Virtualmin Server Security

8 posts / 0 new
Last post
#1 Thu, 04/21/2011 - 12:50

Virtualmin Server Security

Lets say we have centos 5.6 setup and virtualmin on it. thats all. What type of security steps are u suggesting? this page have a good summary of checklists i think. which steps on these are required to do? or do you have better suggestions rather then those security hardenings:

Complete list of technical services:

Firewall Protection:

    APF – Configure both ingress and egress firewall protection.
    BFD – Detect and prevent brute force attacks.
    CPHulk – Detect and prevent brute force attacks.

Spam Prevention and Anti-Virus Protection:

    ClamAV – Configure for e-mail scanning. Enable auto-updating anti-virus definitions.
    Realtime Blackhole Lists (RBLs) – Configure email server with RBLs to prevent spam.
    Harden Mailserver Configuration – Prevent against detection of valid e-mail address through brute-force attacks. Also enable HELO verification and other sanity checks.
    Dictionary Attack Protection – Prevent spammers guessing email addresses on your server.
    Checksum-based Collaborative Filtering – DCC and Razor to detect mass-mails.
    OCR Technology – Optical Character Recognition engine to detect spam in email as images and PDF files.
    Custom rulesets – Custom hand-selected SpamAssassin and ClamAV rulesets to increase spam detection.

HTTP Intrusion and DOS Protection:

    Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
    Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
    PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.

Server Hardening:

    Disable IP Source Routing – Enable protection against IP source route attacks.
    Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
    Enable syncookie protection – Enable protection against TCP Syn Flood attacks.
    Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
    Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
    Harden Apache – Prevent module and version disclosure information.
    Harden SSH – Allow only SSH version 2 connections.
    Harden Named – Enable protection against DNS recursion attacks.
    Ensure Filesystem Permissions – Fix permission on world writable directories and prevent against directory-transversal attacks.
    Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
    Harden “fetching” utilities - Allows root-only access of wget, curl, and other utilties often used in web-based attacks.
    Remove unnecessary packages – removes RPMS which are not needed to prevent against potential vulnerabilities and free up disk space.
    Disable unused services – Disable services which are not used.
    Disable unneeded processes – Disable processes which are not needed for server operation.
    PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhausting through fork bombs and other shell attacks.
    PHP Hardening – Enable OpenBaseDir protection.

Server Optimization:

    Optimize TCP/IP stack – Various changes to TCP/IP stack to increase buffers and optimize for server environment.
    PHP Configuration – Enables widely used PHP modules for maximum compatibility.
    MySQL Optimization – Optimizes MySQL performance for server configuration and enable query caching.
    PHP Caching – Optimizes PHP performance through EAccelerator script caching.
    FFMPEG and related software support – FFMPEG, Mencoder, flvtool2, and all related applications.
    Graphic Applications – Installs widely-used graphic applications NetPBM and ImageMagick.
    Monitoring Applications – Installs MyTOP, Iptraf, and Iftop utilities to easily monitor server performance.

Security Audits:

    Rootkit Hunter – Nightly scan to detect system intrusions.
    Chkrootkit – Nightly scan to detect system intrusions.
    Nobody Process Scanner – Scans for unauthorized "nobody" processes.
Thu, 04/21/2011 - 13:01

Well, in general -- if there were any security measure that were absolutely mandatory... it would generally be enabled by the vendor out of the box. Vendors aren't shipping insecure distributions.

You're of course welcome to perform additional security steps, but those steps would all be based on additional security you feel you require.

You may want to check out the FAQ entry "I just setup my server, and installed Virtualmin. Are there any steps I can take to improve the server security?" available in this doc:

Thu, 04/21/2011 - 14:38

Esspecially i am worried about Ddos and brute force attacks. Do we have any protection about those? for example brute force on ssh.

(sorry if i am asking wrong or stupid questions, have so limited time on opening a project and i am not a sysadmin ^^ )

Thu, 04/21/2011 - 14:51

Your question aren't wrong or stupid in any way -- they're just getting into difficult territory :-) Security issues (and the applications that are designed to solve them) can be complex.

Out of the box, most Linux distributions don't have anything setup to prevent SSH-based brute force attacks.

There are tools for handling that though.

There are many different ways to handle this, but one place to start would be to look at DenyHosts:

I don't personally have experience with it, but other folks in the forums here use it and seem to like it.


Thu, 06/09/2011 - 21:02

I would suggest, that if you are concerned you should install fail2ban. I was having literally thousands of brute force hack attempts a day before I installed and configured fail2ban. Now I get less than 50 a day.

Fri, 06/10/2011 - 04:24

fail2ban is a good solution, and a quick first step would be to run ssh on another port than 22. While that does not provide real security (rather "security by obscurity"), it will help greatly reduce the amount of brute force attacks you'll be seeing. Most of them are performed by "script kiddies" or infected machines, which quite probably will only test the default port and not scan them all.

Fri, 06/10/2011 - 15:01

It should be pointed out that fail2ban is flexible in that it can not only protect ssh brute force attacks, but other ports as well. For example, repeated dovecot signin attempts, http password attempts, all sorts of things. Very nice flexible product that does not consume vast amounts of resources.

There was another thread somewhere where people were lobbying for fail2ban to be included in vmin. It does run on all platforms as far as I know, though, in some cases the default strings it searches for are different so sometimes it takes a little tuning.

As far as the "required" list of hardening, I suppose all of those are good at some level. Keep in mind, many of them take away performance (cumulative effect), and, many of those also can break customers software, so, at that point, it's customers being mad vs the perceived security.

ddos is always a problem. Some specific appliances do fairly well at this. Depends on the data center. Some data centers make it your problem.

Thu, 07/14/2011 - 01:16
fakemoth's picture

This is the thread - I am still lobbying around :)

Don't take the name of root in vain...

Topic locked