemon which broadcasts notifications of system events and other messages. See http://www.freedesktop.org/software/dbus/
microcode_ctl - script to apply cpu microcode
netfs - Mounts and unmounts all Network File System (NFS), SMB/CIFS (Lan Manager/Windows), and NCP (NetWare) mount points.
openibd - Activates/Deactivates InfiniBand Subnet Manager
pcmcia - PCMCIA support is usually to support things like ethernet and modems in laptops. It won’t get started unless configured so it is safe to have it installed on machines that don’t need it.
portmap - The portmapper manages RPC connections, which are used by protocols such as NFS and NIS. The portmap server must be running on machines which act as servers for protocols which make use of the RPC mechanism.
rawdevices - This scripts assignes raw devices to block devices (such as hard drive partitions). This is for the use of applications such as Oracle. You can set up the raw device to block device mapping by editing the file /etc/sysconfig/rawdevices. Note that the use of raw devices is deprecated, and applications should open regular block devices with O_DIRECT instead.
rpcgssd - Starts user-level daemon that manages RPCSEC GSS contexts for the NFSv4 client.
rpcidmapd - Starts user-level daemon for NFSv4 that maps user names to UID and GID numbers.
saslauthd - saslauthd is a server process which handles plaintext authentication requests on behalf of the cyrus-sasl library.
smartd - Self Monitoring and Reporting Technology (SMART) Daemon
xfs - Starts and stops the X Font Server at boot time and shutdown. It also takes care of (re-)generating font lists.

Can someone give me the lowdown on which are required to operate a typical LAMP server.

Thanks.

im sure you were hacked within 5min of server uptime

So, here’s an answer to my own question.

After installing Virtualmin pro it is important to lock down your server. Though its true that Webmin and Virtualmin are secure web applications i believe it is important to point out that installing virtualmin pro does change any configurations on your server to make it more secure.

Here are some things that must be done

  1. setup iptables. You can add/edit rules using webmin. Look under Networking/Linux Firewall. However, i found it easier to use the iptables-save and iptables-restore commands from the command line. Having to use a web form to add a bunch of rules is a pain.

  2. turn off services/daemons you don’t need. Look in webmin/System/Bootup and Shutdown. This tool provides a simple interface to start/stop/enable/disable services on your server. Although, I have found it difficult to find a reference regarding which services are essentially to run a lean LAMP web application server. Some of the descriptions are helpful, but for example what is iiim?

  3. probably makes sense to create a new user and not log into virtualmin as root. Also, should probably limit access to webmin port 10000 to a specific IP using iptables.

  4. to lock down a directory use webmin/Others/Protected Web Directories. Use this if you install phpMyAdmin and you want to secure your phpMyAdmin directory. However, I found using the MySQL management tools in webmin/Servers/MySQL Database Server just as easy as phpMyAdmin and likely more secure to boot.

Hey Lorne,

First, when I actually tried to use the MySQL management tools I was surprised to find that you couldn’t execute multiple SQL commands in the same POST. So, if you had a data dump from phpMyAdmin and then tried to submit it using the webmin interface you get an error.

I’ve never seen this behavior (but then I’ve never done a dump via phpMyAdmin), but it sounds like a bug (either in the Webmin MySQL module or phpMyAdmin). Any dump I’ve ever done from the command line or via the Webmin module has imported without incident. If there’s a bug in Webmin’s module, we’ll fix it. Would you mind filing a bug about it with the steps needed to reproduce the error?

Another option for security of phpMyAdmin is to set it up to only allow access to localhost, and view it through Webmin and a custom link. This is an idea I’ve been thinking on since we do plan to add automatic setup of a “default domain” at some point in the future that has Squirrel and phpMyAdmin pre-installed (and possibly creates aliases for all new domains to point to them on squirrel.domain.tld and phpmyadmin.domain.tld, or similar).

Hey Lorne,
I’ve never had any trouble with loading phpmyadmin data dumps into webmin MySQL outside of MyISAM incompatablilities duw to making the wrong selection when I did the dump.

I’ve pasted small dumps right into the textbox and executed or better just executed the textfile as an upload from my PC. I just didn’t like the idea of access to the databases being open to the public, in spite of htaccess. Webmin’s manipulation functions are pretty powerful and straightforward. Maybe not as pretty, but who’s on a sightseeing tour at that point anyway :wink:

Just my 2 cents.

Thanks Dan good tip. Didn’t realize MyISAM could cause problems. I’ll have to read up on that.

And, I agree I would rather use the Webmin MySQL interface b/c of the security benefits, it’s just unfamiliar. Every other server control panel that I have used (Ensim, Plesk) implements phpMyAdmin as the interface to MySQL. Not necessarily the right solution, but one I’ve come to expect.

For me, coming to virtualmin from those 2 applications I was expecting the webmin MySQL interface to use phpMyAdmin. (Of course, this would require a dependency on php and also on an external 3rd party application. So, I can understand why it was implemented differently). Thus, when i found a different interface I of course wanted it to work the same as phpMyAdmin … human nature I guess.

Of course, I want virtualmin to work in way that is easiest for me. Thus,

  1. I want to be able replace the default webmin MySQL interface with an application of my choice (ie phpMyAdmin). If application of my choice is inferior to the default app then tell me so and i’ll read about it.

  2. If i can’t replace default app then I want it to be compatible with application of my choice (ie phpMyAdmin).

  3. If it’s not compatible then tell me how its different and provide simple instructions for doing common tasks. For example, "When you dump a database from phpMyAdmin and then want to import it into webmin make sure you do the following … "

Maybe this is a lot to ask, but I’m just trying to provide feedback from the perspective of a consumer.

