Virtualmin security guide. Part Two (7 Images)

fapvps Member
edited December 2013 in Tutorials

This guide continues where Part One left off.

Basic iptables firewall setup with Virtualmin

iptables is a very broad topic and a full treatment is outside the scope of this guide, so we will only cover what a Virtualmin box needs. In this section we will let Webmin generate a default set of rules and then adjust them to match the services this server actually runs.

Navigate to Webmin on the top left corner followed by Networking and click on Linux Firewall.

You might already have some rules here. Rather than editing them by hand, we will let Webmin/Virtualmin generate a fresh set and then trim it. Scroll to the bottom and click the Reset Firewall button.

Select the "Block all except ports used for virtual hosting, on interface:" option. eth0 is the default and in most cases the correct interface; adjust it if your public interface has a different name (check with ifconfig or ip addr). Click the Setup Firewall button.

Webmin has now generated a default set of ACCEPT rules, one per service. Next we place a check mark next to the rules we do not need so they can be deleted.

The following rules were checked for removal because this box does not run those services. Only remove what you really do not use: a Virtualmin server that hosts mail still needs the postfix and dovecot rules, and one that serves authoritative DNS still needs named (port 53, TCP and UDP).

clamd - Clam AntiVirus Daemon is a TCP/IP or socket protocol server.

dovecot - Dovecot IMAP/POP3 server

named - named (BIND) is a Domain Name Server (DNS) that is used to resolve host names to IP addresses.

postfix - Postfix is a Mail Transport Agent, which is the program that moves mail from one machine to another.

postgresql - PostgreSQL database server.

proftpd - ProFTPd is an enhanced FTP server with a focus towards simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.

spamassassin - spamd is a daemon process which uses SpamAssassin to check email messages for SPAM. It is normally called by spamc from a MDA.

usermin - Start or stop the Usermin server

Click Apply Configuration and the rule list will look like this.

As you can see, the default action for the INPUT chain is set to DROP, so any packet that does not match one of our ACCEPT rules is silently discarded.

We now have a very basic firewall that only allows incoming traffic on the ports we want plus some basic ICMP (for ping and path MTU discovery). Nothing else can get through. Newer versions of Virtualmin/Webmin detect custom ports for ssh and for Webmin itself (10000 by default) and add rules for them, but do not rely on that blindly: before you apply, check the list and be absolutely sure that your ssh and Webmin ports are on the ACCEPT list, or you will lock yourself out of the server. I encourage you to look further into iptables and what it offers.

Keep your system up to date

This is something that typically goes without saying. Keep an eye out for security fixes and install the critical ones as soon as they are released.

Shut down Virtualmin/Webmin when not needed

Once all your sites are up and running and you don't need to use the control panel anymore why do you need it to run on your system idling? Simply shut down Webmin and everything you set up will continue to run.

[root@virtualminbox fapvps]# service webmin stop

Stopping Webmin server in /usr/libexec/webmin

[root@virtualminbox fapvps]#

And when you do need to use it simply fire it back up.

[root@virtualminbox fapvps]# service webmin start

This will not be suitable for those who have other people using the control panel or if you set up Webmin to do background tasks such as updates and backups. You can also disable Webmin from automatically starting on bootup from Webmin>System>Bootup and Shutdown.

Using a jump box

If your system is important and you want to take every possible step to secure it, consider buying a couple of small VPSs for under $12/year to use as jump boxes. A jump box is a small instance that only runs ssh or a VPN, and its only job is to tunnel connections to your production systems. Once the jump boxes are set up, change the iptables rules on your production systems so that ssh, Webmin and any other remote-access service accept connections only from the jump boxes' IP addresses and from nothing else. Have more than one so that a single jump box going down does not cost you access to production. Since the jump boxes now hold the keys to your production systems, harden them at least as well: key-only ssh logins, no root login, and the same update discipline as above.
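The following script is an added example and not part of the original post or of Webmin's own code. It generates an iptables-restore ruleset that mirrors the firewall section above (default DROP, only the virtual-hosting ports open, the unchecked services left out) and, for the jump-box setup, restricts the ssh and Webmin ports to the jump-box addresses only. It also refuses to emit a ruleset that would lock you out. The port numbers, the interface name and the jump-box IPs (RFC 5737 documentation addresses) are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# ruleset for a Virtualmin box. Public ports are open to everyone; admin
# ports (ssh, Webmin) are open only from the jump-box addresses. The
# interface, ports and addresses below are assumptions for illustration.

IFACE="${IFACE:-eth0}"
WEBMIN_PORT="${WEBMIN_PORT:-10000}"
# Constructed jump-box addresses (RFC 5737 range); use your real ones.
JUMP_BOXES="${JUMP_BOXES:-203.0.113.10 203.0.113.11}"

# First uncommented "Port N" line of an sshd_config; 22 if none or unreadable.
sshd_port_from_config() {
  [ -r "$1" ] || { echo 22; return; }
  awk '$1 == "Port" { print $2; found = 1; exit } END { if (!found) print 22 }' "$1"
}
SSH_PORT="${SSH_PORT:-$(sshd_port_from_config /etc/ssh/sshd_config)}"

# build_ruleset PUBLIC_PORTS ADMIN_PORTS SOURCES
#   PUBLIC_PORTS are accepted from anywhere; ADMIN_PORTS only from SOURCES.
#   An empty SOURCES leaves the admin ports open to everyone (no jump box).
build_ruleset() {
  public="$1"; admin="$2"; sources="$3"
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp -j ACCEPT'   # ping etc., as Webmin generates
  for p in $public; do
    printf '%s\n' "-A INPUT -i $IFACE -p tcp -m tcp --dport $p -j ACCEPT"
  done
  for p in $admin; do
    if [ -z "$sources" ]; then
      printf '%s\n' "-A INPUT -i $IFACE -p tcp -m tcp --dport $p -j ACCEPT"
    else
      for s in $sources; do
        printf '%s\n' "-A INPUT -i $IFACE -s $s -p tcp -m tcp --dport $p -j ACCEPT"
      done
    fi
  done
  printf '%s\n' 'COMMIT'
}

# Lock-out guard: every admin port must be accepted from every source, and
# once sources are given there must be no unrestricted rule for that port
# (an unrestricted rule would silently undo the jump-box restriction).
check_admin_access() {
  ruleset="$1"; admin="$2"; sources="$3"
  for p in $admin; do
    if [ -z "$sources" ]; then
      printf '%s\n' "$ruleset" | grep -q -- "--dport $p -j ACCEPT" || return 1
    else
      printf '%s\n' "$ruleset" | grep -q -- "-i $IFACE -p tcp -m tcp --dport $p -j ACCEPT" && return 1
      for s in $sources; do
        printf '%s\n' "$ruleset" | grep -q -- "-s $s -p tcp -m tcp --dport $p -j ACCEPT" || return 1
      done
    fi
  done
  return 0
}

PUBLIC_TCP="80 443"                 # the virtual-hosting ports this box serves
ADMIN_TCP="$SSH_PORT $WEBMIN_PORT"  # the two ports we must never lock out
RULES=$(build_ruleset "$PUBLIC_TCP" "$ADMIN_TCP" "$JUMP_BOXES")
if check_admin_access "$RULES" "$ADMIN_TCP" "$JUMP_BOXES"; then
  printf '%s\n' "$RULES"
else
  echo "refusing to emit a ruleset that would lock out ssh/Webmin" >&2
  exit 1
fi
```

Save the output to a file, validate it with `iptables-restore --test < rules.v4`, and apply it with `iptables-restore < rules.v4` while a second ssh session from a jump box stays open, so you can flush the rules (`iptables -F; iptables -P INPUT ACCEPT`) if the new session cannot connect.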

This concludes Part Two of this guide. This is by no means a complete security solution but I hope it helps some new users get their foot in the door.
