Tuesday, December 16, 2014

[Quick Tips] : Install and enable Webmin SSL on CentOS


Webmin is a great, user-friendly, web-based control panel for any Linux server. Webmin is free, flexible, and very lean. Compared to the cPanel, DirectAdmin, and Plesk control panels for hosting environments, Webmin uses very few resources while being very functional. Webmin is a very powerful control panel that can control literally everything on your server. Webmin can run on a wide range of Linux distributions and other Unix-like systems, like BSDI, CentOS, CloudLinux, FreeBSD, Fedora, Gentoo, Linux Mint, Ubuntu, Mac OS, and lots more. Webmin comes with many standard modules as well as many third-party modules. Some useful standard modules from Webmin:
  • Bootup and Shutdown
  • Disk and Network Filesystems
  • System Logs
  • Users and Groups
  • Apache Webserver
  • BIND DNS Server
  • DHCP Server
  • MySQL Database Server
  • ProFTPD Server
  • SSH Server
  • Samba Windows File Sharing
  • Bandwidth Monitoring
  • Linux Firewall
In this article, I’m going to show you how to install Webmin on a CentOS server.
First, you need some extra packages to run Webmin over SSL (Secure Sockets Layer), which is more secure.

Install Webmin via webmin RPM package

Fetch and install the GPG key with which the packages are signed
Download Webmin for CentOS/Fedora/Red Hat
Finally, you can install Webmin on CentOS

Install Webmin via Webmin YUM repository

If you want to install Webmin via the YUM repository, you can create a webmin.repo file on your CentOS system
With the content
Save the file. You will now be able to install and update Webmin via the yum command like a normal yum package.

Login to Webmin

After you have installed Webmin, you can start using it. Since Webmin is a web-based control panel, you can use it to control your server over the internet through a web interface. A standard/default Webmin installation uses port 10000 over the http protocol. You can change the default Webmin port after you log in to Webmin. Your Webmin login should be your root user and your root password.
For non SSL webmin login
For SSL webmin login

[Linux Server] : How to install, config and secure openssh server



OpenSSH provides an end-to-end encrypted replacement for applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including username and password) over the wire in unencrypted form, and it provides host authentication to verify that you really are talking to the system that you think you are and that no one else can take over that session. Currently OpenSSH can be used with OpenBSD, NetBSD, FreeBSD, AIX, HP-UX, IRIX, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF, Mac OS X, and Cygwin.

Install OpenSSH

You will want your system to both receive and make connections via OpenSSH, so you will need to install the server and client packages
For Ubuntu, Mint, or Debian based distributions

For Fedora, Centos, or Red Hat based distributions


Config and Secure OpenSSH
Default openssh config files
/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.
Default openssh port
TCP 22
There are a few tweaks and changes to make before you open up your SSH server to connections from the outside world.

1. Disable OpenSSH server

You should disable and remove OpenSSH on machines that you don’t need connections to, such as workstations and laptops
For Ubuntu, Mint, or Debian based distributions
For Fedora, Centos, or Red Hat based distributions
If you run iptables, you will need to update it to remove the SSH exception rule and then restart it.

2. Only Use SSH Protocol 2

Make sure it’s in your OpenSSH server config file

3. Limit access to ssh server

Only allow certain users to access your SSH server, and deny the users you don’t want to have access to it.
To allow a user or users, add this to sshd_config
To deny
Personally, I highly suggest you deny the root user on the SSH server and SSH in with a normal unprivileged user; you can then become root after that.
To become root you can use su command
For Ubuntu, Mint, or Debian based distributions
For Fedora, Centos, or Red Hat based distributions

Config Idle Log Out Timeout Interval

You would not want to leave your SSH session unattended, so having an idle logout timeout is a good idea. Here I set mine at 300 seconds, or 5 minutes

4. Disable .rhosts Files

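Linux is a file-based operating system. If attackers use a network analyzer or launch a buffer overflow attack and capture a user ID and password, they can see what permissions the system gives to that specific user. A .rhosts file in a user’s home directory names remote hosts and users that are trusted without a password, which is why the SSH server should be told to ignore .rhosts files.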

5. Disable Host-Based Authentication

HostbasedAuthentication no

6. Disable root Login via SSH

As I mentioned before, you don’t want to log in with your root account. Besides denying user root, you should also disallow root login.

7. Having a Warning Banner

This is not really effective against somebody who wants to break into your SSH server, but it’s cool to have one as a sort of legal warning. We will place the warning notice in the /etc/ssh/ssh_banner file
Create ssh Banner
Sample warning banner /etc/ssh_banner

8. Change SSH server port

After denying and disallowing root login at numbers 3 and 7, I believe changing the SSH server port to a non-standard port is the second most important and effective way to prevent break-ins on the SSH server. I believe (I might be wrong) anything between port 1024 and 65535 is safe to use.

9. Disable Empty Passwords

You don’t want anyone to log in to your SSH server with an empty password

10. Use StrictModes

StrictModes lets SSH check the permissions on users’ home directories and rhosts files before allowing an SSH login, to make sure users don’t leave their directories and files writable by others on the same host/system.
Under # Authentication:, uncomment StrictModes, LoginGraceTime, PermitRootLogin, MaxAuthTries, and MaxSessions
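
As an added example (not code from the original post), the Python script below audits sshd_config text against the checklist above and shows why a directive that is still commented out does not count. Using `ClientAliveInterval` for the idle timeout, requiring each directive to be set explicitly, and the sample config are assumptions made for this example.

```python
# Values the checklist asks for (sshd keywords are case-insensitive).
EXPECTED = {"protocol": "2", "ignorerhosts": "yes", "hostbasedauthentication": "no",
            "permitrootlogin": "no", "permitemptypasswords": "no", "strictmodes": "yes"}

# Constructed sample: root login is "fixed" only in a comment, StrictModes is absent.
SAMPLE = """\
Port 2222
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
permitemptypasswords no
IgnoreRhosts yes
HostbasedAuthentication no
AllowUsers alice
ClientAliveInterval 300
Banner /etc/ssh/ssh_banner
Match User backup
    PermitRootLogin no
"""

def parse_sshd_config(text):
    """Return global {keyword: value}; sshd keeps the first value it reads."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue                      # commented-out directives are inactive
        if line.lower().startswith("match "):
            break                         # Match blocks only apply conditionally
        key, *rest = line.split(None, 1)
        settings.setdefault(key.lower(), rest[0].strip() if rest else "")
    return settings

def audit(text):
    """Return findings in checklist order; an empty list means all checks pass."""
    cfg = parse_sshd_config(text)
    findings = [f"{k}: {cfg.get(k, 'not set')} (want {v})"
                for k, v in EXPECTED.items() if cfg.get(k, "").lower() != v]
    if cfg.get("port", "22") == "22":
        findings.append("port: still the default 22")
    if not ({"allowusers", "denyusers"} & cfg.keys()):
        findings.append("allowusers/denyusers: no user restriction")
    if "banner" not in cfg:
        findings.append("banner: not set")
    if cfg.get("clientaliveinterval", "0") == "0":
        findings.append("clientaliveinterval: idle timeout disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

To check a real server, pass the contents of /etc/ssh/sshd_config to `audit()`, and run `sshd -t` to validate syntax before restarting the service.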