Settings for best security


This is what I do after a clean virtualmin install on a minimal OS install:

1. Disable root login by SSH; instead I use a regular user to log in and then “su” for root. I guess you could also use keys.

2. Enable the iptables firewall in Webmin to only allow the hosting ports.

3. Install & configure fail2ban; enable it not only for SSH but also for PAM, Postfix, ProFTPD, Dovecot and perhaps others. In more recent versions there will be a Webmin jail too, so you can use that out of the box.

4. Create a Virtual Server with a domain and make sure SSL is enabled as a feature.

5. Get the Let’s Encrypt certificates in “Manage SSL” through Virtualmin server management. This has the benefit of enabling SSL in those applications…

BUT I always change the protocols and ciphers to something along the lines of https://cipherli.st/, so that only TLS 1.2 is used.

I think Virtualmin actually enables Postfix for SSLv3, which is insecure.

You can then add HSTS to Apache (be careful, though, that auto-renewal works for the certs and that you are not using self-signed ones).

You then get the A+ rating on Qualys.

Then you can always run tools like Nessus & Netsparker to scan for any known vulnerabilities you might have missed.

Netsparker can scan your web apps for problems in PHP and so on.
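The protocol, cipher-order and HSTS points above are easy to get subtly wrong in Apache and Postfix config, so here is a small audit script for them. This is an added example, not code from Virtualmin or from the post's author: the two Apache snippets and two Postfix `main.cf` snippets are constructed samples, the function names and the six-month HSTS floor are my own choices, and the script treats Apache's `all` keyword as including SSLv3 (the conservative reading for older httpd builds) and flags an unset Postfix protocol parameter because older Postfix releases then allow SSLv3 by default.

```python
"""Audit Apache SSLProtocol/HSTS and Postfix TLS protocol settings.

Added example (not Virtualmin's code). Sample configs below are constructed.
"""
import re

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALL_PROTOCOLS = set(ORDER)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ORDER}          # case-insensitive name lookup
MIN_HSTS_AGE = 15768000                        # six months (assumed floor)


def apache_enabled_protocols(config: str) -> set:
    """Resolve the SSLProtocol directive into the set of enabled protocols.
    Assumption: 'all' is read as every protocol including SSLv3."""
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", config, re.M | re.I)
    if not m:
        return set(ALL_PROTOCOLS)              # no directive: treat as everything
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def audit_apache(config: str) -> list:
    """Return a list of findings for one Apache SSL virtual host block."""
    findings = []
    weak = apache_enabled_protocols(config) & WEAK_PROTOCOLS
    if weak:
        findings.append("SSLProtocol allows " + ", ".join(sorted(weak)))
    if not re.search(r"^\s*SSLHonorCipherOrder\s+on", config, re.M | re.I):
        findings.append("SSLHonorCipherOrder is not On")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', config, re.I)
    if not hsts:
        findings.append("no HSTS header")
    elif int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below six months")
    return findings


def postfix_enabled_protocols(value: str) -> set:
    """Resolve a Postfix *_tls_protocols value: '!X' entries exclude from all,
    '>=X' (Postfix 3.6+) sets a floor, a bare list is inclusive, empty = all."""
    toks = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if len(toks) == 1 and toks[0].startswith(">="):
        floor = CANON.get(toks[0][2:].lower(), toks[0][2:])
        return set(ORDER[ORDER.index(floor):]) if floor in ORDER else set()
    if all(t.startswith("!") for t in toks):
        return ALL_PROTOCOLS - {CANON.get(t[1:].lower(), t[1:]) for t in toks}
    return {CANON.get(t.lower(), t) for t in toks if not t.startswith("!")}


def audit_postfix(main_cf: str) -> list:
    """Return findings for the two smtpd protocol parameters in main.cf."""
    findings = []
    for param in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        m = re.search(rf"^\s*{param}\s*=\s*(.*)$", main_cf, re.M)
        if not m:
            findings.append(f"{param} not set (default applies; older Postfix allows SSLv3)")
            continue
        weak = postfix_enabled_protocols(m.group(1)) & WEAK_PROTOCOLS
        if weak:
            findings.append(f"{param} allows " + ", ".join(sorted(weak)))
    return findings


# Constructed samples: a typical default-ish block and a hardened one.
WEAK_APACHE = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
"""
HARDENED_APACHE = """
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""
WEAK_POSTFIX = "smtpd_tls_security_level = may\nsmtpd_tls_protocols = !SSLv2\n"
HARDENED_POSTFIX = (
    "smtpd_tls_security_level = may\n"
    "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n"
    "smtpd_tls_mandatory_protocols = >=TLSv1.2\n"
)

if __name__ == "__main__":
    for label, result in (("weak apache", audit_apache(WEAK_APACHE)),
                          ("hardened apache", audit_apache(HARDENED_APACHE)),
                          ("weak postfix", audit_postfix(WEAK_POSTFIX)),
                          ("hardened postfix", audit_postfix(HARDENED_POSTFIX))):
        print(f"{label}: {result or 'OK'}")
```

Run it against a copy of your own `ssl.conf` and `main.cf` by passing their contents to `audit_apache` and `audit_postfix`; an empty list means the settings match what the post recommends, while any finding names the directive to change before you rerun the Qualys test.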

Thanks for sharing, lawk :slight_smile: