Newly created Virtualmin instance and some remarks about findings and security

#1 Wed, 04/10/2019 - 08:02
Jfro

Hi. Created CentOS 7 with yum upgrade/update and so on, latest. (ONLY FOR TESTING SOME STUFF on an instance)

Then the installation documentation from Virtualmin, so Perl and so on upfront: https://www.virtualmin.com/node/54781

https://www.virtualmin.com/documentation/installation

https://www.virtualmin.com/documentation

(Some extra upfront: the sshd made more secure is needed for every box, ciphers, keys and 2048 but better for a new system 3072 or 4096 bit!)

Then in the end the installation seems everything ok. LOGIN, then the rest of the post-installation and checks; that seems to stall / hang, back button and again, then ok, but a problem with the MariaDB password, and deleted the test db and so on, as every time with installation we have this. Again the post-installation part, then there filled in the uhum root password, it is (seems) working.

Then the still old problem for PAM still exists I think because of this. (https://www.virtualmin.com/node/19331)

Installing Perl module Authen::Libwrap from package perl(Authen::Libwrap) ..
Installing package(s) with command /bin/yum -y install perl(Authen::Libwrap) ..

Installation of Authen::Libwrap failed. Check the output above and try installing manually.
You can also install the module from CPAN with the command perl -MCPAN -e shell.
No package perl(Authen::Libwrap) available.
Error: Nothing to do
.. install failed!

Installing Perl module Authen::PAM from package perl-Authen-PAM ..
Installing package(s) with command /bin/yum -y install perl-Authen-PAM ..

NOT ENOUGH and not working. You have to do this after install to make it work!

The fix. Silly Red Hat people, they took out the "pam" header files.

yum install pam-devel

then install under "Webmin - Perl modules - suggested"

Solved

Then the systems are insecure, using old ciphers and protocols, TLS, RSA and 1024 bit and so on for almost everything.

You have to update all that stuff.

Better for new: minimal 3072 bit is the advice, 4096 is also ok I think if using in production. Very important point to look at?

Also some keys accessible ...

Further work to do with ProFTPD to make this more secure. You can use SSH / SFTP there, but then for email/FTP users this SSH doesn't work as it should, also directory listings and so on!?!?

(Dovecot, Postfix and HTTPD need work also, to update those to a secure 2019 state)

If using web search / forum search for PCI compliance Virtualmin and/or getting an A(+) at for example SSL Labs, you find a lot of very too old stuff.

UPDATES for those installations and also documentation are becoming more and more important, to prevent insecure boxes on the web; with those, hackers are trying to put down important infrastructure and more!

TLS 1.2 should be minimum, 3072 bit should be minimum and so on

no RC4 and 3DES; a long, long list to solve after installing new with the newest Virtualmin installation must be done before you have a kind of secure box.

Testing with SSL Labs https://www.ssllabs.com/ssltest and more links here

https://discovery.cryptosense.com/ please take care to have that IP not blocked by your firewall when testing too fast / too much in a short time; solution in console:

# Unban the scanner IP from every fail2ban jail (the status line looks like "Jail list: sshd, postfix")
for jail in $(fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'); do fail2ban-client set "$jail" unbanip 46.235.226.212; done

# Drop the saved firewalld rich rule, then reload so the running firewall picks the change up
firewall-cmd --remove-rich-rule='rule family=ipv4 source address=46.235.226.212 reject' --permanent
firewall-cmd --reload

https://en.internet.nl/ https://starttls.info/ https://mxtoolbox.com/ https://cipherli.st/ thanks Remy van Elst ;) https://cisofy.com/ security Lynis, also Dutch of course hihi ;) and thanks for this tool.

A lot of the base has after installation even 1024 bit; when you succeed to have 2048, 3072 or higher is recommended though!

Diffie-Hellman group security
Trigger: The server uses a commonly-shared 2048-bit Diffie-Hellman group.
Context:

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

For security, a 2048-bit group is reasonable although ECRYPT recommends a group size of at least 3072 bits (ECRYPT 2016 report). The use of commonly-shared 1024-bit groups such as Oakley group 2 is especially discouraged because of possible precomputation attacks (weakdh.org).

Certificate RSA key length
Trigger: The server uses a 2048-bit RSA key.
Context:

RSA keys must be long enough to provide reasonable security against brute-force attack by factoring. While 2048-bit keys are fine today, a minimum of 3072-bit is recommended by ECRYPT for new systems.

Also I presume a BUG, but simple workaround. New email user, then login in Usermin: you can't make/send email and you don't see the layout as it should be in the browser. Workaround here was: I sent an email to that user, then logged in as that user again and everything seems to be working all right then.

So with empty space / mailboxes something is not 100% right there, right after adding a user.

I can't go to the Pro version because of lacking support for some other third party repos we/I need / want to use! (CODEIT GURU, REMI, MARIADB for example)

So I support somehow with my texts here in the forum and also pointing to spam if I find it..
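The post argues for TLS 1.2 minimum, no RC4/3DES, and RSA keys and DH groups of at least 3072 bits, and then checks boxes with SSL Labs and Cryptosense. As an added example (not from the post or from Virtualmin), the script below grades an `openssl s_client` transcript against those same thresholds, so the check can be run from the console against any of the listed services (SMTP, IMAP, HTTPS, Webmin on 10000); the transcript text and the `probe` hostname are constructed, and the thresholds are the poster's, not a standard's.

```shell
#!/bin/sh
# Added example (not the forum poster's or Virtualmin's code): grade an
# `openssl s_client` transcript against the thresholds argued for in the thread:
# TLS 1.2 minimum, no RC4 / 3DES, RSA keys and DH groups of at least 3072 bits.
MIN_BITS=3072

# Reads an s_client transcript on stdin, prints findings, returns 1 if anything is weak.
tls_grade() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"Protocol  : "*)              # SSL-Session block, e.g. "    Protocol  : TLSv1.2"
                proto=${line##*: }
                case "$proto" in
                    TLSv1.2|TLSv1.3) echo "protocol: $proto" ;;
                    *) echo "WEAK protocol: $proto"; weak=1 ;;
                esac ;;
            *"Cipher    : "*)              # e.g. "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384"
                cipher=${line##*: }
                case "$cipher" in
                    *RC4*|*3DES*|*DES-CBC3*) echo "WEAK cipher: $cipher"; weak=1 ;;
                    *) echo "cipher: $cipher" ;;
                esac ;;
            "Server public key is "*)      # certificate key, e.g. "Server public key is 2048 bit"
                bits=$(printf '%s' "$line" | sed 's/[^0-9]//g')
                [ "$bits" -ge "$MIN_BITS" ] || { echo "WEAK certificate key: $bits bits"; weak=1; } ;;
            "Server Temp Key: DH, "*)      # finite-field DH group; ECDH/X25519 use a different scale
                bits=$(printf '%s' "${line##*DH, }" | sed 's/[^0-9]//g')
                [ "$bits" -ge "$MIN_BITS" ] || { echo "WEAK DH group: $bits bits"; weak=1; } ;;
        esac
    done
    return "$weak"
}

# Probe a live service (needs network and openssl), e.g.: probe mail.example.org 993
probe() { openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | tls_grade; }

# Constructed transcript of a default-looking install (2048-bit everywhere) for a dry run.
SAMPLE='Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE" | tls_grade || echo "verdict: weak (see findings above)"
```

For Webmin on port 10000 the same `probe host 10000` applies; the function only understands finite-field DH temp keys, so an X25519 or ECDH key exchange is not flagged either way.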

Sat, 04/13/2019 - 11:07
Jfro

So see for explanation and more info about some security matters here (more details about the reported security issues). A kind of remediation is posted there also; you could use that part as a meantime manual, I suppose.

https://www.virtualmin.com/comment/811134#comment-811134

Only pointing out the too old things in use with fresh default installs, to help whoever is reading the forum.

Every sysadmin should take care about those and some more to be on the safe side. Documentation Virtualmin and default settings are a few years behind for some. (So is this for SOFTWARE.VIRTUALMIN.COM:

Certificate expiration
Trigger: The expiration date of this certificate is 2018-08-26 06:18:54.
Sun, 04/14/2019 - 06:22
Jfro

Also these errors in the miniserv error log

https://www.virtualmin.com/node/65442

Tue, 08/06/2019 - 16:24
Jfro

Post a link with some other insight to check it out please; solving several warnings / errors could be helpful. ;)

https://check-your-website.server-daten.de/?q=virtualmin.com

Wed, 08/07/2019 - 12:31
Jfro

INFO WEBMIN port: on port 10000:

Tls12 RsaKeyX 4096 Aes256 256 Sha1 SO WEAK RsaKeyX and Sha1

IF SET IN the config for SSL Webmin only TLS 1.2 and strong PCI compliant ciphers / protocols.

Is not working, as you see; this is only for the 10000 port Webmin, not for SSH, FTP, HTTPD, SMTP, and so on, while here we did successfully change all.

So why after such a long time are Webmin/Virtualmin still "lacking support" by default for safe, up-to-date cipher lists and protocols?

Security is very important out of the BOX; if less secure is needed for some, have this as an option, with a warning if someone makes changes for less secure..

See a lot of links you can find on the WEB with remarks about that. Why? (even years old)

Updated: 2018-01-26 Created: 2014-05-04 https://sourceforge.net/p/webadmin/bugs/4403/

Take care. ;)

Sun, 08/11/2019 - 11:57
Jfro

Some TLS info in different languages concerning safety, weak and so on.

Germany: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Min...

Netherlands: TLS 1.0 and TLS 1.1 have to be phased out very fast, and some more: https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2019/mei/01/ict...

GDPR rules/laws, this info from 2017: https://pro2col.com/gdpr-encryption-in-transit/

USA: https://csrc.nist.gov/CSRC/media/Publications/sp/800-52/rev-2/draft/docu...
