Security Questions


How can I prevent FTP Users from Browsing the Entire Filesystem?

If you want to limit how easily an FTP user can browse the server, you can set up FTP directory restrictions in Limits and Validation -> FTP Directory Restrictions. That allows you to lock an FTP user into their home directory.

Note that this only prevents an FTP user from browsing the system; there are other ways in which a user can do the same thing. See the next question.

How can I prevent other types of users from browsing the entire filesystem?

On Linux/UNIX-based systems, users can browse to any file or directory they have permission to view.

That means any file or directory set up as world-readable is visible to your users. In general, this is not a problem: the private data of other users is not something your users can browse by default.

Many files and directories on Linux and UNIX systems are required to be world-readable, and there is no way to prevent that. There will be some system files users can see, and one user can learn what other users exist on the system. Linux and UNIX systems weren't designed to act as jails that completely hide one user from another. Files that aren't okay for your users to see aren't made world-readable.

Even if you were to jail an FTP user into their home directory, a web-based file manager would still allow that user to browse world-readable files on your server, since they have permission to access them.
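The practical consequence is that the permission bits, not the FTP jail, decide what other users can read. The following is an added example, not part of the Virtualmin documentation: a small POSIX shell script that lists every world-readable entry under a directory (mode bit 0004) and clears that bit on a subtree you consider private. The directory layout it builds is constructed in a temporary location purely for demonstration.

```shell
#!/bin/sh
# Added example, not part of the Virtualmin documentation: audit a directory
# tree for entries that are world-readable (the "other" read bit, mode 0004),
# which any local or FTP user on a shared host can read no matter which FTP
# directory restrictions are in place, then clear that bit on a chosen subtree.

# Print every world-readable file and directory under $1, one per line.
world_readable_report() {
    find "$1" -perm -004 -print 2>/dev/null | sort
}

# Print the number of world-readable entries under $1.
world_readable_count() {
    world_readable_report "$1" | wc -l | tr -d ' '
}

# Remove the "other" read bit from everything under $1. Only the world read
# bit changes: owner and group permissions are untouched, and directories
# keep their execute bit.
remove_other_read() {
    find "$1" -perm -004 -exec chmod o-r {} +
}

# Constructed demo layout (a hypothetical home directory in a temp location):
#   public_html/index.html  -> meant to be world-readable (served to the web)
#   private/notes.txt       -> mistakenly left world-readable
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/public_html" "$demo_dir/private"
printf '<h1>hello</h1>\n' > "$demo_dir/public_html/index.html"
printf 'db password here\n' > "$demo_dir/private/notes.txt"
chmod 755 "$demo_dir" "$demo_dir/public_html" "$demo_dir/private"
chmod 644 "$demo_dir/public_html/index.html" "$demo_dir/private/notes.txt"

echo "World-readable before:"
world_readable_report "$demo_dir"     # 5 entries: the three directories and both files

remove_other_read "$demo_dir/private"

echo "World-readable after tightening private/:"
world_readable_report "$demo_dir"     # 3 entries: private/ and notes.txt no longer listed
# The temp directory is left in place for inspection; rm -rf "$demo_dir" to clean up.
```

Run it as the account owner against a real home directory to see which files other accounts on the host can read; anything under public_html that the web server must serve has to stay readable, so review the list before tightening.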

To obtain a level of security that completely hides all users from each other, and prevents a user from seeing world-readable files on your server, you may want to consider giving users a dedicated virtual machine (also known as a "VPS" or "virtual private server") rather than a shared hosting server. Unlike a shared hosting environment, a virtual machine is designed to completely hide and protect one user from another.

Cloudmin manages virtual machines, and is designed to work well with Virtualmin running inside of virtual machines. You can read more about Cloudmin here: https://www.virtualmin.com/documentation/cloudmin

I just set up my server and installed Virtualmin. Are there any steps I can take to improve the server's security?

The most common cause of break-ins on a server is older web applications with security vulnerabilities. There are bots constantly scouring the net for vulnerable services and web applications. If you are running a version of an application with a known security issue, those bots will eventually find and exploit it.

The top things you can do to maintain a secure system are to keep your web applications up to date, and keep all the system packages for your Linux distribution up to date.

Those two things will go a long way toward keeping your server secure.

Depending on your needs, some users like to use Fail2ban to help prevent password-guessing attacks. There are details on installing it in a Virtualmin environment here:

https://www.virtualmin.com/documentation/security/fail2ban