Hey Lorne,

Your feedback is greatly appreciated. You’re not alone. We’ve had quite a few users who prefer phpMyAdmin to the Webmin MySQL module. And that’s OK with us. We plan to keep working to make the Webmin module as good as it can possibly be, but we’re also working out how to safely include phpMyAdmin in the default installation. It’s definitely on the agenda.

1. I want to be able replace the default webmin MySQL interface with an application of my choice (ie phpMyAdmin). If application of my choice is inferior to the default app then tell me so and i’ll read about it.

We don’t think there’s anything wrong with phpMyAdmin–it’s a great tool, and it’s what many users are familiar with. We’re not going to tell you to re-learn something that you already know how to do. :wink:

I happen to prefer the Webmin MySQL and PostgreSQL modules, but that’s at least partially because they’re what I’m familiar with.

2. If i can’t replace default app then I want it to be compatible with application of my choice (ie phpMyAdmin).

No need to replace it. They aren’t mutually exclusive. Just like you can have Webalizer and AWStats, you can also have Webmin MySQL and phpMyAdmin running on the same system. You can even use them simultaneously on the same database (unless phpMyAdmin does anything nasty, which I doubt that it does).

3. If it’s not compatible then tell me how its different and provide simple instructions for doing common tasks. For example, "When you dump a database from phpMyAdmin and then want to import it into webmin make sure you do the following … "

We don’t know of any special requirements for imports–it’s always worked for me. If we can reproduce the problem you had, we can fix it, so no special instructions are required.

Maybe this is a lot to ask, but I’m just trying to provide feedback from the perspective of a consumer.

Not at all. We’re glad to hear it.

Server security is ALWAYS the responsibility of the server owner/operator, jut like it is the owner’s responsibility to update any installed applications and apply necessary security patches.

Virtualmin might set some security settings upon installation, but I am positive that here, just like with many other applications, it is at its defaults or a minimum. That is â

First, when I actually tried to use the MySQL management tools I was surprised to find that you couldn’t execute multiple SQL commands in the same POST. So, if you had a data dump from phpMyAdmin and then tried to submit it using the webmin interface you get an error. Long and short phpMyAdmin IMHO is a requirement when setting up a LAMP web application server.

To lock down phpMyAdmin is added some directives to my default Server Template for Apache. Specifically, the following:

Directory ${HOME}/public_html/phpmyadmin>
Order allow,deny
Deny from all
Directory>

This stops all access on port 80. Next, you have to manually edit your httpd.conf file so, you can add different directives for port 443 because there is no way to set up different Apache directives for port 80 and port 443 in virtualmin.

Here’s what I added:

Directory /home/macaweb.com/public_html/phpmyadmin>
AllowOverride AuthConfig
AuthName "Please login"
AuthType Basic
AuthUserFile /home/macaweb.com/.htpasswd
AuthGroupFile /dev/null
require user phpmyadmin
Directory>

This forces browser to Authenticate all users with username/password info in .htpasswd file. Make sure .htpasswd isn’t in public_html. see google for more on htpasswd.

On a server that hosts multiple domains it would be nice to have just one shared instance of phpMyAdmin that all domains can access. Haven’t spent the time to figure this one out… yet.

First, when I actually tried to use the MySQL management tools I was surprised to find that you couldn’t execute multiple SQL commands in the same POST. So, if you had a data dump from phpMyAdmin and then tried to submit it using the webmin interface you get an error. Long and short phpMyAdmin IMHO is a requirement when setting up a LAMP web application server.

To lock down phpMyAdmin is added some directives to my default Server Template for Apache. Specifically, the following:

Directory ${HOME}/public_html/phpmyadmin>
Order allow,deny
Deny from all
Directory>

This stops all access on port 80. Next, you have to manually edit your httpd.conf file so, you can add different directives for port 443 because there is no way to set up different Apache directives for port 80 and port 443 in virtualmin.

Here’s what I added:

Directory /home/macaweb.com/public_html/phpmyadmin>
AllowOverride AuthConfig
AuthName "Please login"
AuthType Basic
AuthUserFile /home/macaweb.com/.htpasswd
AuthGroupFile /dev/null
require user phpmyadmin
Directory>

This forces browser to Authenticate all users with username/password info in .htpasswd file. Make sure .htpasswd isn’t in public_html. see google for more on htpasswd.

On a server that hosts multiple domains it would be nice to have just one shared instance of phpMyAdmin that all domains can access. Haven’t spent the time to figure this one out… yet.

First, when I actually tried to use the MySQL management tools I was surprised to find that you couldn’t execute multiple SQL commands in the same POST. So, if you had a data dump from phpMyAdmin and then tried to submit it using the webmin interface you get an error. Long and short phpMyAdmin IMHO is a requirement when setting up a LAMP web application server.

To lock down phpMyAdmin is added some directives to my default Server Template for Apache. Specifically, the following:

Directory ${HOME}/public_html/phpmyadmin>
Order allow,deny
Deny from all
Directory>

This stops all access on port 80. Next, you have to manually edit your httpd.conf file so, you can add different directives for port 443 because there is no way to set up different Apache directives for port 80 and port 443 in virtualmin.

Here’s what I added:

Directory /home/macaweb.com/public_html/phpmyadmin>
AllowOverride AuthConfig
AuthName "Please login"
AuthType Basic
AuthUserFile /home/macaweb.com/.htpasswd
AuthGroupFile /dev/null
require user phpmyadmin
Directory>

This forces browser to Authenticate all users with username/password info in .htpasswd file. Make sure .htpasswd isn’t in public_html. see google for more on htpasswd.

On a server that hosts multiple domains it would be nice to have just one shared instance of phpMyAdmin that all domains can access. Haven’t spent the time to figure this one out… yet.