My Virtualmin server was recently compromised - not rooted, but a user uploaded a WordPress style with a malicious PHP file in it that was used to relay vast quantities of spam through it - no fault of Virtualmin at all, let me add.
But I got together with a friend who's also a little knowledgeable about security and we did a security audit of the whole server.
We turned up a lot of things (boy, WordPress makes it so easy for users to install, and the default installation is completely insecure!)...
but one glaring thing we saw was that Virtualmin stores its passwords in plain text.
Now, I see that this has been brought up before on this board, and was reassured away with "because of Unix protections". This is not right at all.
My friend and I have been running these servers since the 90s. We've been rooted twice before, once through a BIND zero-day exploit, and I don't quite remember the other. We've ended up learning quite a bit about security...
and one of the basic rules is that you never store any password in the clear, anywhere, under any circumstances. There are many very good reasons that all operating systems used to store passwords in the clear, but not one major operating system does so in 2013.
Relying on your Unix protections to protect your files is false security, because there are so many ways for this to go wrong. Here are ones that have happened to me or friends of mine...
In particular, having passwords in the clear means that people can completely silently compromise the system by copying those files. All other means of compromising a system involve changing files - something which can be detected.
It's also important to remember that you are imperiling installations other than your own with this policy. It's a sad but true fact that most people tend to use the same password, or one password from a small set of passwords, for all their accounts everywhere. Once a hacker grabs a password file and all of /etc, the first thing they do is hook up those passwords with possible email addresses (very easy to do with Virtualmin's very standard file layout!) and then attack pretty well everywhere with those email/password pairs.
(And they have this automated. No one's going through editing /etc/virtual by hand, they dump it into a program that goes from password file to attack bot without humans being involved... this is Big Business!)
I cannot urge you strongly enough to consider how you could remove these unencrypted passwords from Virtualmin. At the very least, please do some research on the hazards of having passwords stored in the clear and try to think of some better way to mitigate this than "directory permissions".
Howdy,
"I cannot urge you strongly enough to consider how you could remove these unencrypted passwords from Virtualmin"
Whether or not to store passwords in plain text is an install-time option of Virtualmin... you can select that during the post-install wizard by enabling Hashed Passwords.
After installation is complete, you can change that for new Virtual Servers by going into System Settings -> Server Templates -> Default -> Administrative User, and there you can set "Store clear text passwords" to "No".
-Eric
HAH!
Well, silly old me! Good job on your part though.
The worst part is that, now you remind me of this step, I can see from my log that I did that the first time I rebuilt the server, and I didn't do it the second time (because I was in a desperate rush).
I just made that change to the template.
Is there some way to fix this for existing sites? I can't re-re-recreate this server from scratch, but I can't have these passwords in the clear either. I spent some time going through the available options on the control panel and didn't find anything - but I'm perfectly open to editing config files by hand if needs be.
Also, perhaps the default setting should be "no plaintext passwords"?
Thanks again!
So is there no way to fix this without rebuilding the server from scratch?
I have to say, I'm leaning now again to "this is a serious security violation".
You have a setting that's left insecure by default - I believe that's wrong to start with - but it also seems that there's no way to fix your server if you do make the mistake of using your dangerous default settings - and that's very wrong.
After changing the password storage setting in the Server Templates, you can change the behavior for the various users on your system by changing their passwords.
Once the passwords are changed, they'll begin using the hashed passwords.
-Eric
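A quick way to verify whether the template change and password resets actually took effect is to audit the per-domain records for a clear-text entry. The script below is an added example, not Virtualmin's own code or anything from this thread. It assumes (and you should confirm on your own installation) that Virtualmin keeps one key=value file per virtual server under /etc/webmin/virtual-server/domains/, with the clear-text password in a `pass=` line and the hash in `enc_pass=`; the directory and key names are assumptions, so adjust them if your files differ.

```shell
#!/bin/sh
# Audit helper (added example, not part of Virtualmin): list virtual servers
# whose domain record still carries a non-empty clear-text "pass=" entry.
#
# ASSUMPTIONS (verify on your server): records are key=value files under
# $DOMAINS_DIR, "dom=" names the domain, "pass=" holds the clear-text
# password and "enc_pass=" holds the hash.

DOMAINS_DIR="${DOMAINS_DIR:-/etc/webmin/virtual-server/domains}"

# Print "<domain> <file>" for every record that has a pass= line with a value.
# Records where pass= is empty or absent (hashed-only) are not reported.
find_cleartext_passwords() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^pass=.' "$f"; then
            dom=$(sed -n 's/^dom=//p' "$f" | head -n 1)
            printf '%s %s\n' "${dom:-?}" "$f"
        fi
    done
}

# Offline demo on constructed sample records (not real Virtualmin data):
# one domain still in the clear, one already converted to a hash.
demo() {
    tmp=$(mktemp -d)
    printf 'dom=example.test\nuser=example\npass=hunter2\n' > "$tmp/1001"
    printf 'dom=hashed.test\nuser=hashed\nenc_pass=$6$salt$hash\npass=\n' > "$tmp/1002"
    find_cleartext_passwords "$tmp"
    rm -rf "$tmp"
}

# Usage: ./audit.sh --demo            (run the constructed sample)
#        ./audit.sh /path/to/domains  (audit a real domains directory)
case "${1:-}" in
    --demo) demo ;;
    "") ;;
    *) find_cleartext_passwords "$1" ;;
esac
```

Run it as root against the real directory after changing a user's password; a domain that still shows up has not been converted and needs its password reset again (or its record inspected by hand). The same check in one line is `grep -l '^pass=.' /etc/webmin/virtual-server/domains/*`, under the same assumptions about the file layout.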
I've tried to change user passwords after changing the default template, but without any luck. I've tried to change passwords and create new users, and I can still see their passwords. Any clues what I could possibly be missing?

Great, then I've already done it!
You should still strongly consider making hashed passwords the default.
Thanks again!