Server Security

andyGB Member

I am installing Webmin on a new virtual machine. I am trying to make the server as secure as possible so I am looking for some tips and suggestions. So far I have done this...

Run APT-GET UPDATE & UPGRADE
Installed Webmin/Virtualmin
Changed Webmin port
Changed SSH port
Changed FTP port
Created standard user
Added standard user to SUDO
Disabled ROOT login

I am also considering using "aide" too; is this recommended?

Comments

  • andyGB Member

    Sorry, this forum doesn't like formatting ^

  • Neoon Community Contributor, Veteran
    edited July 2013

    Don't use Webmin? What do you need it for? Just use as little software as possible.
    SSH keys only for login.

    Thanked by: ska
  • awson Member

    Use public key authentication, disable password login
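
The key-only login that Neoon and awson recommend can be checked against the sshd configuration. The script below is an added example, not code from either poster; its two config files are constructed samples, and the port numbers are assumptions.

```shell
#!/bin/sh
# Audit of the sshd settings the thread recommends: key-only login, no root
# login, non-default port. Added example, not code from any poster. The two
# config files are constructed samples; paths and port numbers are assumptions.

# sshd keeps the FIRST occurrence of a keyword and ignores later duplicates;
# Match blocks are not handled here. Prints the effective value, lowercased.
# Usage: sshd_setting <sshd_config> <keyword>
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Prints "ok", or a space-separated list of findings. Missing keywords count
# as their stock defaults (password auth on, root login permitted, port 22).
# Usage: audit_sshd <sshd_config>
audit_sshd() {
    findings=""
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] || findings="$findings password-login-enabled"
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] || findings="$findings root-login-allowed"
    [ "$(sshd_setting "$1" PubkeyAuthentication)" != "no" ] || findings="$findings pubkey-disabled"
    port=$(sshd_setting "$1" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } || findings="$findings default-port"
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

WEAK=$(mktemp); HARD=$(mktemp); trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# stock-style config (constructed sample): commented keywords are inactive
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# hardened config (constructed sample); the second PasswordAuthentication
# line is ignored because sshd uses the first value it sees
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF
echo "weak:     $(audit_sshd "$WEAK")"
echo "hardened: $(audit_sshd "$HARD")"
```

On a live box run `audit_sshd /etc/ssh/sshd_config` after `sshd -t` passes, and keep the old session open until a key-based login in a second terminal succeeds.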

  • andyGB Member

    Okay, I'll set SSH to use keys instead.

    As for Webmin, I will be using it, it is too easy.

  • Install CSF and follow the steps there...

  • andyGB Member

    CSF, sounds great. Thanks

  • Remove the FTP server and use SFTP. You don't need to install anything on the server for SFTP; it works over SSH.

    You may need WinSCP on your desktop though. It is free.

  • andyGB Member

    I installed CSF as suggested and a few things came up. Firstly about /tmp not being secure. Is it recommended I follow this tutorial to secure /tmp?

    http://ptihosting.com/blog/it-blog/how-to-mount-tmp-noexec-nosuid/

  • > using webmin

    > concerned about security

  • andyGB Member

    ?

  • bdtech Member

    Webmin is easy. Move the port higher, force HTTPS, iptables your Webmin port/IP, and also do the same for the Webmin IP block list to limit it to your IP.
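
The "iptables your Webmin port/IP" step above, written out as an added example (not bdtech's code). The admin address 203.0.113.5/32 and the ports 10000 and 2222 are constructed assumptions; the script prints the rules as a dry run unless APPLY=1 is set.

```shell
#!/bin/sh
# Limits the Webmin and SSH ports to one admin address with iptables, as
# bdtech suggests. Added example, not from the post. The address
# 203.0.113.5/32 and ports 10000/2222 are constructed assumptions.
# Commands are printed (dry run) unless APPLY=1 is set in the environment.

emit() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Returns 0 for a dotted-quad IPv4 address with an optional /prefix. The
# check exists because a typo here locks you out of SSH once the DROP lands.
valid_ipv4() {
    echo "$1" | awk -F'[./]' '
        NF < 4 || NF > 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Usage: restrict_ports <admin_ip[/prefix]> <port> [<port>...]
restrict_ports() {
    admin="$1"; shift
    if ! valid_ipv4 "$admin"; then
        echo "refusing: '$admin' is not an IPv4 address or CIDR block" >&2
        return 1
    fi
    for port in "$@"; do
        # iptables evaluates INPUT top-down, so the admin ACCEPT must be
        # appended before the catch-all DROP for the same port.
        emit iptables -A INPUT -p tcp --dport "$port" -s "$admin" -j ACCEPT
        # DROP rather than REJECT: a scan sees the port as filtered, not closed.
        emit iptables -A INPUT -p tcp --dport "$port" -j DROP
    done
}

restrict_ports 203.0.113.5/32 10000 2222
```

If CSF manages the firewall, as the OP's does, it rebuilds the chains on restart and these raw rules would be lost, so express the same source restriction through CSF's own allow list instead. sshd also listens on IPv6 unless configured otherwise, so ip6tables needs a matching DROP.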

  • @andyGB said:
    ?

    He's saying webmin is insecure (according to him).

  • dano Member

    Webmin insecure -- I guess that would make all code ever written insecure also?

    I think Webmin has done lots to make sure they are secure, and Webmin has been around since many of you were picking your nose and learning addition and subtraction. Webmin isn't perfect, but there are measures you can take to make your Webmin experience more secure, as others have said above (change the default port from 10000 to whatever you want (bad bots won't find/detect you so easily), enable brute force detection/blocking, auth failure blocking, IP limits, etc.).

    Code is made by man, and all we can do is continue to look at our logs and monitoring, stay proactive with security alerts/warnings, and keep a hair of security by obscurity (take that as you want).

    Thanked by: andyGB
  • andyGB Member

    I have seen WHM/cPanel, Plesk, and DirectAdmin servers hacked before. I have been using Webmin for a personal project for almost three years without any glitch. I believe Webmin is just as secure as any other control panel.

    My aim is to change ALL port numbers except HTTP running on 80, then use a firewall rule to block all non-HTTP traffic, except that coming from my IP.

    Infinity580 suggested using Private SSH keys instead of passwords, which I have not done.

    peppr suggested CSF, which I have also installed and currently working through the configuration.

    Does anyone else have any really helpful suggestions?

    Thanks

  • ska Member

    One suggestion would be to set up a VPN and only allow the internal VPN network to connect to SSH.

  • andyGB Member

    ^ Regarding SSH keys, I meant "now done", not "not done" :)

    I am now running Debian 7 x64 on a KVM VPS with Webmin. When running a check with CSF, it says my /tmp isn't secure. I found this article online,
    http://ptihosting.com/blog/it-blog/how-to-mount-tmp-noexec-nosuid/, would you recommend I follow this exactly? I mean, the article does work in securing /tmp, but are there any changes I should also make which the article misses?
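
A way to verify that the noexec/nosuid/nodev options from the linked article actually took effect, and to spot the mountpoints such articles tend to leave out. This is an added example, not from the thread or the article; the mount table it reads is a constructed sample in /proc/mounts format.

```shell
#!/bin/sh
# Checks whether a mountpoint carries the noexec,nosuid,nodev options the
# linked article sets on /tmp. Added example, not from the thread; the mount
# table below is a constructed sample in /proc/mounts format.

# Prints "ok", the missing options, or "not-a-separate-mount" when the path
# has no entry of its own (then it inherits the parent filesystem's options
# and the hardening does not apply). If a path is mounted more than once the
# last entry wins, matching the kernel's stacking order.
# Usage: tmp_missing_opts <mounts-file> [<mountpoint>]   (default /tmp)
tmp_missing_opts() {
    awk -v mp="${2:-/tmp}" '
        $2 == mp { found = 1; opts = "," $4 "," }
        END {
            if (!found) { print "not-a-separate-mount"; exit }
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0) missing = missing " " want[i]
            print (missing == "" ? "ok" : substr(missing, 2))
        }' "$1"
}

MOUNTS=$(mktemp); trap 'rm -f "$MOUNTS"' EXIT
cat > "$MOUNTS" <<'EOF'
/dev/vda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=524288k 0 0
/dev/vda1 /var/tmp ext4 rw,relatime,data=ordered 0 0
EOF
echo "/tmp:     $(tmp_missing_opts "$MOUNTS")"
echo "/var/tmp: $(tmp_missing_opts "$MOUNTS" /var/tmp)"
echo "/dev/shm: $(tmp_missing_opts "$MOUNTS" /dev/shm)"
```

On a live system run `tmp_missing_opts /proc/mounts` (and again for /var/tmp and /dev/shm, the usual gaps); note that a noexec /tmp can break package installs whose maintainer scripts run helpers from /tmp, so test an apt upgrade after the change.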

  • andyGB Member

    @ska, if SSH is limited to just my IP why would I need to VPN?
    I can't see how this would help? Please explain...

  • andyGB Member

    Ah right, now I see :)

  • awson Member

    I think you might be a little too paranoid, OP.

  • andyGB Member

    @awson said:
    I think you might be a little too paranoid, OP.

    So are you suggesting I install Debian and use Webmin straight out of the box?

  • perennate Member, Host Rep

    @andyGB said:
    So are you suggesting I install Debian and use Webmin straight out of the box?

    Yep, who's going to waste their time hacking you?

  • raza19 Veteran

    @perennate said:
    Yep, who's going to waste their time hacking you?

    I don't see any reasons to ridicule the OP; this thread is turning into a "secure your Webmin" guide, which is a good thing, so stop making fun of the OP & contribute something useful if you can...

  • perennate Member, Host Rep
    edited July 2013

    @raza19 said: I don't see any reasons to ridicule the OP,

    Sorry.

    If you've limited your webmin and any other management servers to your IP address, you've pretty much blocked most such attacks. You should be more concerned about social engineering and application-level attacks, which outside of very weak root passwords are far more common (and also make sure to keep all software updated).

    @raza19 said: this thread is turning into a secure your Webmin guide

    He's already used iptables so Webmin is only accessible from his IP, and I hope he is using HTTPS. What else could be needed? Unless someone hacks his computer or manages to spoof the IP, both of which have much larger problems.

  • If you use https and have a strong root password no one is going to hack your server via webmin. If you are really worried you can always log into ssh and start webmin when you need it and shut it down when you are done. No need to keep it running all the time.

  • Well, changing the ports is just security through obscurity; anyone can run a port scan on your IP and it'll show which ports are open (with the name of the service).

    For the FTP, if it does not need to be on all the time, then it is better to turn it off, as you won't know when there will be a hidden 0-day waiting to be exploited.

    By the way, you can install fail2ban to prevent (or more like slow down) hackers from brute-forcing your SSH account.

  • ska Member

    That is why I suggested running SSH behind a VPN.

  • andyGB Member

    Thanks to everyone who has been helpful in the above discussion. I believe my server is now as secure as I can make it without getting too technical. A summary of what has been done is below...

    Webmin is running on HTTPS on a high range port number.
    Webmin and apt-get automatically updates daily.
    All un-used services are removed or disabled.
    FTP is running on a high range port number but only enabled when needed.
    SSH is running on a high range port number.
    SSH requires RSA keys only and no root login is allowed.
    CSF is running and iptables restrict access to Webmin and SSH to my IP range.
    CSF is set to block anyone who fails 2 login attempts to webmin, ssh, or .htaccess.
    CSF will also block anyone who is port scanning, or flooding to a certain extent.
    Finally I have my "important" data backing up to Amazon S3 daily just in case.

    While I now understand where @ska is coming from with the VPN, I don't see it as necessary in my case. If I feel my needs change, I'll keep it in mind for future use.
