“Having separate users isnt’ going to give me anymore security if someone gets into my root directory. Unless I am missing something, I can’t see where having a separate user name for each domain will stop a brute force attack.”
Yes, you’re missing something!
Virtuamin sets up each new website account to run asa new user, using suexec. This means that a compromise of one website does not compromise others. This separation does not apply to sub-servers or aliases (which are owned by the same user). The practice you’re describing is old school thinking, and dangerous. Sites in /var/www would all be run under the Apache user (unless you explicitly set it up with suexec for each application and a different user for each), meaning that any compromise of one website would compromise all websites (and databases, etc.). You should be able to set up your FTP client (or ssh client) to use certificates, so you can login as multiple users easily. You could certainly configure Virtualmin to do what you describe, but it is dangerous, and I can’t recommend it. We’ve been at this for a long time; and while we’re not perfect, the way Virtualmin sets up and (somewhat) isolates each new domain account has been developed over more than a decade, and borrowed from industry best practices along the way. Running a bunch of different things as the same user would be a mistake. We do understand that Virtualmin is intimidating on first use; I’d love to strip it down, but our power users would hate us. There’s an incredible amount of power and flexibility in Virtualmin. I would encourage you to spend some time with it, before deciding we’re doing everything wrong, because it’s not what you’re used to. We’re all still learning, but we’ve got more experience in this field than most (and we have about 100,000 users who rely on Virtualmin for their web host management). There are many tools for helping you manage deployment across multiple accounts and hosts. Depending on what languages and frameworks or applications you use, there may be tools specifically for deployment. Many folks like to push sites to version control and then check them out on the server when ready for production (and this can be automated with a wide variety of tools). Virtualmin can help you manage git or subversion repositories for this sort of thing. If you’ve got a lot of sites, automation is the right way forward, not stripping away security features.
You arent doing anything wrong. To the contrary. And for someone who uses CSF, IPtables, and mod_sec…I would never suggest stripping away security. All I am saying is this:
Your free version has probably 75% of never used features by 50-75% of its users. If it doesn’t, then it will in the years to come as more and more webmasters flip off the webhosting companies and go running to DigitalOcean, linode etc. For sure, there are features highly sought after by very talented individuals. But those highly skilled individuals are most likely the same that frown whenever they hear the word GUI. You can strip away alot of bells and whistles without compromising security for your day to day webmasters who want independence. Then make those bells and whistles a premium.
Your menu system is very extensive, maybe too extensive. I have watched countless instructional videos about virtualmin over the past 2 days. All of them struggled to find what they were looking for. Check it out for yourself and you will see what I mean.
Right now I am using centosCWP. Love it…but it is outdated. Not compatible with anything but centos 6.5 and apache 2.2 Creating databases, db users, mail accounts, domain, subdomains is a breeze. But I have to move on to centos 7 and apache 2.4. One thing I really like about it, one click recursively fixes all ownerships for any give user.
Your product is 5 star. No doubt. You just built a vehicle to take someone to mars when all we want to do is go to california.