A free control panel to manage the websites is a boon for every server owner.
And, that’s what make Virtualmin popular.
Just like any other product, ensuring Virtualmin security can avoid server attacks.
At Bobcares, we often get requests from customers to keep their Virtualmin servers secure as part of our Server Management Services.
Today, we’ll see how our Dedicated Engineers setup Virtualmin security to avoid potential server hacks.
Why we need to secure Virtualmin?
Basically, Virtualmin helps to manage multiple websites from a single panel. It allows to manage user accounts, web server configuration, manage databases, mailboxes, and much more.
Before proceeding further, let’s first see the importance of security in Virtualmin servers.
Hackers evolve every day and try to exploit known security holes on any system. For example, Virtualmin 6.03 allows cross site scripting, which can result in adding bogus scripts to websites. Therefore, it is really critical to always update the Virtualmin installation.
Additionally, when hacker manages to get access to the Virtualmin server, he can modify all domains on the server. Thus, in Virtualmin servers, our Security Engineers proactively set up security measures.
[Do you know that most of the server hacks happen due to poor server management? Offload your server management tasks to us.]
Steps for Virtualmin security
Security is not something that we can add at the end of server setup. Our Security Engineers always set up any server keeping the security as the primary concern. This involves many steps and will depend largely on the type of application running on the server. Ideally, security should begin during the initial server setup itself.
Now, let’s look on the top 7 steps that our Support Engineers take to ensure Virtualmin security.
1. Restricting access to services
A door without a lock make things easy for a thief. The same goes with security too. Therefore, as the first step of maintaining security, our Support Engineers set proper limits for users on accessing each service.
For example, in case of FTP server, we setup FTP directory restrictions in Limits and Validation -> FTP Directory Restrictions. That allows to lock an FTP user into their home directory.
Similarly, we enable restriction on SSH services too. This involves disabling direct root access for SSH. Instead, we setup a user and add it to wheel group and give special privileges. Thus, it helps to avoid hackers trying to crack the root user password.
2. Set proper file permissions
Again, a major share of server attacks happens when there are full permissions on the files and folders. Normally, these full permissions allow hackers to execute malicious scripts on the server. Thus, it can cause damage to the entire server.
To avoid this, we always restrict the permissions on the files and folders to bare minimum. For the files it will be 644 and the folders it will be 755. Unfortunately, manually checking these file permissions can be a tedious task. That’s why, our Support Engineers automate this task by setting up cron jobs to check the files and folders with full permissions.
3. Changing Virtualmin port
Similarly, changing Virtualmin port to an uncommon one also helps. By default, Virtualmin listens on port 10000. This can make attackers look for server with port 10000 open. To avoid the attack, our Security Engineers change the port to something else. To make this working, we set the port in the file /etc/webmin/miniserv.conf. Further, we restart the Webmin service to apply the changes.
4. Periodic updates of Virtualmin
From our experience in managing servers, we often see that some customers fail to update Virtualmin on time. They just install the server and forget about it. Unfortunately, this will not work in the case of servers.
For example, Virtualmin 6.03 had cross site scripting vulnerability. So, failing to update the server on time can make the server prone to attack.
Here, our Support Engineers ensure periodic Virtualmin updates from the Webmin control panel using the steps given below.
- Click on the Webmin section
- Select System
- Click on the Virtualmin Package Updates module
- Click on “Updates and new” button that displays both new Virtualmin packages and packages for which updates are ready.
- Run update.
5. Enable required features only
Yet another risk in Virtualmin security happens when enabling unwanted features on the server. The Virtualmin installer enables all of the Virtualmin features by default. But, this also enables service that you will never use.
To secure the server, we always make it a point to disable the features that we don’t need. For example, for simple WordPress websites, our Dedicated Engineers just enable Web Server and MySQL. This avoids the vulnerability via the unused features.
6. Server firewall
Likewise, server firewall helps to increase the security in Virtualmin. From our experience, we see that configuring firewall like CSF greatly helps in real time servers. Also, we block brute force attempts on the server using software like Fail2ban, Brute Force Detection, etc.
To give additional protection, we often restrict Virtualmin panel access to selected IP addresses. Thus, they will not be available to everyone in the internet.
7. Application updates
Last, but not the least, application updates are really critical for Virtualmin security. If at all we keep all the Virtualmin packages as the latest, if there is an outdated WordPress or Joomla installation on the server, it can cause server attack.
To avoid this, our Dedicated Engineers setup scripts to check outdated applications on the server. We automate this task via cron job. And, when we identify vulnerable applications, we work with customers to keep them on latest stable version.
[Proper server management can avoid typical server attacks. We can help you in maintaining security on the server.]
Conclusion
In a nutshell, Virtualmin proves to be a cost effective control panel solution. Today, we saw how our Support Engineers ensure Virtualmin security and avoid typical server attacks.
0 Comments