I am trying to install virtualmin on a LAMP (Debian Linux, Apache, MySQL, PHP) and use a mail server (postfix, dovecot) and several web sites.
I wish to find out what settings I need for best security.
Is there a list of these settings somewhere?
If not, is there a list of what not to do that could impair the security?
Well, neither Linux distributions nor Virtualmin ship settings that are considered to be insecure by default.
Outside of that, the questions “how to improve security” and “what might impair security” are topics for very large books.
If you had anything in particular you were hoping to try, feel free to ask and we can discuss whether it’s a security problem.
I couldn’t have expressed it better than Eric. To “books”, you might add “myriads of websites” and “highly paid firms offering security audits”.
For starters, to get an inherently secure system, it’s recommended to use a Grade-A supported OS, installing no packages besides SSH, and using the Virtualmin installer script to get your web hosting software in place. Virtualmin configures the services, as securely as you can get without being an employee at one of the aforementioned firms.
Most security issues come from buggy or incorrectly configured web software, and not from the services themselves.
So should I assume that virtualmin on its own always installs/configures applications/services for optimum security in mind?
Or are there so many options that choosing some combinations might make the web server insecure?
They try, of course. But a good example is VM 3.97, which fixed major security issues a few days ago that have existed in Virtualmin for a long time.
For optimum security it is always a good idea to go through some security/hardening checklists.
Unless you have only one site on your system, I guess. If you need more than one site, then virtualization probably offers the best protection (I use OpenVZ). However, there is some overhead.
Right now I rent a dedicated server so do you think that the link you gave me could help me anyway?
A few items which rank high on my list of security measures include, “firewall hardening”, “disabling FTP (and other services not used) in favour of SFTP”, “disabling password authentication for root”, and installing a good “intrusion detection system”.
We have been using OSSEC for our primary OS-level intrusion detection system for a few years now, and it has saved us sleepless nights because of its highly customizable ruleset, and the proactive measures it takes against hackers and other malicious activity. OSSEC, if configured, will also send out an email to you including all items which may be a security threat, or that you should know about, including login attempts, file changes, etc.
When you consider what OSSEC and similar software does, it makes administering lots of machines less of a headache, and increases uptime by pointing out threats and taking proactive measures.
Hope this information helps!
Oh right, security software. I personally use the following on my hosting systems:
Watches, among lots of other things, logs for login failures and blocks the offending IP via iptables. Also watches for modified system files, can detect port floods, use blacklists to block known hacker nets, limit connection count per source IP, and other stuff.
Scans configurable log files and reports all lines it doesn’t know (configurable via regular expressions; comes with a pre-made set of rules) via email.
Linux Malware Detect, a malware scanner specifically for bad web software. Uses the ClamAV engine for scanning.
If you haven’t already, you might also look over at: http://www.ossec.net
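The log-watching behaviour described in the post above (count login failures per source IP, then block the offender with iptables) boiled down to its core, as an added example; this is not the poster's setup and not code from any of the products named, and the auth log lines, the threshold and the hostnames are constructed for illustration. A real blocker would also expire blocks, skip your own addresses, and run continuously rather than over a finished file.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" events per source IP in an
# auth log and print every IP at or above a threshold, i.e. the candidates
# a log-watching blocker would feed to iptables. Sample log is constructed.

# failed_login_ips LOGFILE THRESHOLD
#   prints "COUNT IP" per offending IP, worst offender first
failed_login_ips() {
    awk -v min="$2" '
        # sshd logs e.g.
        #   sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
        #   sshd[2303]: Failed password for root from 203.0.113.5 port 4446 ssh2
        # "Accepted publickey" lines must not be counted.
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# block_cmds LOGFILE THRESHOLD
#   turns the offenders into iptables commands. Printed, not executed:
#   review them, then run as root (e.g. block_cmds ... | sh) once you trust them.
block_cmds() {
    failed_login_ips "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Constructed sample auth log (documentation IP ranges, fake hostnames)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 10 03:12:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Jan 10 03:12:03 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Jan 10 03:12:05 web1 sshd[2303]: Failed password for root from 203.0.113.5 port 4446 ssh2
Jan 10 03:12:07 web1 sshd[2305]: Failed password for root from 203.0.113.5 port 4448 ssh2
Jan 10 03:12:09 web1 sshd[2307]: Failed password for root from 203.0.113.5 port 4450 ssh2
Jan 10 03:15:22 web1 sshd[2310]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Jan 10 03:15:40 web1 sshd[2312]: Accepted publickey for alice from 198.51.100.7 port 51024 ssh2
Jan 10 03:20:00 web1 sshd[2320]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
EOF

echo "== offenders with >= 5 failures =="
failed_login_ips "$SAMPLE_LOG" 5
echo "== proposed blocks =="
block_cmds "$SAMPLE_LOG" 5
```

With the threshold at 5 only 203.0.113.5 is reported; alice's single typo from 198.51.100.7 is not, which is the point of a threshold rather than blocking on the first failure.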
Yepperz, I took a look at the OSSEC website, and it sounds quite nice.
Mmh, might it be possible to take a look at a live installation of OSSEC? I like to test new stuff, but before I replace my whole LFD/Logwatch setup with something new, I’d really like to see if it does anything better than what I’m using now. Unfortunately, OSSEC does not seem to have a demo installation, and not even screenshots.
Honestly, I think it’s a bit hard to test security software of this sort, as you’d have to be doing bad things to see it in action.
There is a web interface you can optionally install, but this is just for reports and not intended, though possible, to view from a web-facing address.
Honestly, I’ve not read up on the solutions you’re using, so I couldn’t really comment on whether it’s better or not. It’s likely that your solution, if it works, is fine, but this is just the solution I personally use.
Thanks for all the suggestions.
It would seem that the security suggestions are more on the server side than the Virtualmin side.
I was hoping to get some pointers on the settings for virtualmin itself since there are quite a lot of options in the software.
One other thing was a safe way to access virtualmin remotely:
Is it safer to open a port with direct access to Virtualmin (I did not like the idea of root access from remote)
OR to enable remote graphic access to the server and use virtualmin only ‘locally’. This could allow me to disable remote root access and switch it on using ‘su’. The idea is to prevent brute force attack on the root user.
Remote graphics access on an Internet-facing server: No go.
My suggestion would be: First, turn off “root login with password” in SSH. Set it to “with RSA key only”. That will prevent brute force attacks on the root account, because no brute force attack in this world can work out an RSA key (of sufficient length).
In Virtualmin, you’d still use the root user and their regular password (make it securely long). Brute-force attacks on Webmin are very rare, since it’s not nearly as widespread as SSH.
If you want extra security, set up a VPN (OpenVPN suggested) and open port 22 and 10000 only for VPN connections.
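The two steps in the post above (key-only root login in SSH, then SSH and Webmin reachable only over the VPN), as an added example that is not the poster's own configuration. The first function reads an sshd_config the way sshd does (keyword case-insensitive, comments ignored, first occurrence wins, Match blocks not consulted for global values) and flags the weak settings; the second prints the iptables rules. The OpenVPN interface name tun0 and its UDP port 1194 are assumptions, and the two sshd_config fragments are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password-based root login and
# print iptables rules that admit ports 22 and 10000 only via the VPN tunnel.

# sshd_setting FILE KEYWORD
#   prints the effective global value of KEYWORD. sshd takes the FIRST
#   occurrence of a keyword and later ones are ignored; settings inside a
#   Match block only apply conditionally, so we stop at the first Match.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key           { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one finding per line, nothing if the file is clean
audit_sshd() {
    f=$1
    prl=$(sshd_setting "$f" PermitRootLogin)
    pa=$(sshd_setting "$f" PasswordAuthentication)
    pka=$(sshd_setting "$f" PubkeyAuthentication)
    case "${prl:-unset}" in
        yes)   echo "PermitRootLogin yes: root can be brute-forced by password" ;;
        unset) echo "PermitRootLogin unset: default depends on the OpenSSH version, set it explicitly" ;;
    esac
    # sshd defaults PasswordAuthentication to yes, so an absent line is weak
    case "${pa:-yes}" in
        yes) echo "PasswordAuthentication yes (or unset): every account still accepts passwords" ;;
    esac
    case "${pka:-yes}" in
        no) echo "PubkeyAuthentication no: key-only root login would lock you out" ;;
    esac
}

# vpn_only_rules [IFACE]: iptables rules that accept 22 and 10000 only on the
# VPN interface. Printed, not executed: review, then run as root with a
# console session open in case the interface name is wrong.
vpn_only_rules() {
    iface=${1:-tun0}   # assumption: OpenVPN's tun device
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i $iface -p tcp -m multiport --dports 22,10000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,10000 -j DROP
EOF
}

# Constructed before/after sshd_config fragments
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# constructed: root by password allowed, PasswordAuthentication left at default
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
# constructed: what the advice above produces
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="; audit_sshd "$WEAK"
echo "== hardened (no output expected) =="; audit_sshd "$HARD"
echo "== firewall =="; vpn_only_rules tun0
```

Order matters in the rule set: the ESTABLISHED,RELATED rule keeps your current session alive while you apply the rest, the OpenVPN port must stay open to the world or nobody can build the tunnel, and the DROP for 22/10000 comes last so the tun0 ACCEPT is evaluated first. Put your key in root's authorized_keys and confirm a key login works before setting PasswordAuthentication no.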
Is there a VNC (remote graphic access) way of accessing a LAMP server in a secured way through an SSH tunnel?
Are there some major reasons for not using remote graphic?
I’ve been accustomed to my Windows 2000 web server for many years and found it very convenient to access it using remote desktop.
Virtualmin makes a GUI obsolete IMHO.
But there are at least two reasons:
- Gigantic waste of resources
- Security: you increase the # attack vectors by magnitudes
But if your server is just a hobby and your server is too big anyway, then why not
(and regarding VNC via tunnel, search the web, there are probably thousands of tutorials)
Although you are probably right, I am just wondering why:
•Gigantic waste of resources
Is it not just sending a few bytes of data (cursor, mouse tracking) a few times per second and a larger chunk (when part of the screen changes)? To me it sounds like not much more than serving a graphic web site to an active user.
Also, since >15 years ago this was easily accomplished by old PCs (e.g. a Pentium 100 MHz), I am guessing that with a recent PC this would be proportionally easier.
•Security: you increase the # attack vectors by magnitudes
Again I would have thought that enabling only one port for VNC access (that would replace the virtualmin/webmin port) would have similar security issues.
did you check OSSEC? If yes, are you using it?
To mitigate brute-forcing of Virtualmin using the root user, you could make sure you tighten the host blocking options:
Webmin > Webmin Configuration > Authentication
I would leave “Block users with more than” and “Lock users with failed logins”, otherwise you might get locked out of root access, as I am not aware of any whitelisting option. Perhaps turn up the time a host is blocked for invalid login attempts? You could also change the port that is used to access Virtualmin, but that isn’t really security (in my opinion, security through obscurity doesn’t do much except slow down a determined attacker).
Just my opinion
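The settings behind Webmin > Webmin Configuration > Authentication are stored as key=value lines in /etc/webmin/miniserv.conf, so the "block hosts" tightening suggested above can be scripted. Added example, not from the thread or from Webmin itself: set_opt() edits a key idempotently (replace if present, append if absent) so the script can be re-run; the sample miniserv.conf is constructed, and the 10.8.0.0/24 range in the allow= line (Webmin's IP Access Control, the same idea as the OpenVPN suggestion earlier in the thread) is an assumption.

```shell
#!/bin/sh
# Added example: tighten Webmin/Virtualmin host blocking in miniserv.conf.
# Works on a copy of the file here; on a real server point it at
# /etc/webmin/miniserv.conf and run /etc/webmin/restart afterwards.

# set_opt FILE KEY VALUE: idempotent key=value edit
# (VALUE must not contain '|' or '&', which sed would interpret)
set_opt() {
    file=$1; key=$2; val=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${val}|" "$file" >"$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >>"$file"
    fi
}

# get_opt FILE KEY: prints the current value, empty if absent
get_opt() { sed -n "s|^$2=||p" "$1"; }

# harden_miniserv FILE: the host-blocking settings discussed above
harden_miniserv() {
    f=$1
    set_opt "$f" blockhost_failures 5     # failed logins from one IP before it is blocked
    set_opt "$f" blockhost_time 900       # block for 15 minutes (stock value is 60 seconds)
    set_opt "$f" passdelay 1              # pause after each failed login, slows guessing
    set_opt "$f" ssl 1                    # never expose the login form over plain HTTP
    set_opt "$f" ssl_redirect 1
    # Only localhost and the VPN subnet may connect at all (assumed 10.8.0.0/24).
    # Deliberately NOT touching blockuser_*: as noted above, user-level
    # lockout can lock root out of the panel.
    set_opt "$f" allow "127.0.0.1 10.8.0.0/24"
}

# Constructed sample of the relevant lines from a stock miniserv.conf
CONF=$(mktemp); trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
port=10000
listen=10000
ssl=1
blockhost_failures=5
blockhost_time=60
EOF

harden_miniserv "$CONF"
echo "== result =="; cat "$CONF"
```

Changing port= and listen= here is the "change the port" option mentioned above; as the post says, that only hides the service, whereas blockhost_time and the allow= list actually limit what an attacker can do against it.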