I have to create a Virtual Server, and by default Virtualmin creates an administration account based on the website name (e.g. mydomain.com -> user mydomain, with a folder /home/mydomain).
I discovered this user can access the server over SSH, not only through the Virtualmin interface. This is not good at all. When a Virtualmin user makes no effort to change the default administrator name (like mydomain), he in fact hands over the first step in penetrating the system: the username. After that it is only a matter of the password to get in.
I suggest all Virtualmin users who do not create their own administrator names pay attention to SSH authentication. They should put the admin name (the domain name) into the SSH configuration to deny it.
In this way an attacker cannot use this intuitive name. Of course they can change the port or use Fail2Ban, but why not cut off the attempts from the very beginning?
My suggestion is that when you create a Virtual Server there should be an option to deny that user in the SSH configuration. Making this a visible check box would ensure no one skips it.
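One way to do what the post asks for by hand, as an added example (not code from the original post or from Virtualmin): derive the default admin username from the domain, put it on a DenyUsers line in sshd_config above any Match block, then syntax-check and reload sshd. It assumes the default admin user is the domain name up to its first dot (mydomain.com -> mydomain), the config lives at /etc/ssh/sshd_config, and the systemd unit is called sshd.

```shell
#!/bin/sh
# Added example: keep a Virtualmin domain administrator out of sshd by
# listing it on a DenyUsers line. Functions take the config path as an
# argument so they can be tried on a copy first.
# Assumed: the default admin user is the domain name up to the first dot.

# admin_name DOMAIN -> default Virtualmin admin username for DOMAIN
admin_name() {
    printf '%s\n' "$1" | sed 's/\..*$//'
}

# is_denied CONFIG USER -> exit 0 if USER is on an uncommented DenyUsers line
is_denied() {
    grep -Eq "^[[:space:]]*[Dd]eny[Uu]sers([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|$)" "$1"
}

# deny_ssh_users CONFIG USER... -> add a DenyUsers line for each USER that is
# not denied yet. The line goes above the first Match block: a DenyUsers that
# lands inside a Match block applies only to connections matching that block,
# so blindly appending to a file that ends with a Match block would not deny
# the user globally.
deny_ssh_users() {
    cfg="$1"; shift
    for u in "$@"; do
        if ! is_denied "$cfg" "$u"; then
            awk -v line="DenyUsers $u" '
                /^[[:space:]]*[Mm]atch[[:space:]]/ && !seen { print line; seen = 1 }
                { print }
                END { if (!seen) print line }
            ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        fi
    done
}

# deny_domain_admin DOMAIN -> deny DOMAIN's admin in the live config, then
# syntax-check and reload sshd (assumes /etc/ssh/sshd_config and a systemd
# unit named sshd; defined here but not invoked)
deny_domain_admin() {
    deny_ssh_users /etc/ssh/sshd_config "$(admin_name "$1")" &&
        sshd -t && systemctl reload sshd
}
```

Run `deny_domain_admin mydomain.com` as root after the virtual server is created; `sshd -t` refuses to reload a config it cannot parse, so a typo never locks you out.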