Server Security
I am installing Webmin on a new virtual machine. I am trying to make the server as secure as possible so I am looking for some tips and suggestions. So far I have done this...
Run APT-GET UPDATE & UPGRADE
Installed Webmin/Virtualmin
Changed Webmin port
Changed SSH port
Changed FTP port
Created standard user
Added standard user to SUDO
Disabled ROOT login
I am also considering using "aide" too; is this recommended?
Comments
Sorry, this forum doesn't like formatting ^
Don't use Webmin? What do you need it for? Just use as little software as possible.
SSH Keys only for Login
Use public key authentication, disable password login
Okay, I'll set SSH to use keys instead.
As for Webmin, I will be using it, it is too easy.
Install CSF and follow the steps there...
CSF, sounds great. Thanks
Remove FTP server and use SFTP. You don't need to install anything on the server for sftp. It works over ssh.
You may need winscp on your desktop though. It is free.
I installed CSF as suggested and a few things came up. Firstly about /tmp not being secure. Is it recommended I follow this tutorial to secure /tmp?
http://ptihosting.com/blog/it-blog/how-to-mount-tmp-noexec-nosuid/
> using webmin
> concerned about security
?
Webmin is easy. Move the port higher, force https, iptables your webmin port/ ip, and also do the same for the webmin IP block list to limit to your IP.
He's saying webmin is insecure (according to him).
Webmin insecure -- I guess that would make all code ever written insecure also?
I think Webmin has done lots to make sure they are secure, and Webmin has been around since many of you were picking your nose and learning addition and subtraction. Webmin isn't perfect, but there are measures you can take to make your Webmin experience more secure, as others have said above (change default port from 10000 to whatever you want (bad bots won't find/detect you so easily), enable brute force detection/blocking, auth failure blocking, IP limits, etc.).
Code is made by man, and all we can do is continue to look at our logs, monitoring, and stay proactive with security alerts/warnings, and a hair of security by obscurity (take that as you want).
I have seen WHM/cPanel, Plesk, and DirectAdmin servers hacked before. I have been using Webmin for a personal project for almost three years without any glitch. I believe Webmin is just as secure as any other control panel.
My aim is to change ALL port numbers except HTTP running on 80, then use a firewall rule to block all traffic to non-HTTP traffic, except that coming from my IP.
Infinity580 suggested using Private SSH keys instead of passwords, which I have not done.
peppr suggested CSF, which I have also installed and currently working through the configuration.
Does anyone else have any real helpful suggestions?
Thanks
One suggestion would be to set-up a VPN and only allow the internal VPN-Network to connect to ssh.
^ Regarding SSH keys, I meant "now done", not "not done"
I am now running Debian 7 x64 on a KVM VPS with Webmin. When running a check with CSF, it says my /tmp isn't secure. I found this article online,
http://ptihosting.com/blog/it-blog/how-to-mount-tmp-noexec-nosuid/, would you recommend I follow this exactly? I mean, the article does work in securing the /tmp, but are there any changes I should also make which the article misses?
@ska, if SSH is limited to just my IP why would I need to VPN?
I can't see how this would help? Please explain...
Ah right, now I see
I think you might be a little too paranoid, OP.
So are you suggesting I install Debian and use Webmin straight out the box?
Yep, who's going to waste their time hacking you?
I don't see any reasons to ridicule the op, this thread is turning into a secure your webmin guide which is a good thing so stop making fun of the op & contribute something useful if you can...
Sorry.
If you've limited your webmin and any other management servers to your IP address, you've pretty much blocked most such attacks. You should be more concerned about social engineering and application-level attacks, which outside of very weak root passwords are far more common (and also make sure to keep all software updated).
He's already used iptables so Webmin is only accessible from his IP, and I hope is using HTTPS. What else could be needed? Unless someone hacks his computer or manages to spoof the IP, both of which have much larger problems.
If you use https and have a strong root password no one is going to hack your server via webmin. If you are really worried you can always log into ssh and start webmin when you need it and shut it down when you are done. No need to keep it running all the time.
Well, changing the ports is just security through obscurity; anyone can run a port scan on your IP and it'll show which port is on (with the name of the service).
For the FTP, if it is not needed to be on every time, then it is better to turn it off as you won't know when there will be a hidden 0day that is waiting to be exploited.
By the way, you can install fail2ban to prevent (more like slow down) hackers from bruteforcing your SSH account.
That is why I suggested running SSH behind a VPN.
Thanks to everyone who has been helpful in the above discussion. I believe my server is now as secure as I can make it without getting too technical. A summary of what has been done is below...
Webmin is running on HTTPS on a high range port number.
Webmin and apt-get automatically update daily.
All un-used services are removed or disabled.
FTP is running on a high range port number but only enabled when needed.
SSH is running on a high range port number.
SSH requires RSA keys only and no root login is allowed.
CSF is running and iptables restrict access to webmin and ssh to my ip range.
CSF is set to block anyone who fails 2 login attempts to webmin, ssh, or .htaccess.
CSF will also block anyone who is port scanning, or flooding to a certain extent.
Finally I have my "important" data backing up to Amazon S3 daily just in case.
While I now understand where @ska is coming from with the VPN, I don't see it is necessary in my case. If I feel my needs change, I'll keep it in mind for future use.
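
Added example, not part of the thread and not posted by any participant: a small shell audit for the SSH settings (keys only, no root login) and the /tmp mount options (noexec, nosuid) discussed above. The function names, the port 52022 and the sample files are constructed for illustration; on a real host you would pass /etc/ssh/sshd_config and /proc/mounts.

```shell
# Added example: audits the SSH and /tmp settings discussed in the thread.
# Simplification: Match blocks and Include files in sshd_config are ignored.

# Print the effective value of a keyword. sshd uses the FIRST occurrence of
# a keyword, and keywords are case-insensitive.
sshd_value() {  # usage: sshd_value <keyword> <config-file>
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(want) { print tolower($2); exit }' "$2"
}

# Return 0 only if password and root logins are off and public-key
# authentication has not been disabled.
audit_sshd() {  # usage: audit_sshd <config-file>
    rc=0
    [ "$(sshd_value PasswordAuthentication "$1")" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value PermitRootLogin "$1")" = no ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_value PubkeyAuthentication "$1")" != no ] ||
        { echo "FAIL: PubkeyAuthentication is 'no'"; rc=1; }
    return "$rc"
}

# Return 0 only if /tmp is a separate mount with noexec and nosuid.
# Input uses the /proc/mounts layout; the last /tmp entry is the active one.
audit_tmp() {  # usage: audit_tmp <mounts-file>
    opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$1")
    for flag in noexec nosuid; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) echo "FAIL: /tmp is not mounted $flag"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample inputs (not taken from any real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# hardened' 'Port 52022' 'PermitRootLogin no' \
    'passwordauthentication no' 'PasswordAuthentication yes' > "$demo/good"
printf '%s\n' 'Port 52022' '#PasswordAuthentication no' \
    'PermitRootLogin no' > "$demo/bad"
printf '%s\n' '/dev/vda1 / ext4 rw,relatime 0 0' \
    'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' > "$demo/mounts_good"
printf '%s\n' '/dev/vda1 / ext4 rw,relatime 0 0' > "$demo/mounts_bad"
audit_sshd "$demo/good" && audit_tmp "$demo/mounts_good" && echo "good samples: OK"
audit_sshd "$demo/bad" || true; audit_tmp "$demo/mounts_bad" || true
```

The "bad" sample fails because a commented-out `PasswordAuthentication no` leaves the keyword unset, and the "good" sample passes despite a later `PasswordAuthentication yes` because sshd honours the first occurrence.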