Thursday, 09 November 2023 13:08

My Virtualmin Notes

This page will cover Webmin, Virtualmin and Usermin but I focus on getting a fully fledged Virtualmin server running on Ubuntu.

  • A lot of Webmin tutorials and information will apply to Virtualmin because Virtualmin is a plugin/module of Webmin.
  • HeadingsMap Firefox Add-On
    • This plugin shows the tree structure of the headings in a side bar.
    • It will make using this article as a reference document much easier.

Overview

General

  • Virtualmin UI overview 2021 - YouTube - This official video gives you a great overview of the software.
  • Virtualmin is probably best when run with Apache.
  • Webmin vs. Virtualmin — RackNerd - Webmin and Virtualmin have been around for a long time, and they are known as one of the oldest free control panels that still exist today.
  • Virtualmin doesn't support Mysql any more? - Virtualmin - Virtualmin Community - Why MySQL is no longer supported and has been replaced with MariaDB.
  • Anyone using the new PHP version 8.3 on Virtualmin/Webmin? - General Discussion - Virtualmin Community
    • PHP doesn’t run “on Virtualmin” and Virtualmin does not use PHP for anything, so any questions about PHP should be about your apps and your OS and the repos you’re using. Virtualmin don’t care.
    • Virtualmin runs on Perl alone, which allows it to be completely separate from the actions on the server.
  • Virtualmin/Webmin is separate
    • Virtualmin/Webmin sits on top of Linux and only ever alters config files or issues commands, it does not change your Linux install beyond this so you can change things manually and Virtualmin will still work.
      • Some manual operations are frowned upon when Virtualmin is there to do these tasks for you to preserve consistency.
    • Virtualmin Framed Theme virtual-server-theme theme version 9.3 released - #12 by Joe - News - Virtualmin Community
      • No. Webmin runs under miniserv, a special purpose application server designed specifically for Webmin. The only way to make something happen “before the theme” would be to make it so the theme can’t customize the login page and couldn’t customize any unauthenticated pages (of which there are several in Virtualmin, and removing those features would be pretty dramatic for many users), which isn’t really ideal, either.
      • Even when you run Apache or nginx in front of it, Webmin’s own web server is still running underneath; it’s possible to run Webmin directly under Apache, but it’d provide horrible performance, much weaker security (no 2 factor auth, no password timeouts, you’d have to configure any extra access controls in Apache, rather than in Webmin, etc.), and would not be themeable in a meaningful way (the application server transparently performs the path changes for themes). Running a proxy in front of Webmin might be a security win, but running Webmin directly under Apache, definitely, would not.
      • There are ways forward that may improve overall security on an architectural level, but they’re not simple, and we’re considering our options on those fronts. But, there is no magic bullet for security in a very large system.
    • Rebuild httpd.conf with all virtual hosts - Help! (Home for newbies) - Virtualmin Community
      • Unlike most other control panels, we don’t generate config files from templates, we edit them in place. We can’t possibly “generate” it because we always edit what is currently existent. The config file is the source of truth. This is a feature, not a bug.

Sites

Components Explained

  • Overview
    • Basic Questions on VirtualMin,WebMin,UserMin - #2 by Joe - Help! (Home for newbies) - Virtualmin Community - What is a Virtual Server? Is that a website/domain that is provisioned for hosting? In IIS this is a website. What do you use to set this up…Webmin or Virtualmin?
    • Whm = virtualmin and usermin =cpanel? - #3 by eugenevdm.host - Help! (Home for newbies) - Virtualmin Community
      • Usermin is a completely separate (optional) tool, unrelated to Virtualmin, though the Virtualmin installer installs Usermin because it is a webmail client, among other things, that integrates nicely with Virtualmin and Webmin.
      • Administrators and domain owners login to the same UI. When you login to Webmin (Virtualmin) as a domain owner user, that is not Usermin. Usermin is a webmail client, among other things, that runs on port 20000, by default.
      • The access domain owners have is configurable in Virtualmin, in Server Templates, Account Plans, and Virtualmin Configuration. You can grant Virtualmin domain owners a lot or a little access. It defaults to a little (though it could be even less, the default is intended to be a usable subset).
  • Webmin
    • A Powerful and flexible web-based server management control panel.
    • This platform allows the installation of modules (plugins) to perform extra tasks.
    • Webmin is a web-based system administration tool for Unix-like servers, and services with about 1,000,000 yearly installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more.
  • Virtualmin
    • This is a Webmin module.
    • Virtualmin users log into Webmin and they do not use Usermin for this purpose.
    • Virtualmin is available in two versions. Virtualmin GPL and Virtualmin Professional.
  • Usermin
    • This is a Webmin module.
    • This is another portal aimed towards techies and server admins, not Virtualmin users.
    • Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.
    • Most users of Usermin are sysadmins looking for a simple webmail interface to offer their customers. Unlike most other webmail solutions, it can be used to change passwords, read email with no additional servers installed (like IMAP or POP3), and setup users’ configurations for forwarding, spam filtering and autoresponders.
    • Usermin need to see logfiles (webserver) - Usermin - Virtualmin Community
      • Usermin is webmail plus a few other features you may want to enable. It is not for managing domains.
      • A Virtualmin user is for managing Virtualmin domains owned by that user.
      • I’ve seen people on the web suggest that Virtualmin==WHM, and Usermin==cPanel, but that’s simply wrong. Virtualmin is not split like that.
      • Usermin is not a management tool, it’s for end users to read their mail, manage mail filters and such, change their password, maybe use File Manager (for their own files, not websites), etc. You can grant them some extra privileges, but there is a user explicitly for what you’re trying to do and it is the Virtualmin user that was created when you created the domain.
    • All Virtualmin Virtual Server 'Owners' get a Usermin account created.
    • Very configurable.
  • Filemin
    • This used to be separate, but is now the integrated file manager of Webmin.
    • You can configure the File Manager not to lock users into their home
      • Webmin --> Webmin Users --> Permissions for all modules --> Root directory for file chooser
      • This would allow them to traverse upward through the directory tree to the logs for the domain.
      • This only works for system users that are not linked to Virtualmin and is not standard practice.

GPL vs Pro

Pro

  • What counts toward your Domain count:
    • Each Virtual Server
    • Each Sub-Server
    • Each Sub-Domain (if you've enabled them)
    • Aliases do NOT count
  • Virtualmin Pro License subdomains - Virtualmin - Virtualmin Community
    • Sub-servers are full-featured domains that can have their own content, applications, mail, etc.(they can even have their own name unrelated to the parent domain). They count against the domain limit for this reason.
    • Aliases, which do not have their own content, do not count against the domain limit.
  • Create cPanel style subdomains (Manually) without increasing the domain count.
    1. How To Create Sub Domain In Virtualmin/Webmin - Petal Host - Most of the times we need to create sub domains in our accounts. Cpanel provides easy way to create sub domains. But when we talk about creating sub domain in Virtualmin/Webmin, it make us to think how to create sub domains as there is no direct option for creating sub domains.
    2. subdomains accounted for domains?? | Virtualmin
      • The following will not create a new Virtualmin 'Sub-Server' `Sub-Domain` account and will use Apache re-write to point the sub-domain to a sub-folder. This is a manual process.
      • Just wanted to point out that if you don't need all of the granular options/extended configurability that go with an actual server/sub-server account then a simple Apache rewrite rule can provide a simple "sub-domain" in terms of content presentation (mapping sub.domain.tld to a directory under said domain). Perhaps this is obvious but I hadn't seen any mention of it around.
      • I think spazzwig's suggestion is the best: having 'simple' sub-domains that just add a CNAME record to the DNS, add a <VirtualHost> directive in the Apache config file for that domain (or perhaps this can be done even without the VirtualHost entry, just using a redirect?), and then setup a folder inside domains/ (or perhaps subdomains/?).
      • I just tried it out manually, and all that's really needed is the CNAME, a new <VirtualHost> in the Apache domain conf file (or a new apache conf file would work just as well), and a subfolder inside the /home/domain.com. 
      • Or, you could write a "braindead sub-domains" module that creates a CNAME and a directive in Apache that points to a subdirectory in public_html. That'd be pretty trivial to write, and we wouldn't have any problem with folks doing that (we'd even answer any questions you might have about writing plugins)--but we aren't going to add more account types to Virtualmin.
      • It'd probably be cheaper to just write some code that'll simulate those subdomains, you can just map a subdomain to a folder with two or three lines.
        • DNS record, subdomain.domain.com. IN CNAME domain.com.
        • Apache ServerAlias subdomain.domain.com
        • Apache
          RewriteEngine On
          RewriteCond %{HTTP_HOST} ^subdomain\.domain\.com$
          RewriteRule ^/(.*)$ http://domain\.com/subdomain
        • Now any request to subdomain.domain.com will load domain.com/subdomain.
        • Automating this is somewhat harder but I imagine fairly easy; I've not looked into it yet.
    3. Creating subdomains on the fly server template adjustment - Virtualmin - Virtualmin Community - Discusses and shows a user's methodology.
  • Upgrading to Pro
    • Pre-Sales Questions - Virtualmin - Virtualmin Community
      • Yes, upgrading usually just requires adding the serial number and license key in the “Upgrade to Pro” form. Virtualmin will switch software repositories to the Pro repos and upgrade your system to the Pro version.
  • Getting support when you have a Pro License
    • Use the forum to send a private message
      • It has to be addressed to @staff; though the field is filled automatically when the button from virtualmin.com/support is clicked.
    • For Pro users there is a Virtualmin Support module that can be used effortlessly to submit a ticket.

Docker (via Cloudmin)

  • Setting Up Docker Virtualization – Virtualmin
    • Docker is not a true virtualization type like KVM, Xen or even LXC - instead it is a very lightweight container system that is typically used to run server processes in an environment that includes all their dependencies. Docker images normally contain a very basic Linux distribution and the files needed to run a single server like Apache, Nginx or MySQL.
  • Webmin Docker module - An easy way to deploy containers - Webmin Docker module allows to create and manage Docker containers easily. It involves setting up a Docker Host, adding docker images, etc.

Webmin / Virtualmin / Usermin

General

  • Virtualmin
    • allows the auto install of self signed SSL, you just have to find it.
  • Virtualmin Tab
    • Is always per single virtual server.
    • If there is more than one Virtual Server available in an account, they will be present in the drop-down menu. All Virtual Servers are present in the root or main admin account.
  • License Usage (GPL and Pro)
    • Am I allowed to rebrand Virtualmin, but retaining the MIT license? - Virtualmin - Virtualmin Community
      • Virtualmin is not under an MIT license.
      • There are some bundled components (e.g. JavaScript libraries, etc.) that are MIT and/or BSD-licensed, but Virtualmin GPL is licensed under the GPL and is subject to those terms, and Virtualmin Pro (everything in the pro subdirectory) is Copyrighted (and not freely distributable). Webmin is under a liberal BSD three-clause license (so the license notice needs to remain in place wherever it appears).
      • But, rebranding is fine for both GPL and Pro. You should be aware, however, that lang files get overwritten on updates, so you need to plan for that. The best way to handle that is…maybe a custom lang. You could also just make a patch using the diff command and then re-apply it after updates using patch. While it does change regularly, a patch will probably apply cleanly for quite some time. Or you could just script a search/replace using sed every time you update.
      • For the default page (the index.html that gets included in public_html when a new domain is created without content), assuming you’re replacing the whole thing, you don’t need to include any of our copyright notices. The web pages and apps you host on a Virtualmin system are not subject to our copyrights or licenses, unless they were made by us.
      • There are tools for adding logos and colors and stuff to the UI without needing to modify any files. It’s a configurable option. And, you can load custom stylesheets, which could more significantly alter appearance and insert logos or whatever.
      • Virtualmin Pro (everything in the pro subdirectory) is Copyrighted (and not freely distributable).
      • Pro subdirectory = /usr/share/webmin/virtual-server/pro/
    • Question about Virtualmin licensing for local development - Virtualmin - Virtualmin Community
  • How To Restore Deleted Module? - Webmin - Virtualmin Community
    • Q: I deleted fail2ban module because I want to use CSF, but now I want fail2ban back.
    • A: You could simply run apt-get install --reinstall webmin to restore any deleted files from the original package.
  • How to re-run the `Post-Installation Wizard`
    • Virtualmin --> System Settings --> Re-Run Install Wizard
  • Manage Virtual Server --> Switch To Server's Admin
    • This allows you to login as the owner of the currently selected virtual server.
    • cannot switch back to root after switch to server admin [#69822] | Virtualmin
      • Because for logging in, the given user name is used, there is no way to switch back from user account (server owner) to root (master administrator) account without compromising security, at least using our current model of authentication.
  • Webmin Modules menu
    • Virtualmin --> Webmin Modules
    • You only get this additional menu item when you login as a normal user (i.e. not root).
    • The available features are configured by permissions.
    • This menu can be turned on and off by the server admins on a per user basis.
      • Virtualmin --> Manage Virtual Server --> Edit Owner Limits --> Other restrictions --> Hide Webmin modules category in menu:

Install / Update / Upgrade / Uninstall

Some general information about this topic that I have put together. These do not form my installation instructions; those are at the bottom of this article.

Tutorials

Install

  • If you have an administrative user with sudo ALL privileges, commonly the first user on an Ubuntu system, you can use that user to login to Virtualmin.
  • Downloading and Installing Virtualmin – Virtualmin (Official method)
  • Virtualmin Professional – Virtualmin - Virtualmin GPL is already an extremely powerful and flexible virtual hosting control panel, so we're frequently asked about the differences between Virtualmin GPL and Virtualmin Professional. So, if you were wondering whether you should upgrade, you've come to the right place.
  • Once you have downloaded the install script, you can run it with the help switch, `install.sh --help`. It will give you help information and will not install anything or modify your system.
  • Automated Virtualmin Installation – Virtualmin
    • There are two methods for installing Virtualmin. The first is a fully automated script described in this document, and the other is a manual installation documented in the Manual Virtualmin Installation page.
    • This is the recommended method.
  • Manual Installation – Virtualmin
    • Unlike the Automated Virtualmin Installation, to make use of this installation type, your OS does not need to be freshly installed, nor does it need to be a supported operating system.
    • This method, however, requires significantly more knowledge on the part of the person doing the installation, and a much larger time investment to insure that all necessary configuration is performed and all Virtualmin managed services are working correctly.
  • The install will appear to get stuck but it is just slowly downloading assets. In total the installation took about 20mins.
  • Should certificates be put in /etc/ rather than the customer's home directory?
  • The MySQL module installs MariaDB

Update / Upgrade

GPL <--> Pro

  • Changing license will change the repositories used.
  • GPL and Pro are interchangeable in the sense of when the license expires, nothing will break but functionality will be reduced?
  • Uninstalling Virtualmin | Virtualmin — Open Source Web Hosting Control Panel
    • If you no longer need the features of Virtualmin Professional, but wish to continue to use Virtualmin on your system, you can downgrade quite easily by running:
      virtualmin downgrade-license --perform
    • It will completely replace Virtualmin Pro package with GPL variant, making it impossible to use Pro features anymore. It will also disable all reseller accounts. By downgrading to GPL, you will no longer support the product development.
  • What happens when updating from GPL to Pro to a server with ~30 domains? Pro has limit to 10 domains. - Virtualmin - Virtualmin Community
    • If you have 30 domains on a 10 domain server – two things would happen:
      1. You’d see a warning each time that you logged in as the Master Admin that you had exceeded the domain name limit.
      2. You wouldn’t be allowed to add any additional domains until you were under the 10 domain limit again.
  • When the Pro license expires, will the /pro/ folder be deleted?

Uninstall

  • Uninstalling Virtualmin – Virtualmin
    • There are many levels of uninstalling Virtualmin.
    • --uninstall - This should never be done on a system that is in production. It is very destructive. It is primarily for use when you tried an installation option (for example using Nginx instead of Apache) and have decided to change after trying it out.
    • Uninstalling / Downgrading Virtualmin Professional to GPL, both are covered here.
    • The 'virtualmin change-license' command is used for license changes and renewals. Check the license FAQ for details.
  • How can I uninstall Webmin? - FAQs | Webmin
    • Just run the command /etc/webmin/uninstall.sh. If you have installed the rpm package of Webmin, you can also use rpm -e webmin, or dpkg -r webmin if you have installed the deb package, or if you have installed the Solaris package you can use pkgrm WSwebmin command.

Custom Menu Links

Add additional items into the Virtualmin dashboard menu.

GPL

Basic and theme based, but will do the job for most

  • Theme Configuration --> Configuration category: Navigation menu --> Extra entries
    • Read the Tooltip.
    • Using Authentic theme you can add extra links at the bottom of the navigation menu in the dashboard.
    • The injection is done at the theme level, so all injections are global.
    • The links can be configured for display to 5 pre-set user groups.
    • The example code from the tooltip, formatted to be easier to read. Currently the field will not accept this format, so it needs to be flattened.
      {
          "extra": [{
              "title": "Google Mail",
              "link": "https://gmail.com/",
              "icon": "google",
              "level": "0,1,2,3,4"
          }, {
              "title": "BIND DNS Server",
              "link": "/bind8",
              "icon": "server"
          }, {
              "title": "Usermin",
              "link": "/",
              "icon": "envelope",
              "port": "20000",
              "target": "_blank"
          }]
      }
  • The Icons
    • There is a limited set of icons you can choose from.
    • They are a custom set of FontAwesome icons
    • You can preview most of them here: Authentic Kit Demo
    • Take fa- off and you have your icon name to use in the code above
    • For reference, the icons are base64 encoded and in `bundle.min.css` with the font name `Authentic`.
    • authentic-theme/unauthenticated/css/bundle.min.css
      /*
       * Authentic Theme (https://github.com/authentic-theme/authentic-theme)
       * Copyright Ilia Rostovtsev <ilia@virtualmin.com>
       * Licensed under MIT (https://github.com/authentic-theme/authentic-theme/blob/master/LICENSE)
       */
      body{text-rendering:optimizeLegibility}@font-face{font-family:Authentic;src:url(data:application/font-woff2;charset=utf-8;base64,d09GMg............ 

Pro

  • Virtualmin --> System Customization --> Custom Links

File Manager

Terminal / SSH

Ports being used

  • Webmin, Virtualmin, Usermin and other service Ports?
    • You can see them all here
      • Webmin --> Networking --> FirewallD:
    • What are the unnamed ones for?
      • 20: FTP Passive Mode Data
      • 22: SSH/SFTP
      • 2222: SFTP (FTP over SSH) (this uses ProFTPd jail features and doesn’t need configuration?).
      • 10000: Webmin
      • 10000-10100: Webmin RPC?
      • 20000: Usermin
      • 49152-65535: PASV (used for FTP Active mode and other things)
    • What ports should be opened for Virtualmin in firewall? – Server Administration – vpsfix.com Forum - This is a question people ask when configuring firewall for Virtualmin. This is really important on platforms like Amazon Web Services and Google Cloud platform because they have a built-in firewall blocking all connections.
    • Acronyms:
      • SFTP = SSH FTP
      • FTPS = FTP-SSL
  • Change Virtualmin/Webmin port

Webmin (only)

  • Restrictions / Security
    • Restrict access to Webmin by IP or Hostnames.
      • Webmin --> Webmin Configuration --> IP Access Control --> Allowed IP addresses:
    • Restrict access to Webmin of a single user by IP or Hostnames. In this case the root account.
      • Webmin --> Webmin Users --> root account --> Security and limits options --> IP access control --> Only allow from listed addresses: might accept range
    • Webmin can also be configured to allow users who have sudo privileges for all actions to login as a root-level user.
      • Webmin --> Webmin Users --> Configure Unix User Authentication --> Allow users who can run all commands via sudo to login as root
      • How can I connect to webmin as a sudo user - Super User
        • Now you should be able to login as any user that has ALL sudo privileges. This feature was added to accommodate systems like Ubuntu that do away with having a "root" account, by default (Ubuntu has a root account, but it has no password and the first user created gets added to the sudoers file automatically).
        • This option is enabled, by default, on systems that we know meet this description (like recent Ubuntu releases), I think.
  • Authentication
    • Authentication - Webmin Configuration | Webmin
    • For HTTP authentication, there is no session tracking at all - the browser sends the username and password for every request!
    • Clear login sessions
      • Webmin --> Webmin Users --> View Login Sessions

Usermin (only)

  • General
    • All Virtualmin Virtual Server 'Owners' get a Usermin account created.
  • Restrictions / Security
    • Restrict user's Usermin permissions
      • Webmin --> Usermin Configuration --> Module Restrictions --> Add a new user or group restriction
    • Restrict access to Usermin by IP or Hostnames.
      • Webmin --> Usermin Configuration --> IP Access Control --> Allowed IP addresses:

Themes

  • Changing the Theme in virtualmin – Virtualmin - This tutorial will show how to change the theme in Virtualmin.
  • Creating Overlay Themes | Webmin - This page explains how to create overlay themes, which are a new feature in Webmin 1.450 and later. These allow you to easily modify the colours, icons and CSS of another theme, without having to create or duplicate its entire layout.
  • Authentic Theme allows you to add your own JavaScript, JQuery, CSS and Perl to override things you don't like.

Email

General

  • Where are these default emails from?
    abuse@example.com
    postmaster@example.com
    hostmaster@example.com
    webmaster@example.com
    • These email addresses are usually created by an unmodified 'Default Settings' Server Template, but can be created from any Server Template.
      • Virtualmin --> System Settings --> Server Templates --> 'Default Settings' --> Mail for domain 
    • These emails are aliases of the 'Primary email address'.
      • Virtualmin --> Edit Users --> 'Virtual Server Owner' --> Email Settings --> Additional email addresses
    • To completely disable any email on the primary account
      • Virtualmin --> Edit Users --> <username> --> Email Settings --> Primary email address enabled: No
      • Virtualmin --> Edit Users --> <username> --> Email Settings --> Additional email addresses: <remove any found here>
  • Enable Email Forwarding
    • Email Mail Alias
      • Virtualmin --> Edit Mail Aliases --> Add an alias to this domain
      • This allows you to create a forwarder without requiring a real mailbox.
      • This feature will also allow you to create delivery groups.
    • How to setup email forwarding – Virtualmin - This tutorial will cover how to setup email forwarding for a user from within Virtualmin. Only works for an account that already exists.
    • Email forwarders based on conditions - #4 by maycobb - General Discussion - Virtualmin Community - Yes, it’s possible to set up email forwarding based on conditions such as the sender and subject line in Virtualmin. Virtualmin is a web hosting control panel that includes features for managing mail servers, among other things. Here’s a general guide on how you might achieve this in Virtualmin.
  • Misc

SPF / DKIM / DMARC / DANE / TLSA

  • DANE (TLSA)
    • DNS-based Authentication of Named Entities (DANE) is a technique to secure SSL/TLS connections using DNS entries, that are secured by DNSSEC.
    • DANE (DNS-based Authentication of Named Entities) is the option to use secured DNS infrastructure to store generic verifiable information for multi-factor verification. The most common use of DANE today is the TLSA record type (Transport Layer Security Authentication), which allows users to verify the PKIX certificate received from a website by querying for its information in DNS. TLSA is specified in RFC 6698.
  • DomainKeys Identified Mail – Virtualmin - Official documentation.
  • Proper way to add SPF for new Servers - Virtualmin - Virtualmin Community
    • Add to the DNS zone template
    • Virtualmin --> System Settings --> Server Templates --> BIND DNS Domain
  • Email going to spam. Dmarc, dkim, spf settings to improve delivery rate? [#68798] | Virtualmin
    • Webmin --> Servers --> Bind DNS Server --> Choose domain --> Choose type DMARC and finally i created the record adding 100 to percentage of messages to apply policy
    • Virtualmin --> Email Settings --> DomainKeys Identified mail and save.
    • If this is a proper way to create a DMARC record. = Not exactly. You should rather go to: Virtualmin --> DNS Settings --> DNS Options --> DMARC record enabled
    • Should i do it manually for every virtual server (DMARC)? = For DMARC records, you would have to edit Server Templates and its BIND DNS Domain and enable Add DMARC DNS record.
    • What else i can do in order to improve mail deliverability? = I would set DMARC policy to "reject". SPF record should still and also be enabled on mentioned DNS Options page above.
    • There is no global option in order DMARC is enabled by default after a new virtual server created or migrated right = However, in case you have hundreds of domains and doing it manually is difficult, you could use Virtualmin CLI to run mass update:
      virtualmin modify-dns --domain name | --all-domains | --all-nonvirt-domains
  • SPF Failure: Understanding Types and Causes
    • Learn About Different Types and Causes of SPF Failures. Unravel the Secrets Behind SPF Authentication for Enhanced Email Security.
    • It explains the different failure qualifiers
      • ?all (Neutral)
      • +all (Pass)
      • ~all (Soft Fail)
      • -all (Fail)
  • Why SPF Authentication Fails: none, neutral, fail(hard fail), soft fail, temperror, and permerror Explained - DMARCLY - For anyone who isn't well-versed in SPF and DMARC, this can be confusing as to why these errors occur in SPF, how they are interpreted in DMARC, and what action to take to fix them. This article is going to take a deep dive into these topics.
  • Sender Policy Framework | Official Homepage - The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.
  • How do I change the DMARC emails addresses?
    • Change the email address in the related server template
      • Virtualmin --> System Settings --> the template --> Edit template section: DNS domain --> (Reporting URI for forensic reports | Reporting URI for aggregate reports)
    • Regenerate the DNS records
      • Virtualmin --> DNS Settings --> DNS options
      • Click Save
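
An added example (not from the original article or from Virtualmin): a Python check of the SPF `all` qualifier and of the DMARC `p=`, `pct=`, `rua=` and `ruf=` tags discussed above. It runs on constructed TXT strings for example.com rather than live DNS; the function names and sample records are assumptions made for the illustration.

```python
import re

# SPF "all" qualifiers from the list above, mapped to the SPF result they yield.
ALL_QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}


def audit_spf(txt):
    """Return (result for unlisted senders, findings) for one SPF TXT string."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["not an SPF record (must start with v=spf1)"]
    findings = []
    for pos, term in enumerate(terms[1:], start=1):
        match = re.fullmatch(r"([+?~-]?)all", term, re.IGNORECASE)
        if not match:
            continue
        # A bare "all" carries the implicit "+" qualifier.
        result = ALL_QUALIFIERS[match.group(1) or "+"]
        # Mechanisms (terms without "=") that follow "all" are never evaluated.
        if any("=" not in t for t in terms[pos + 1:]):
            findings.append("mechanisms after 'all' are never evaluated")
        if result == "pass":
            findings.append("+all authorises every host to send for the domain")
        elif result == "neutral":
            findings.append("?all makes no statement about unlisted senders")
        elif result == "softfail":
            findings.append("~all only soft-fails unlisted senders")
        return result, findings
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return None, ["policy delegated with redirect=; audit the target record"]
    # No "all" and no redirect: unlisted senders get the default result, neutral.
    return "neutral", ["no 'all' mechanism; unlisted senders default to neutral"]


def audit_dmarc(txt):
    """Return policy, pct, report URIs and findings for one DMARC TXT string."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    out = {"policy": None, "pct": None, "rua": [], "ruf": [], "findings": []}
    if tags.get("v") != "DMARC1":
        out["findings"].append("not a DMARC record (v=DMARC1 tag missing)")
        return out
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        out["findings"].append("missing or invalid p= tag")
    else:
        out["policy"] = policy
        if policy != "reject":
            out["findings"].append(f"p={policy}: failing mail is not rejected")
    pct_text = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if pct_text.isdigit() and int(pct_text) <= 100:
        out["pct"] = int(pct_text)
        if out["pct"] < 100:
            out["findings"].append(f"pct={pct_text}: policy covers only part of the mail")
    else:
        out["findings"].append("pct= is not an integer between 0 and 100")
    for tag in ("rua", "ruf"):
        out[tag] = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    if not out["rua"]:
        out["findings"].append("no rua= address, so no aggregate reports arrive")
    return out


# Constructed sample records (not real DNS data).
SAMPLES = {
    "strict.example.com": (
        "v=spf1 mx a ip4:192.0.2.10 -all",
        "v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@example.com; "
        "ruf=mailto:postmaster@example.com",
    ),
    "loose.example.com": ("v=spf1 mx ~all", "v=DMARC1; p=none; pct=50"),
    "open.example.com": ("v=spf1 +all ip4:192.0.2.10", "v=DMARC1; p=quarantine;"),
}


def audit_all(samples):
    """Map each domain to the combined list of SPF and DMARC findings."""
    report = {}
    for domain, (spf, dmarc) in samples.items():
        _, spf_findings = audit_spf(spf)
        report[domain] = spf_findings + audit_dmarc(dmarc)["findings"]
    return report


if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLES).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To audit a live zone, pass in the TXT strings for the domain and for `_dmarc.<domain>` as returned by your resolver of choice.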

Virtualmin Install Scripts (3rd Party Apps)

  • Installing by script (eg phpMyAdmin, RoundCube)
    • You are able to install from a selection of apps using inbuilt scripts. The Pro version has many more.
      • Virtualmin --> Install Scripts
    • The free version includes all of the major ones you need.
    • Installable Applications – Virtualmin
  • Failed to install script : This script cannot be installed (phpMyAdmin)
    • Fatal Error!
      Failed to install script : This script cannot be installed, as this virtual server does not meet its requirements : phpMyAdmin requires a MySQL database
    • This is most likely caused by:
      • The MariaDB service not being enabled for this account.
      • No available database to install into.
  • Get rid of AWStats from public directory / there are symlinks and icon folders (awstats-icon, awstatsicons, icon, stats)
    • keep "stats" and other icon folders outside of the public_html - Virtualmin - Virtualmin Community
      • Q: Virtualmin creates these default folders: awstats-icon, awstatsicons, icon stats. I’d prefer to keep stats and other icon folders outside of the public_html folder.
      • A:
        • These files and symbolic links are used by “AWStats” so if you don’t need this feature you simply can remove the feature from the domain and safely remove folders/symbolic links.
        • That’d be somewhat tricky. You’d need an additional Directory section added to each VirtualHost in the Apache configuration. You could do that in Server Templates (you can add arbitrary Apache configuration for each new VirtualHost with Server Templates in the Apache section)…but, you’d also need the Virtualmin AWStats module to know about that, which it doesn’t look like it is configurable in that way. So, some code would need to be written in virtualmin-awstats.
  • Restrict access to Apps
    • NB: You can restrict access to the apps with a .htaccess file. For example, the code below blocks access from the internet but allows clients on your local network (192.168.1.0/24) to access the apps.
      # RESTRICT ACCESS TO DIRECTORY BY IP ADDRESS
      # Include in .htaccess of any directory
      <RequireAny>
          Require all denied
          #Require ip 1.2.3.4
          #Require ip 5.6.7.8/12
          
          # If local server access to the directory is required
          # add the following; include the server IP addresses (IPv4 & IPv6)
          Require local
          Require ip 192.168.1.0/24
          #Require ip 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      </RequireAny>
    • Add into the .htaccess a password requirement
    • Also you could add a referer requirement (I have not tested the code below)
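      <IfModule mod_rewrite.c>
          RewriteEngine On
          # Return 403 unless the client IP is listed or the Referer contains a listed site.
          # The Referer header is set by the client, so this is not an authentication control.
          RewriteCond %{REMOTE_ADDR} !=10.0.0.1
          RewriteCond %{REMOTE_ADDR} !=10.0.0.2
          # No "=" here: the pattern is a regular expression matched against the full Referer URL
          RewriteCond %{HTTP_REFERER} !wordpress\.com [NC]
          RewriteCond %{HTTP_REFERER} !google\.com [NC]
          RewriteRule ^(.*)$ - [R=403,L]
      </IfModule>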

Serverwide Apps

When you have multiple clients who all want to use phpMyAdmin, you or they (if allowed) can install phpMyAdmin individually on each virtual server. However, this seems a waste of resources and can lead to apps being out of date, so in this section my aim is to create a central location for all apps that will be used by clients serverwide. This allows one instance to be used and easily kept up to date by the server admin. Apps that are particular to a client can be installed on their virtual server as normal.

Selecting One Location for your Apps

Use this table to decide the best location for putting your centralised Apps.

  • www.example.com/apps/
    • Pros
      • No additional virtual server is required
      • Suitable for a low traffic and low resource environment
    • Cons
      • The apps are on your business website and will share its PHP version
      • Additional traffic to your business site will make tracking more difficult for SEO and SEM purposes
      • Proxying apps on this setup might have some issues
    • Who should use this
      • Personal Servers
      • Hosting with a few sites
  • apps.example.com
    • Pros
      • Suitable for high traffic
      • Apps are separate from your business site
      • Proxying apps on this setup is easy
      • Can change the port number of the server for better security
    • Cons
      • An additional virtual server is required which uses more resources
    • Who should use this
      • High traffic servers
      • Professional Hosting
  • other.example.com/apps/
    • Pros
      • Suitable for high traffic
      • Apps are separate from your business site
      • Proxying apps on this setup is easy
      • Can change the port number of the server for better security
    • Cons
      • An additional virtual server is required which uses more resources
      • Having the apps in a sub-folder is a bit pointless when apps have their own virtual server
    • Who should use this
      • High traffic servers
      • Professional Hosting
  • /usr/share/
    • Pros
      • No additional virtual server is required
      • Suitable for all traffic types
      • Apps are separate from your business site
      • Alias rule can be added into the Global Apache Configuration and will apply to all Virtual Servers
    • Cons
      • You cannot proxy this App
      • You must use the Apache 'alias' directive and the other required settings and know how they work
      • I am not sure how or if you can control ports with this
    • Who should use this
      • All traffic types
      • Professional Hosting

Alternative Access Methods

In this section I will outline a different way of accessing these centralised apps to give a better client experience or you can just use them as they are.

ProxyPass / Reverse Proxy

This is the modern way of doing things: you have a dedicated server running your app, and your web server passes the users' requests to it and returns the responses to the user, without the app server being seen by the user.

  • Is there a way of using the ProxyPass command to redirect <client-domain>/phpmyadmin to https://example.com/phpmyadmin? Virtualmin Pro has a ProxyPass rule builder in it which might do the job.
  • This is not really one location for apps, but it could be. You don't have to proxy whole domains.

Apache Alias

  • This will only work if the assets are on the same physical server. I am not sure if it works between virtual servers but it probably does.
  • Integrate phpMyAdmin into the virtualmin GUI - #6 by shoulders - Blue Skies - Virtualmin Community
    # phpMyAdmin default Apache configuration
    
    Alias /phpmyadmin /usr/share/phpmyadmin
    
    <Directory /usr/share/phpmyadmin>
        Options SymLinksIfOwnerMatch
        DirectoryIndex index.php
    
        # limit libapache2-mod-php to files and directories necessary by pma
        <IfModule mod_php7.c>
            php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
            php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
        </IfModule>
    
    </Directory>
    
    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/templates>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>
  • One central copy of phpMyAdmin - #6 by mrwilder - General Discussion - Virtualmin Community
    1. Install phpMyAdmin at /usr/share/phpMyAdmin
    2. Webmin --> Servers --> Apache Webserver --> Default Server --> Aliases and Redirects --> Document directory aliases: Add a matched pair with
      • From: /php
      • To: /usr/share/phpMyAdmin
    3. Apply changes and restart Apache.
    4. Now you can go to any domain on the box and get phpMyAdmin, eg:
    5. Make sure you have the authentication mode set the way you intended in (sounds like you want http probably) in config.inc.php!

Redirect (htaccess)

This is a fairly easy way: when a user goes to a particular URL, Apache redirects the request and the browser to the new URL.

Server Template (Apache Directive)

  • Virtualmin --> System Settings --> Server Templates --> Edit template --> Edit template section: Website for domain --> URL for webmail redirect
    • This will redirect webmail.yourdomain.com to the new URL you define with this setting.
      /etc/apache2/sites-available/example.com.conf
      
      ProxyPass /.well-known !
      RewriteEngine on
      RewriteCond %{HTTP_HOST} =webmail.example.com
      RewriteRule ^(?!/.well-known)(.*) https://example.com:20000/ [R]
      RewriteCond %{HTTP_HOST} =admin.example.com
      RewriteRule ^(?!/.well-known)(.*) https://example.com:10000/ [R]

Adding a Virtualmin Dashboard Menu Item

Now that we have set up our apps and decided how we are going to access them, we should add a menu link to the Virtualmin Dashboard. Check out the Custom Menu Links section on how to add a menu item.

Webmin Modules (3rd Party)

This is just a collection of Webmin modules that do not fit under any of the other categories.

CLI and Commands

The Command Line is very powerful and can do things the GUI cannot, in particular it is ideal for mass changes and automation.

  • Command Line API – Virtualmin
    • Using the command-line scripts included with Virtualmin to manage users, aliases, servers, databases and resellers.
      • Virtualmin includes a script named virtualmin that can be run from the Unix shell to perform actions that are usually done from the web interface.
  • To get a full list of commands, run these from the Terminal.
    virtualmin
    webmin --list-commands
  • config-system – Virtualmin - The config-system command configures a system and its services for use by Virtualmin. It is invoked during Virtualmin installation, but may be invoked later to either configure a new service (assuming the relevant packages have been installed) that was not enabled during installation, or to correct installer issues after they've been fixed by a new version of the virtualmin-config package.
  • bash: virtualmin: command not found
  • modify-php-ini (Changes PHP variables for some or all domains)
    • modify-php-ini | Virtualmin — Open Source Web Hosting Control Panel - Changes PHP variables for some or all domains (virtual servers)
    • This command will add/change the PHP values for CGI, FastCGI and PHP-FPM on a per virtual server basis.
    • This will not change the global PHP configuration files (php.ini / .conf)
    • Examples
      virtualmin modify-php-ini --domain example.com --ini-name memory_limit --ini-value 128M
      virtualmin modify-php-ini --all-domains --ini-name memory_limit --ini-value 128M
    • The files that are altered are (not all listed):
      # PHP-FPM
      /etc/php/7.4/fpm/pool.d/1231231231231234.conf
      
      # CGI, FastCGI, mod_php
      /home/username/etc/php7.4/php.ini
      
      # Apache Configuration
      # If mod_php is present, there can be some Apache configuration changes made. This is probably to .htaccess files, not Apache Directives.
    • Stuck in terminal after running the help command: virtualmin help modify-php-ini
      • use q or :q to exit from the terminal
    • Virtualmin modify-php-ini - Some clarification needed - #11 by shoulders - Virtualmin - Virtualmin Community
      • `virtualmin help modify-php-ini` what Apache configuration files does this change if any?
  • Rebuild httpd.conf with all virtual hosts - Help! (Home for newbies) - Virtualmin Community
    • You’ll need to get a default httpd.conf in place first, as Virtualmin will definitely be unhappy without one existing.
    • After that, I suspect you could disable the domain and then re-enable, though it might choke on the missing VirtualHost section. Try with one, first, and if it works as expected you can use the List Virtual Servers --> Update or the CLI command to do the rest in bulk.
    • Next, the following code should be put to a file and executed as a script (or run from the console using \)
      #!/usr/bin/env bash
      # Disable and then re-enable the web-related features on every non-alias domain.
      doms=$(virtualmin list-domains --name-only --no-alias)
      for dom in $doms; do
         virtualmin disable-feature --domain "$dom" --web --ssl --logrotate --webalizer --virtualmin-awstats --virtualmin-dav
         virtualmin enable-feature  --domain "$dom" --web --ssl --logrotate --webalizer --virtualmin-awstats --virtualmin-dav
      done
    • You can use the --all-domains switch now I think.

User Restrictions

  • Disable root login
    • TL;DR = no, but remove it from SSH.
      • Leave root enabled but without SSH permissions, making sure you have a secondary account with full sudo permissions.
      • This allows you to perform all tasks in Virtualmin and on your server without using the root account, but should this user account become locked you can still go to the console and access the system.
    • Should I disabled the root account after I have installed Virtualmin - Help! (Home for newbies) - Virtualmin Community
      • You don’t need root for Virtualmin. You need either a root user or an account that has sudo ALL privileges.
      • But, I would make sure you can login with that other user and that other user can do everything in Virtualmin before disabling root login.
      • Disable root from SSH, but leave it on so you can access from the console (and through VM) if you get locked out.
      • You do have to have a root user (many processes start with UID 0), but you can disable direct logins as root in a variety of ways. Using the “lock” option in passwd, as you mentioned above, is one (this sets the hashed password to start with !, which will never match a hash and thus prevent all authentication as this user). Disabling root logins in ssh is another (console root login still works). I tend to prefer the latter, as I like knowing I can get in on the console in the event everything else fails. But a sudo-capable user works for that, too, and you probably always still have single user mode, if you can get to the console.
    • webmin - How to disable root login on Virtualmin - Stack Overflow
      • Different options to remove the root user from Webmin, goto Webmin --> Webmin Users
        1. delete the root account (not recommended)
        2. remove all privileges from the root user.
        3. Limit access by root. Expand Security and Limit Options and select Only allow from listed addresses for IP Access Control. Enter the loopback address (127.0.0.1) into the field. The root user will still exist, but will be unable to login.
        4. Click root and rename it to a new username you will use.
    • To disable root login in Virtualmin, you can do one of the following | Bing Search
      1. Create a new sudo user via command line. That user can then login to webmin with all privileges. Once confirmed that you can login to webmin with new name, remove root password via command line or disable root login via webmin
      2. Log in as a user with administrator privileges and click on Webmin --> Webmin Users. In the list of users, either delete or remove all privileges from the root user.
      3. Give an existing user sudo privileges, and they can then log into Virtualmin as the Master Admin. You could also just change the shell on the root account, so they can't log in via SSH and such, but can log into Virtualmin.
      4. Locate the Allow login by root option and select the radio button next to No.
      5. Edit the /etc/ssh/sshd_config file and uncomment (if it is commented) the directive PermitRootLogin and set its value to no.
      6. You can also set PermitRootLogin to “without-password”, which says that you can login remotely as root, but only if you’re using an SSH key.
  • File Manager - users able to access all files on server, change this setting
    • Webmin --> Usermin Configuration --> Access Control Options --> Root directory for file chooser: "User's home directory"
  • SSH
    • SSH Access to Website - #10 by danwtsa - Virtualmin - Virtualmin Community
      • Additional users in the domain share a group with the domain, but not the same user. So, the public_html directory would need to be writable by the group for a user with a different UID (but the same GID) to write to it. There are some security implications to making that change, but if all users in the domain are trusted to have write access to the website, you should be fine.
      • You can alternatively create an FTP user (and allow them to also use ssh), in the Edit Users page, which I believe will share a UID with the domain owner user. I need to look at how things have changed, as I don’t actually know what all the user types do now, after Ilia renamed them all. (I’m sure it’s less confusing than it was before, at least I hope so, but I knew what the old ones meant and don’t know what the new ones mean.)
  • Misc
    • Cannot change 'allowed login type' in owner limits?
    • The virtual server owner will always have access.
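
The root-login settings discussed under "Disable root login" above (PermitRootLogin in /etc/ssh/sshd_config, and a locked password whose hash starts with !) can be checked with a short script. This is an added example, not code from Virtualmin or the quoted posts; the function names and the sample config and shadow lines are constructed, and the parser assumes a single file (it does not follow Include directives).

```shell
#!/bin/sh
# Added example: audit how root can authenticate, from sshd_config and shadow text.
# Function names are hypothetical; the sample data below is constructed.

# Print the global PermitRootLogin value from sshd_config text on stdin.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block because settings
# there are conditional. Include directives are not followed.
permit_root_login() {
    awk '
        {
            sub(/#.*/, "")                      # drop comments
            sub(/^[ \t]+/, "")                  # drop leading whitespace
            if ($0 == "") next
            n = split($0, f, /[ \t=]+/)         # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit
            if (key == "permitrootlogin" && n >= 2) {
                gsub(/"/, "", f[2])             # value may be double-quoted
                print f[2]; found = 1; exit
            }
        }
        END { if (!found) print "prohibit-password" }   # OpenSSH default since 7.0
    '
}

# Exit 0 when the value blocks password logins for root over SSH, 1 when it
# allows them, 2 for an unrecognised value. without-password is the older
# spelling of prohibit-password.
root_ssh_password_blocked() {
    case "$1" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        yes) return 1 ;;
        *) return 2 ;;
    esac
}

# Exit 0 when the password field for root in shadow(5) text on stdin starts
# with "!" (what passwd -l writes) or "*"; neither can match a password hash.
root_password_locked() {
    awk -F: '$1 == "root" { seen = 1; if ($2 ~ /^[!*]/) locked = 1 }
             END { exit ((seen && locked) ? 0 : 1) }'
}

# Constructed sample data: the first uncommented PermitRootLogin line wins.
SAMPLE_SSHD_CONFIG='# constructed sample
#PermitRootLogin yes
permitrootlogin without-password
PermitRootLogin yes
Match Address 192.168.1.0/24
    PermitRootLogin yes'
SAMPLE_SHADOW='root:!$6$constructed$hash:19670:0:99999:7:::
admin:$6$constructed$hash:19670:0:99999:7:::'

# Summarise both checks on one line. $1 = sshd_config text, $2 = shadow text.
report() {
    value=$(printf '%s\n' "$1" | permit_root_login)
    if root_ssh_password_blocked "$value"; then ssh="blocked"; else ssh="ALLOWED"; fi
    if printf '%s\n' "$2" | root_password_locked; then pw="locked"; else pw="usable"; fi
    printf 'PermitRootLogin=%s ssh_password_login=%s root_password=%s\n' "$value" "$ssh" "$pw"
}

report "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SHADOW"
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually resolves, including files pulled in with Include.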

Templates / Defaults

General

  • Server Settings and Templates – Virtualmin
    • Variable substitutions which can be used in the text boxes below, which will be evaluated at server creation time.
    • An overview of the different templates.
  • Template Variable Listing – Virtualmin - This page lists many of the template variables that you can use in email messages to domain owners and mailboxes, initial website content, Apache and BIND configurations and many other places in Virtualmin.

Skeleton directory for files / Default website files / Holding page

  • Located here: /etc/skel
  • The Index file must be located as so: /etc/skel/public_html/index.html
  • You can have different default files set up in different skeleton folders, allowing for multiple options. You just need to change where a particular Server Template gets the skeleton files from.
  • A skeleton directory contains files that will be copied into the newly created home directory of the domain user. It can contain other directories, which will also be created in the home directory. This can be used to provide a pre-configured set of scripts or web content for some or all server templates.
  • Variable substitution in skeleton HTML files
  • Website Default Page – Virtualmin
    • Upon setting up a virtual server using Virtualmin, a default landing page is created. This page serves multiple purposes and provides information about the status of the website and server configuration in general.
    • These might not appear if you have files in your skeleton directory.
  • Is it possible to change the default page shown when virtual site are disabled | Virtualmin
    • You can configure that at: Virtualmin --> System Settings --> Server Templates --> e.g. Default Settings --> Website for domain
      • Disabled website HTML: This field can be used to customize the message that appears when connecting to a website for a disabled Virtual server. The default message simply states Website Disabled.
      • Disabled website URL: This option can be used to re-direct browsers connecting to the website of a disabled virtual server to a completely different URL, rather than simply displaying a locally served HTML message.
  • How can i change the default "LandingPage" (webserver home page using HTML on webmin/virtualmin - Webmin - Virtualmin Community
    • Add a new index.html to /etc/skel/public_html/ (or whatever skel directory you have configured).
    • You should not change anything in the Virtualmin installation directories. Any such changes will just be overwritten next time you install an update.
    • I guess we should clarify whether you want to edit one such file (one already setup for a domain account in the user’s public_html directory), which is what Stegan is talking about, or if you want to change the default that is put in place in new domains, which is what I’m talking about with adding a file to /etc/skel/public_html.
    • Skeleton dir is also configurable per-Server Template (under Home Directory), so you can have multiple default pages, if you want.
    • You can put anything you want in your own default page. There are literally no restrictions imposed by Virtualmin on what you put in /etc/skel/public_html/index.html. If you want it to be a redirect, make it a redirect (that seems confusing, to me, without a little explanation, though…I think your users would be better served by a little bit of explanation of how to replace the default page with their own content, etc.).
  • Server Template - Skeleton Substitution - Help with Speed - Virtualmin - Virtualmin Community
    • Take a peek in Virtualmin --> System Settings --> Server Templates --> Default --> Home directory
    • Jamie recently added a feature that would allow you to specify a regex for file patterns to not perform the substitutions.

Server Templates

  • Create a Server Template (notes)
    • The 'Default Settings' template cannot be deleted.
    • These are used for the initial build of a Virtual Server and various Post-processes such as creating a database and resetting DNS Zones.
    • Changes are not actively reflected to accounts using the template.
    • cPanel does not have an equivalent to this. This is server level administration and allows setting up pre-determined server configurations.
    • For use by: in templates you create you get 4 options, whereas the default templates only have one option here.
    • You cannot clone the 'Default Settings' template, but there is a button called 'Create a template from the default settings'
    • The 'Create a template from the default settings' refers to the 'Default Settings' template. I am not sure why it does not have a clone button which would be more logical.
    • You can edit and save the 'Default Settings' and 'Settings for Sub-Servers' templates.
    • When you select use 'From default settings ', these settings are inherited from the 'Default Settings' server template.
    • If you choose 'Create a template from the default settings', a new template is created using all of the settings from the default template; rather than setting everything to default, these are hard settings.
    • If you choose 'Create an empty template' a new template is created with all options set to default.
    • Not all of the settings are used upon the creation of a Virtual Server such as the 'MariaDB database' settings, these are only used when you create a new database. This means that the settings in the various different sections are used at different times.
    • I cannot tell if any of the settings are used in a live fashion or they are only used when new items are created, which is definitely the case for most if not all of them.
  • Create a Sub-Server Template (notes)
    • The 'Settings for Sub-Servers' template
      • Cannot be deleted.
      • Inherits the default settings from the 'Default Settings' template, not the parent server's template.
      • Will inherit default settings from its yet to be determined parent template (from the parent virtual server / top-level virtual server / primary server that the user is part of). There is no multi-dimensional inheritance occurring.
      • Can only be used as a template for a sub-server.
      • Can be cloned.
      • If you clone this template, all the 'For use by' options are available.
      • Sub-Server templates only really work if they do not have mail and the DNS is managed by the parent, so the inheritance from the 'Default Settings' rather than the parent's template does not become an issue. When it does, you must make copies of the 'Settings For Sub-Servers' template and work on them instead of a single template for Sub-Servers.
    • These are just like a normal Server Template Except:
      • When you select use 'From default settings ', the settings are inherited from parent template (from the parent virtual server / top-level virtual server / primary server that the user is part of). There is no multi-dimensional inheritance occurring.
      • Not all categories are available (or should not be) i.e. 'Administration user'.
      • Can only be used as a template for a sub-server, unless the other types are ticked in 'For use by' and if used in one of the top level template roles, the inheritance will change its source from the parent template to the 'Default Settings' template.

Account Plans

  • How to Setup a New Account Plan in Virtualmin | Hostwinds - What is an Account Plan in Virtualmin? Like packages in cPanel, Account Plans allow you to customize specific settings a user has access to based on their assigned plan.
  • Create an Account Plan (notes)
    • These control things like: Permissions, Features, Bandwidth and Disk Quotas.
    • Is equivalent to cPanel Packages + features if they were combined.
    • There are some issues with layout and settings matching between 'Edit Owner Limits' and 'Account Plans'
    • The 'Save and Apply' button will save the settings and then push them to all members of the plan.
      • This allows you to dynamically update plan members' settings without visiting each one individually.
      • This will override permissions set in Virtualmin --> Administrative Options --> Edit Owner Limits
        • 'Edit Owner Limits'
          • This is where the account stores these settings.
          • The name is a bit misleading.
    • The 'Save' button will just save the template, no changes will be pushed to members.
    • A Sub-Server cannot have an account plan assigned to it. Account Plans can only be associated with the top-level Virtual Server.
    • A Sub-Server shouldn’t have an account plan associated with it, Account Plans should only be associated with the top-level Virtual Server.
  • Settings
    • Basic plan details
      • All settings can be pushed.
      • Pushed to: Virtual Server --> Manage Virtual Server --> Edit Owner Limits --> Virtualmin limits for server owner
      • Quotas
        • Account plans confusion - Virtualmin - Virtualmin Community
        • Quota refers to disk space.
        • Quota for entire server
          • includes other users created by the domain owner, e.g. mail users homes, too. (This is implemented by setting the group quota for the domain group, which all users in the domain are a member of.)
          • My interpretation scenarios:
            1. Top-Level Server + Sub-Servers
            2. Resellers + Their Clients
        • Quota for server administrator user
          • is the quota for the domain owner account (a user quota), and will apply to website content, database content (if databases are on the same filesystem as /home), etc.
    • Allowed virtual server features
      • Most settings can be pushed.
      • Pushed to: Virtual Server --> Manage Virtual Server --> Edit Owner Limits --> Allowed capabilities and features --> Allowed features for servers
      • Some options can only be selected here and used on the creation of a virtual server
        • Administration user
        • Home directory
      • What is ‘Allowed virtual server features’
        • These settings define what services are enabled for the Virtual Servers when the ‘Account Plan’ is applied, but they can be overridden when a user utilises ‘Edit Owner Limits’, perhaps this is why the notes keep referring to default settings.
        • These are permissions. They do not enable or disable services.
      • Default available features
        • Tooltip: When this option is set to Automatic (as it is by default), new top-level virtual servers will have their allowed features set based on those initially enabled when the server is created.
        • Tooltip Translation: if the service is enabled on Virtualmin, then enable the related permissions.
    • Allowed Capabilities
      • All settings can be pushed
      • Pushed to: Virtual Server --> Manage Virtual Server --> Edit Owner Limits --> Allowed capabilities and features --> Edit capabilities for virtual servers
      • Default editing capabilities
        • Automatic
          • Tooltip: If the Automatic option is selected, limits are determined based on whether the virtual server owner is allowed to create sub-servers or not (controlled by the Limit on number of virtual servers field). If so, he will have access to all capabilities. Otherwise, he can only manage users, aliases and edit web pages.
          • Tooltip Translation:
            • If the Virtual Server Owner can create sub-servers, enable everything, and if not, only enable:
              • Can manage aliases
              • Can Manage users
              • Can change domains password
            • He can also edit web pages.
          • Basic Questions on VirtualMin,WebMin,UserMin - #6 by JosephV - Help! (Home for newbies) - Virtualmin Community
            • This is an old post but might still be true, in the sense that above happens and then these tests are applied to then reduce functionality.
            • What “Automatic” means in that case is that it tries to determine what you’d want, based on other limits that are setup throughout the Server Templates and Account Plans.
            • For example, there’s a capability called “Can manage aliases?”.
            • Just above that in the Account Plan details, is an option named “Limit on number of aliases”. If the limit was set to 0 (meaning there are no aliases allowed), the “Automatic” setting would assume that the Virtual Server owner isn’t allowed to manage aliases, and won’t display the option.
            • That’s just one simple example – there’s similar options scattered around the Server Templates and Account Plans.
        • Explain some options in Account Plans - Virtualmin - Virtualmin Community
          • Administration user
            • They’ll have a Virtualmin login that can manage the website(s) associated with the account.
          • Home directory
            • Exactly what it sounds like. They’ll have a home directory, which is necessary for serving any kind of web content or application or accepting mail or pretty much anything else.
          • Realistically, you pretty much always want both to be enabled, for any normal use of Virtualmin. Aliases don’t need/get either, and I’m guessing that’s kinda where the variability comes from.

Backup, Restore and Migrations

  • Backup and Restore
    • How to setup automatic MySQL database backups with Virtualmin - Virtualmin has an essential feature that can be used to enable automatic database backups. This tutorial shows how to enable weekly backups with Virtualmin.
    • Backup Virtual Servers: Download Via Link - #3 by cyberndt - Virtualmin - Virtualmin Community
      • Q: The option “Download Via Link” creates the backup and gives you a link for that download. I am asking where is the backup stored on the server? Does it get created in an directory? or, is it only a /tmp file?
      • A: it’s in the directory /tmp/.webmin/ until the link is clicked then it’s erased
    • Backup and Restoration – Virtualmin - Virtualmin provides multiple tools to help you keep good backups automatically. The first step after any installation of Virtualmin should probably be thinking about your backup procedures and setting up Virtualmin to automate those procedures for you.
    • Backup and restore (CLI) – Virtualmin - Virtualmin has the ability to backup and restore virtual servers either manually or on a set schedule, using the web interface. However, you can also use the command line programs listed below to make backups. This can be used for doing your own migration to other systems or products, or manually setting up custom backup schedules for different servers.
    • Backup and Restore for Webmin-Virtualmin VPS | Full Circuit | Elegant Solutions to Difficult Problems - How to backup and restore a website VPS using free Webmin/Virtualmin with s3cmd and Amazon S3 storage.
    • Backup Configuration Files | Webmin
      • Webmin --> Backup Configuration Files
      • Most Webmin modules work by editing configuration files on your system. Each module knows which configuration files it manages, and what commands need to be run to activate them. Not all modules actually deal with config files though - for example, the Database Server modules work by executing SQL commands. As such, it cannot participate in the configuration backup process.
      • The Backup Configuration Files module can collect information about config files from other modules, and create and restore backups containing some or all of those files. It is designed for saving the configuration of a single system, but not for migrating configs from one server to another - that would be far more complex.
    • Google Drive backups - #3 by apt_virtualmin - Help! (Home for newbies) - Virtualmin Community
      • rclone example:
        rclone sync /your-local-backup-dir gdrive:/your-google-drive-path/
      • Virtualmin Pro supports Google Drive natively.
    • Follow symlinks when making backup - Virtualmin - Virtualmin Community
      • Q: Is it possible to set up the Backups module of Virtualmin to follow symlinks? I have part of my web site pointing to a mounted drive via a symlink and currently it doesn’t follow and backup those files.
      • A:
        • Virtualmin uses tar to make backups. By default, tar does not dereference symbolic links, meaning it archives the link itself rather than the file or directory it points to.
        • Luckily, you can change this behavior by passing to tar additional -h or --dereference option with
          • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Backup and restore --> Additional parameters to tar command
  • Setting Locations
  • Backup File
    • Where are the SQL files?
      • The databases are in the root of the archive and have a file extension starting with COM_MYSQL_ and a format of COM_MYSQL_MYDBNAME
  • etckeeper
  • Migrations
  • Databases
    • Webmin --> Servers --> MariaDB Database Server --> Backup Databases
      • Click this button to setup the backup of all MariaDB databases, either immediately or on a configured schedule.
      • There is a configuration page when you click this button.
  • Error: No route to host
    • This error is caused when you do not have the DNS correctly set for your server's hostname.
      Fatal Error!
      Restore failed : Failed to transfer file : Failed to connect to dev.........uk:10003 : No route to host
    • You will still get this when you have the following checkboxes selected

Networking

  • NAT
  • Change Hostname
    • Webmin --> Networking --> Network Configuration --> Hostname and DNS Client --> Hostname
    • How To Change The Hostname In Virtualmin | Hostwinds - Typically, to change your server's hostname, you'd need to login to your server via SSH and issue the hostname command followed by the new hostname. However, with Virtualmin, you can actually change the hostname by using the Hostname and DNS Client module. This article focuses on teaching you how to locate this module and change your server's hostname.
  • DNS server = 127.0.0.53 ?
  • Nameservers
    • Changing default nameservers - Help! (Home for newbies) - Virtualmin Community
      • You can edit the nameservers used by Virtualmin for new domains in:
        • Virtualmin --> System Settings --> Server Templates --> Default --> DNS Domain
      • To edit NS records for an existing domain from within Virtualmin, you’d need to go into:
        • Virtualmin --> DNS Settings -> DNS Records
      • It’s possible to make changes to all DNS records at once by using the command line tools.
        • To see the available options, you can run “virtualmin modify-dns” from the command line.
        • You’d likely need to first run a command to remove the “NS” records, and then run another command in order to add the new ones.
    • DNS Frequently Asked Questions – Virtualmin
      • Virtualmin error: 127.0.0.1 isn't listed in /etc/resolv.conf
      • How do I setup nameservers for my server?

Locations of

To save spending ages re-finding files and other things, I have made a little collection of locations here to help.

Repositories

Files

  • Webmin
    • Code/.pl/.cgi
      • /usr/share/webmin/
      • /usr/share/webmin/webmin/
    • Webserver
      • /usr/share/webmin/miniserv.pl
    • All Webmin configuration files
      • /etc/webmin/
    • Settings
      • /etc/webmin/webmin
  • Virtualmin
    • Code/.pl/.cgi
      • /usr/share/webmin/virtual-server/
    • Webmin module settings
      • /etc/webmin/virtual-server/
    • Server Templates
      • /etc/webmin/virtual-server/templates/<template_id>
    • SSL (when not in user's directories) Per-domain directory under
      • /etc/ssl/virtualmin
    • Main config file
      • /etc/webmin/virtual-server/config
    • Server Template Wizard
      • Wrapper
        • /usr/share/webmin/virtual-server/edit_tmpl.cgi
      • Individual Section Templates (this builds the forms and tables)
        • Website for domain + PHP options: /usr/share/webmin/virtual-server/feature-web.pl
        • Mail for domain: /usr/share/webmin/virtual-server/feature-mail.pl
        • Spam filtering: /usr/share/webmin/virtual-server/feature-spam.pl
      • Example modification of a Server Template option
    • Virtualmin Internal Default Holding page(s) template (eg Domain default page)
      • /usr/share/webmin/virtual-server/default/
    • Virtualmin Pro Subdirectory (Commercial Code)
      • /usr/share/webmin/virtual-server/pro/
  • Usermin
    • Code/.pl/.cgi
      • /usr/share/webmin/usermin/
    • Settings
      • /etc/usermin/
    • Webmin module settings
      • /etc/webmin/usermin/
  • Authentic Theme
    • Code/.pl/.cgi
      • /usr/share/webmin/authentic-theme/    
    • Webmin module settings
      • /etc/webmin/authentic-theme/
    • Manifest template
      • /usr/share/webmin/authentic-theme/manifest.template
    • Built manifest file
      • /etc/webmin/authentic-theme/manifest-webmin.json
  • Services
    • BIND Zone files
      • /var/lib/bind

SSL Certificates / Lets Encrypt (LE)

  • General
    • Virtualmin --> Manage Virtual Server --> Setup SSL Certificate
    • If your domain is not pointing to your Virtualmin server, then a Lets Encrypt Certificate will not be requested and it will have to be done manually later.
    • Once you have manually added a Lets Encrypt Certificate, Virtualmin will keep it updated via one of the CRONs.
    • LE Cert = Lets Encrypt Certificate.
    • How to add an SSL certificate – Virtualmin - These instructions will tell you what fields to fill in, if not already.
    • SSL and Virtualmin – Virtualmin
    • Free SSL Certificate (Lets Encrypt) – Virtualmin - This page will provide instructions for requesting a Let's Encrypt SSL certificate in Virtualmin.
    • Challenge Types - Let's Encrypt
      • HTTP-01 challenge: Validation by using your website.
      • DNS-01 challenge: Validation by DNS entries. This is required for creating wildcard certificates.
      • TLS-SNI-01: deprecated
      • TLS-ALPN-01: The challenge is done over TLS.
    • For anyone having issues with certificates expiring, you can run the following command on the server to get a list of certificates sorted by expiry date.
      virtualmin list-certs-expiry --all-domains
  • If a Lets Encrypt SSL Certificate is not created when you create a Virtual Server and you get a self-signed one instead, even though all of the settings are correct and you have had no warnings, what is the issue?
    • If your domain does not resolve to your server, you will not get a Lets Encrypt certificate because validation will fail.
    • If you do have Show Let's Encrypt error at domain creation time? you will not get any error messages about this.
    • If the LE cert fails at domain creation, then you have to manually enable it in the Virtual server after the fact, and then it will stay automatic
  • Enable Wildcard for a domain
    • Virtualmin --> Web Configuration --> Website Options --> Website matches all sub-domains
    • Tooltip: If the virtual server's DNS domain is hosted on this system, Virtualmin will also add the wildcard * DNS record when Yes is selected.
    • How to add a wildcard or multi-domain SSL certificate – Virtualmin
    • Let's Encrypt wildcard certificate - Virtualmin - Virtualmin Community
      • You cannot validate for a wildcard certificate without using DNS validation. And, you can’t use DNS validation if you aren’t managing DNS with Virtualmin.
      • You generally should not use wildcards. They have security implications on top of being more difficult to validate, if you’re not hosting your own DNS.
      • A website cannot be used to validate a wildcard cert with Let’s Encrypt.
  • These need to be on for Lets Encrypt Certificates to be created
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Show Let's Encrypt error at domain creation time?
      • Tooltip: When set to Yes, Virtualmin will attempt to request a valid Let's Encrypt SSL certificate for new virtual servers. This will only succeed if they have a domain name which is resolvable from outside your system, so that it can be looked up by the Let's Encrypt service.
      • This option needs to be on.
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Request Let's Encrypt certificate at domain creation time
      • Virtualmin will do (by default) a connectivity check before even requesting a SSL certificate from Lets Encrypt. This extra check can be disabled with 'Yes and skip connectivity check'.
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Create host default domain with Let's Encrypt certificate
      • This allows you to add an SSL certificate for the server's hostname (i.e. the domain name you gave to your Virtualmin server, e.g. server.example.com).
      • This feature in Virtualmin sets up a default domain with your hostname. This domain is hidden and doesn't serve any special function. It's there to improve your experience by ensuring you can log into Virtualmin with a valid SSL certificate right after installation.
      • Virtualmin --> System Settings --> Re-Check Configuration
        • This is required to apply any changes of the `Create host default domain with Let's Encrypt certificate` option.
      • Options
        • Yes, and keep visible = A virtual server will appear in your list of virtual servers and stay there, allowing you to edit it as a normal virtual server.
        • Yes = This just presents the domain while it is doing the Let's Encrypt SSL handshakes and then hides it again.
      • You can actually use any virtual server and the correct port to access Virtualmin, using that Virtual Server's SSL certificate so you do not actually need a real SSL on your hostname.
      • How to get LE certificate for the now hidden host? - Virtualmin - Virtualmin Community
      • Let's Encrypt certificate for Virtualmin host itself? [SOLVED] - #2 by calport - Webmin - Virtualmin Community
        • Why? Just login to Webmin on the hostname of one of your Virtualmin managed domains. Webmin will use the cert for that domain name.
        • Webmin can request Let’s Encrypt certs for itself in Webmin the Webmin SSL configuration page, but it’s trickier, since it has less certainty about how things are setup than Virtualmin does.
        • create a virtual server with the hostname of the Virtualmin server
          • I think this is automatically done during Virtualmin installation, if it can be done and the hostname resolves. (This automatic domain is a “free” domain for Pro users. And it can’t have mail, for some technical reasons that are the same reasons we tell people don’t name your server the same as a domain you’ll be managing in Virtualmin.)
          • I’m ambivalent about whether this is a good feature (mostly leaning toward “not a good feature”, but Ilia and Jamie like it, so it stays). I think I prefer keeping things simple and just using Virtualmin domain names to login to Virtualmin. Then you don’t have to ever think about the name of the server itself…which is mostly irrelevant.
  • http needs to be available for your first LE certificate (maybe not anymore)
    • The reason is that if you do not have a valid SSL certificate and you have enforced https by using HSTS or rewrite then Lets Encrypt will fail the process.
    • If your SSL certificate is valid/trusted, i.e. you are renewing, then HSTS or redirects (http --> https) will cause no issue as LE allows this.
    • HSTS and Let's Encrypt - #4 by schnappijedi - Server - Let's Encrypt Community Support
      • If you have that redirection in place, Let’s Encrypt will respect it and follow it. This means that you don’t need to disable the redirection to perform certificate renewals with Let’s Encrypt. A setup with HTTP → HTTPS redirection, with or without HSTS, is perfectly fine for Let’s Encrypt.
      • For the HTTP-01 validation method, Let’s Encrypt will
        • require an initial valid HTTP response on port 80
        • follow any HTTP 301 redirections, to the same or a different host, in either HTTP or HTTPS protocols
        • ignore any mismatched or expired certificates on HTTPS URIs reached as a result of such redirections
        • ignore the presence of HSTS (that is, the validation always starts with HTTP on port 80)
  • Current SSL Certificate - Buttons
    • Virtual Server --> Manage Virtual Server --> Setup SSL Certificate --> Current Certificate
    • On this page there are some buttons but they just need some clarification
    • Certificate not installed
      • Copy SSL Certificate to Services
        • Install this certificate on this Virtual Server for use by the attached services on this domain, such as email and websites.
        • If Let’s Encrypt is enabled, Virtualmin will automatically install the certificate for you.
        • The description text implies the certificate will only be used for Dovecot, however after reading the options when the certificate is installed, I think this text needs updating.
      • Set as Default Services Certificate - Install this certificate as the Virtualmin Server Default SSL certificate.
    • Certificate installed
      • Remove SSL Certificate from Services - As the description says, it will remove the certificate from all services it has been installed into.
      • Set as Default Services Certificate - As above.
    • Links

Virtual Servers

General

  • Can a Sub-Server Be Created at Top Level? - Virtualmin - Virtualmin Community
    • You can convert a sub-server into a top-level domain.
    • I’m not sure I understand what you’re describing, but I’ll mention the following two things that may be useful to keep in mind when migrating from cPanel:
      • Subdomains are just names in Virtualmin. It doesn’t care. A name is a name. sub.domain.tld can be a top-level domain, or it can be a sub-server of domain.tld or it can be a sub-server of some other domain.tld. It doesn’t matter, it’s a name.
      • Sub-servers are about ownership in Virtualmin. That’s it. A sub-server is owned by some other top-level domain account and lives in a subdirectory within that user’s home (this is a compromise, but it’s to ease administration, permissions, and backups). A subdomain has no technical reason to be a sub-server, and there is no limit on what you can name a sub-server (unless you impose one with configuration).
  • How to Change Virtual Server Owner’s Password | Virtualmin — Open Source Web Hosting Control Panel
    • Virtualmin --> Edit Virtual Server --> Configurable settings --> Administration password

Creating

Moving and Renaming (on server)

  • General
    • When you move a Virtual Server, the files are moved as well.
  • Sub-domain account type
    • Sub-domains accounts are not sub-servers. They are only created when you import a cPanel archive (by design) and are not the preferred method.
    • Virtualmin for cPanel Users – Virtualmin
      • cPanel is an old, but still very popular, webserver administration tool. Since many new Virtualmin users have only experienced system administration through cPanel, they may find some terms and concepts in Virtualmin new or confusing. This short guide will attempt to point out a few of the gotchas that we've found most commonly trip up former cPanel users trying out Virtualmin for the first time.
      • cPanel has a type of domain account called a "sub-domain", which creates a new virtual host that only provides web service and puts the content into a subdirectory of the document root of the parent domain.
    • Sub-server like a Top-level server - #2 by tabletguy - Help! (Home for newbies) - Virtualmin Community
      • sub-domain account types are deprecated, and were never a good idea…we added them to make a few cPanel users more comfortable, but it confused everybody else
  • Default Sub-domains/Alias
    • When you create a virtual server the following 'sub-domains' are created:
    • These do not count towards your domain limits.
  • Sub-Servers
    • These allow you to add sub-domains or other domains under one Webmin account while maintaining a completely different hosting environment for each of them.
    • cPanel sub-domains all share the same hosting environment.
    • How to create a sub-server – Virtualmin
      • This tutorial will cover how to create a sub-server, allowing for a second domain to be setup within a given Virtual Server account.
      • A sub-server is also the recommended way to create a sub-domain website that is owned by the parent domain. Sub-servers are not limited to sub-domain names, but they work well for hosting sub-domains.
  • Change Domain Owner / Rename Domain
    • You can promote between parent and sub-server
    • You can move a sub-domain between owners
    • Sub-servers share their DNS with their parent. This reduces duplication of DNS records by having a single DNS Zone.
    • Changing the owner's username, this can be done at
      • Virtualmin --> Manage Virtual Server --> Change Domain Name.
    • Transferring a sub-server to another parent top-level server, this can be done at
      • Virtualmin --> Manage Virtual Server --> Move Virtual Server.
      • This page allows you to convert this top-level server into a sub-server under an existing domain.
    • Convert a sub-server to parent
      • Virtualmin --> Manage Virtual Server --> Move Virtual Server
      • Select Convert to parent, and it will…convert the sub-server to a parent (non-sub-server) virtual server
      • This option might only appear when you have at least one sub-server.

Restrictions

  • General
    • Limit what a Server owner can access and configure - Help! (Home for newbies) - Virtualmin Community
      • Account Plans
        • Virtualmin --> System Settings --> Account Plans
        • There’s a number of screens in there that allow you to tweak what exactly a user has access to when you create a Virtual Server for them.
        • You could also make different Account Plans – one with certain options disabled, and another with all those options enabled.
      • SSH
        • As far as SSH goes – the key there would be to make sure users who should not have SSH access don’t have a login shell.
        • To disable SSH by default, you can go into System Customization -> Custom Shells, and look for the shell where both “Admin” and “Default” is set. Chances are, that shell is “/bin/bash” or perhaps “/bin/sh”.
        • Uncheck “Default”, look for the “/bin/false” shell, and make sure it has “Admin” and “Default” checked. This will prevent SSH logins by default.
        • *** You just forgot to mention that I had to check “Enable” in the new custom shell but it was clear anyway
      • Modules
        • Q: everything below the webmin modules is still active. can i disable these for specific server owners?
        • A: Those are configurable within the Server Template
          • Virtualmin --> System Settings --> Server Templates --> Default -> Administrators Webmin modules.
  • Limit Bandwidth / Bandwidth Monitoring
    • Bandwidth Monitoring | Webmin - The Bandwidth Monitoring module can be used to create simple reports on bandwidth usage by port, host, protocol and time for traffic sent from or routed through your system. It is useful for both stand-alone hosts, and those that act as a gateway (possibly with NAT) for a network. Before it can be used, the module must setup several firewall rules and a syslog entry to capture traffic sent and received via your system.
    • Bandwidth monitoring and limits are extremely resource intensive, by necessity. It has to deal with every packet in and out of the system, so it requires some extra CPU and disk space to work.
    • The Pro version has a feature to email users/clients when certain limits are reached.
    • Enable Bandwidth monitoring
      • Virtualmin --> System Settings --> Bandwidth Monitoring
        • Bandwidth monitoring active: Yes
        • Disable servers that exceed limit: Yes
        • Re-enable servers that fall below limit: Yes
        • NB: This page can be used to enable bandwidth accounting for virtual servers, to notify server owners and the master administrator when a server exceeds its allowed bandwidth.
      • To change the bandwidth quota
        1. Log into the control panel (as root)
        2. Choose the Virtual Server in question from the select list
        3. Virtualmin --> Edit Virtual Server --> Quotas and limits --> Bandwidth limit
          • NB: this will only appear if you have Bandwidth monitoring enabled.
    • Bandwidth Usage
      • This will show the bandwidth usage per domain, per day
        • Virtualmin --> Logs and Reports --> Bandwidth Graph
  • Disk Quotas
    • Disk quotas are enforced in the GPL version as well as Pro.
    • To change the disk quota
      • Log into the control panel (as root)
      • Choose the Virtual Server in question from the select list
      • Virtualmin --> Edit Virtual Server --> Quotas and limits --> (Total server quota | Server administrator's quota)
  • Edit Resource Limits (Pro only)
    • Virtualmin Professional - Resource Limits | Virtualmin
    • Limited Ressources for customers - Help! (Home for newbies) - Virtualmin Community
      • Q: Is there a solution how i can set the maximum cpu usage or memory for users?
      • A:
        • Virtualmin --> Manage Virtual Server --> Edit Resource Limits
        • You can tweak options for the maximum number of processes, process size, and CPU time.
        • What I believe it does is tweak /etc/security/limits.conf, which is something you can do manually as well. That’s an OS thing, not a Virtualmin thing.
    • How to set CPU & Memory limits for Virtual Servers (PRO)? - Help! (Home for newbies) - Virtualmin Community
      • just purchased the Pro version of Virtualmin and based on Googling was hoping to be able to limit user’s CPU and Memory usage. I can’t seem to find any of the options, so my question is… where can I find the options to limit how much CPU & Memory each Virtualmin user can consume?
      • Virtualmin --> Manage Virtual Server --> Edit Resource Limits --> Resource Limits
      • Q: Is there anything else I should / could check in order to activate the feature?
      • A:
        • In order to have this feature displayed:
          1. You need to be a master admin
          2. Your OS type should be set correctly as linux on Webmin config (cat /etc/webmin/config | grep os_type)
          3. There should be a file on your system called /etc/security/limits.conf, meaning the package libpam-modules must be installed
          4. You must be able to edit a domain and a domain must have a correspondent unix user (can be checked in a domains configs under /etc/webmin/virtual-server/domains by finding the domain config file and checking for unix=1 option).
        • All of this is the case of default installation. If you’re missing something try to remember what you have changed manually.
        • Also check that your Pro install went correctly. Check that you have a file edit_res.cgi under /usr/share/webmin/virtual-server/pro directory.
        • Ok, thanks! The last part revealed I didn’t complete the upgrade process. I thought it would be enough just to add the licence via terminal. Googled a bit more and found that I had to run the upgrade process via Virtualmin admin!
    • Does Virtualmin have limit CPU cores or CPU percent and RAM usage for each Account Plans? - Virtualmin - Virtualmin Community
      • khanhpkvn
        • Q: I have the (Virtualmin --> Manage Virtual Server --> Edit Resource Limits) menu. But "Edit Resources Limits" does not have CPU Core limits, it only has CPU "Number of processes". I want to able to limit CPU Cores/CPU Percent Usages and RAM per Account Plans.
        • A:
          • We use pam_limits (limits.conf) for these features, which do not have that sort of capability. cgroups can do it (sort of, though it also doesn’t think of CPU limits the way humans do), but we don’t yet have that support in Virtualmin. It’s on the todo list, but for now, there are a few ways you can have applied equally to all users, or based on a secondary group.
          • If you want all domains to have the same limits, the templates example at the bottom of this would be pretty quick to implement:
          • If they need to be different and selected at creation time or when moving from one account plan to another, it’d take either a little bit of scripting in a Server Templates post-update script, or just adding a secondary group (in Administrative user->Add domain owners to secondary group) and then setting up a group for each size, would work, I think. Since Account Plans can select the Server Template to use, this could make it all handled via choosing an Account Plan.
          • At least, I think setting it up with one group per “size” would work. I haven’t tried and the docs aren’t clear if every user in the group shares the same group limit or if they each get their own pool of resources. I need to read up some more, as I think we’d like to try to get it supported by Virtualmin 8, now that all of our supported distros have systemd (which, realistically, is required for cgroups support…theoretically one could use cgroups without it, but it’d be complicated to DIY a solution, I think).
    • What happens when updating from GPL to Pro to a server with ~30 domains? Pro has limit to 10 domains. - Virtualmin - Virtualmin Community
      • yngens
        • I just need to limit CPU and RAM consumption for couple of too much aggressive virtual servers
      • Eric
        • Ah, you can actually do all that on a system running Virtualmin GPL – you would just need to update the config file manually.
        • The settings that Virtualmin Pro edits for CPU and RAM usage are located in /etc/security/limits.conf.
        • Virtualmin Pro offers a GUI which allows you to set the cpu, rss, and nproc parameters… though there’s a number of additional parameters in there that you can tweak.
        • You can see some examples at the top of the limits.conf file, and some additional examples by running “man limits.conf”.
        • The CPU and RAM limits you can set are per-process though, and not per Virtual Server.
      • yngens
        • if I am not mistaken ‘/etc/security/limits.conf’ regulates resource usage time, not their power. I can’t set, for example, 20% of CPU and RAM consumption per virtual server.
      • Eric
        • No, those settings don’t allow you to set a specific percentage of the CPU or RAM that can be used for a given Virtual Server.
        • Those parameters each affect one specific process – so you can say how large a process a given user may create, or how much CPU time that process can use.
        • But, you can’t say “User N can use 20% of the CPU”.
        • Normally to achieve that sort of control, you’d look into separating a given user’s processes into a VPS, which can be more easily managed.
        • That said – there’s a new Linux kernel feature called cgroups which allows more functionality in that regard… it may be worth exploring the use of that in Virtualmin. It would take some time before that feature were supported, but we should probably take a look at that and see if it might be relevant for solving this particular problem :slight_smile:
        • However, you could always look into setting that up manually in the meantime. You can read about cgroups here: cgroups - Wikipedia
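The forum answer above lists what must be in place before the Pro "Edit Resource Limits" page appears. The following is an added example, not code from the original page or from Virtualmin, that checks the file-based items on that list. The function name, the optional ROOT prefix argument and the lookup of the domain file by a `dom=` line are assumptions; the "master admin" condition is not checked because it is not a file.

```shell
#!/bin/sh
# Added example: file-based prerequisites for "Edit Resource Limits" (Pro).
# Usage: check_resource_limits_prereqs DOMAIN [ROOT]
#   DOMAIN  virtual server domain name to check
#   ROOT    hypothetical path prefix (default: empty, i.e. the live system),
#           so the check can also run against a copied or constructed tree.
# Prints one OK/FAIL line per check; returns non-zero if any check failed.
# The body runs in a subshell so its variables do not leak into the caller.
check_resource_limits_prereqs() (
    domain=$1
    root=${2:-}
    failures=0

    report() {  # report STATUS MESSAGE
        printf '%-4s %s\n' "$1" "$2"
        [ "$1" = OK ] || failures=$((failures + 1))
    }

    # OS type recorded by Webmin must be a Linux type.
    cfg="$root/etc/webmin/config"
    if grep -Eq '^os_type=.*linux' "$cfg" 2>/dev/null; then
        report OK "os_type in $cfg is a Linux type"
    else
        report FAIL "os_type in $cfg is missing or not a Linux type"
    fi

    # pam_limits configuration file must exist.
    limits="$root/etc/security/limits.conf"
    if [ -f "$limits" ]; then
        report OK "$limits exists"
    else
        report FAIL "$limits is missing"
    fi

    # The domain must have a corresponding Unix user (unix=1).
    # Assumption: the per-domain file carries a "dom=<name>" line.
    domdir="$root/etc/webmin/virtual-server/domains"
    domfile=$(grep -lxF "dom=$domain" "$domdir"/* 2>/dev/null | head -n 1)
    if [ -z "$domfile" ]; then
        report FAIL "no domain config for $domain found in $domdir"
    elif grep -qx 'unix=1' "$domfile"; then
        report OK "$domain has unix=1 in $domfile"
    else
        report FAIL "$domain has no unix=1 in $domfile"
    fi

    # The Pro code must actually be installed.
    cgi="$root/usr/share/webmin/virtual-server/pro/edit_res.cgi"
    if [ -f "$cgi" ]; then
        report OK "$cgi exists"
    else
        report FAIL "$cgi is missing (Pro upgrade not completed?)"
    fi

    [ "$failures" -eq 0 ]
)

# On a live server (as root):  check_resource_limits_prereqs example.com
```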

Importing from cPanel

  • Migration from cPanel to Webmin/Virtualmin - Interserver Tips - Virtualmin can import the accounts from cPanel by taking the complete cPanel backup file including all mailboxes, databases, contents,.. etc. This kind of migration process is much faster than others but need a special attention because some of the features of Webmin is not enabled automatically when you migrate the site. The site will work after migration but need to enable special features that only specified by the Webmin with care and testing. To copy or transfer all the services from cPanel to Virtualmin, first of all we need to take the fresh backup of them. We can generate the full cPanel backup by using the following steps:
  • Virtualmin for cPanel Users – Virtualmin - This short guide will attempt to point out a few of the gotchas that we've found most commonly trip up former cPanel users trying out Virtualmin for the first time.

Servers / Services

General

Apache (HTTP)

  • General
  • HTTP/2
    • HTTP/2 is enabled by default in Virtualmin
    • The HTTP protocols are:
      Defined here: /etc/apache2/mods-available/http2.conf
      Defined as: Protocols h2 h2c http/1.1
    • Webmin --> Servers --> Apache Webserver --> Global configurations --> Configure Apache Modules --> http2 = enabled
    • Virtualmin --> Web Configuration --> Website Options --> Enable HTTP2 protocol support = Default (Yes)
    • Virtualmin, Webmin and Usermin do not run under Apache or Nginx. They use miniserv.pl, and this does not have HTTP/2 support.
  • Common Errors
    • Ubuntu default holding page is shown
      • Fix
        • Complete the Virtualmin setup process
        • Create at least one virtual server in Virtualmin.

    • 403 Forbidden
      • Fix = Create an index.html or other viable index file.

    • Virtualmin Holding page is shown
      • Fix = Add some content into the virtual server.
    • 503 Service Unavailable
      • A Scenario
        • When I created a new virtual server (example.com) and then a sub-server (testest.example.com), this broke some of my other sites and they gave me the 503 error.
      • Solution
        1. Webmin --> System --> Bootup and Shutdown (Systemd)
        2. Make sure the relevant PHP services are set to 'Start at boot'.
        3. Restart the affected PHP services even if they say they are running.
        4. If the above does not work, consider rebooting the whole server.
      • Links
        • Apache 503 error - Here's how we nailed it
          • Apache 503 error means the server was temporarily unable to handle the website request. Service becomes unavailable due to wrong Apache, PHP settings.
          • Includes diagnostic steps.
        • Website gives 503 error when VPS is restarted - #8 by tpnsolutions - Help! (Home for newbies) - Virtualmin Community
          • Are you running multiple versions of PHP?
          • If so, it might be a different version of PHP-FPM that you need to restart.
          • The issue was simply this: both services related to FPM (php-fpm.service and rh-php72-php-fpm.service) were not enabled by default on systemd. So I have simply enabled them and now I can reboot the VPS without any problems.
          • Even if the service appears to be “up” it looks like it’s become defunct.
          • Restarting the php-fpm does nothing, only saving php options (without changing anything) solves the problem. So there is something else on the saving php script that does the trick, but I don’t know what.
  • 'Options +FollowSymlinks' causes 500 error
    • Don't enable FollowSymlinks
      • This is insecure in shared hosting.
      • SymLinksIfOwnerMatch is more secure: it follows symlinks like FollowSymlinks does, but only when the link and its target have the same owner.
      • FollowSymlinks will cause 500 errors in Virtualmin because the default Apache directives disable overriding this setting via .htaccess files.
      • followsymlinks on apache why is it a security risk - Server Fault
      • Server templates not properly applied · Issue #749 · virtualmin/virtualmin-gpl · GitHub
        • So the change from FollowSymLinks to SymLinksIfOwnerMatch is intentional as a security measure - otherwise, the owner of one domain could create a symlink to files in another domain's directory that are not normally accessible via the web, and make them accessible. The owners check prevents this.
      • Joomla 3.0 htaccess: Options +FollowSymLinks
        • FollowSymLinks is a vulnerability by itself on shared hostings, as it does NOT check for owners and thus allows customers to access any part of the system, including other accounts on the same server. It thus is / should be disabled by now on most hosting panels.
        • The new Apache2 directive to use is: Options +SymLinksIfOwnerMatch
    • Joomla
      • If this is enabled in your Joomla's .htaccess file, on Virtualmin, this will stop your website working, so change your file as follows:
        Options +FollowSymlinks
        
        -->
        
        #Options +FollowSymlinks
        Options +SymLinksIfOwnerMatch
    • General
  • Symlink directives - location and purpose
    • The Apache directory options are controlled in the Virtualmin GUI here:

      • Virtualmin --> Web configuration --> Configure Website / Configure SSL Website --> Document Options
      • Webmin --> Servers --> Apache Webserver --> Virtual Server --> Document Options
    • Webmin --> Servers --> Apache Webserver --> Global configuration --> Edit Config Files
      • This directive file is loaded by all virtual hosts before their specific directive file.
      • The 'AllowOverride None' directive disables the use of .htaccess files in this directory.
      • This is the 'Directives For default server'
        # Sets the default security model of the Apache2 HTTPD server. It does
        # not allow access to the root filesystem outside of /usr/share and /var/www.
        # The former is used by web applications packaged in Debian,
        # the latter may be used for local directories served by the web server. If
        # your system is serving content from a sub-directory in /srv you must allow
        # access here, or in any related virtual host.
        <Directory />
            Options FollowSymLinks
            AllowOverride None
            Require all denied
        </Directory>
        
        <Directory /usr/share>
            AllowOverride None
            Require all granted
        </Directory>
        
        # Note: this might be to allow Virtualmin to work with allowing clients to use this
        <Directory /var/www/>
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        
        #<Directory /srv/>
        #	Options Indexes FollowSymLinks
        #	AllowOverride None
        #	Require all granted
        #</Directory>
    • Webmin --> Servers --> Apache Webserver --> Existing virtual hosts --> Type: 'Default Server' --> Show Directives
      • The server configuration by default has 'FollowSymLinks' disabled and it cannot be overridden in an .htaccess file.
      • Edit the 'Directives For default server' and you will see
        <Directory />
         Options FollowSymLinks                                    /etc/apache2/apache2.conf (160)
         AllowOverride None                                        /etc/apache2/apache2.conf (161)
         Require all denied                                        /etc/apache2/apache2.conf (162)
        </Directory>
    • Virtualmin --> pick a domain --> Web Configuration --> Configure Website / Configure SSL Website --> Edit Directives
      • This directive allows SymLinksIfOwnerMatch and is read after the default apache directives.
        <Directory /home/example/public_html>
            Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
            Require all granted
            AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        </Directory>
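
An added example, not part of the original notes or of Virtualmin: POSIX shell functions that find .htaccess files still enabling FollowSymLinks and apply the Joomla change shown above. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Virtualmin code). Function names are illustrative.

# List every .htaccess below DIR ($1) that has an active "Options" line
# enabling FollowSymLinks. Commented-out lines and "-FollowSymLinks"
# (which disables the option) are ignored. Option names are matched
# case-insensitively, so "FollowSymlinks" is caught too.
find_followsymlinks() {
    find "$1" -type f -name .htaccess -exec awk '
        { sub(/\r$/, ""); l = tolower($0) }    # tolerate CRLF files
        l !~ /^[ \t]*#/ && l ~ /^[ \t]*options[ \t]/ &&
            l ~ /[ \t][+]?followsymlinks([ \t]|$)/ { found = 1 }
        END { if (found) print FILENAME }
    ' {} \;
}

# Apply the change to one file ($1): keep the old line as a comment and swap
# FollowSymLinks for SymLinksIfOwnerMatch. The "+" or no-sign style of the
# line is kept, because Apache rejects a mix of signed and unsigned options.
# The original is saved as FILE.bak; CRLF line endings become LF.
fix_htaccess() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        { line = $0; sub(/\r$/, "", line); l = tolower(line) }
        l !~ /^[ \t]*#/ && l ~ /^[ \t]*options[ \t]/ &&
            match(l, /[ \t][+]?followsymlinks([ \t]|$)/) {
            # position of the option name itself (14 characters long)
            p = RSTART + index(substr(l, RSTART), "followsymlinks") - 1
            print "#" line
            line = substr(line, 1, p - 1) "SymLinksIfOwnerMatch" substr(line, p + 14)
        }
        { print line }
    ' "$1.bak" > "$1"
}

# Constructed sample tree for trying the functions without touching /home.
make_sample_tree() {
    mkdir -p "$1/joomla/public_html" "$1/fixed/public_html" "$1/off/public_html"
    printf 'Options +FollowSymlinks\nRewriteEngine On\n' \
        > "$1/joomla/public_html/.htaccess"
    printf '#Options +FollowSymlinks\nOptions +SymLinksIfOwnerMatch\n' \
        > "$1/fixed/public_html/.htaccess"
    printf 'Options -FollowSymLinks -Indexes\n' \
        > "$1/off/public_html/.htaccess"
}

# Usage on a server:  find_followsymlinks /home
#                     fix_htaccess /home/example/public_html/.htaccess
```

Run `fix_htaccess` as the domain's own Unix user rather than root, so a file swapped for a symlink cannot redirect the write. Apache's documentation notes that the owner check is subject to race conditions, so file permissions between accounts still matter.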

Nginx

I have not used this.

ProFTPd (FTP)

  • General
    • FTPeS, FTPS, Explicit FTP over SSL/TLS - General Discussion - Virtualmin Community
      • Describes where to enable 'FTP over SSL/TLS' in many different software packages.
      • Gives a list of the different names that have been assigned to 'FTP over SSL/TLS'.
    • Security Questions – Virtualmin
      • How can I prevent FTP Users from Browsing the Entire Filesystem?
        • If you want to limit the ease of which an FTP user can browse the server, you can setup FTP directory restrictions in Limits and Validation -> FTP Directory Restrictions. That would allow you to lock an FTP user into their home directory.
        • Note that this only prevents an FTP user from browsing the system, there are other ways in which a user can do the same thing.
        • Virtualmin --> Limits and Validation -> FTP Directory Restrictions
      • How can I prevent other types of users from browsing the entire filesystem?
        • On Linux/UNIX-based systems, users can browse to any file or directory they have permission to view.
        • That means any file or directory setup as world readable is visible to your users. In general, this is not a problem. The private data of other users is not something your users can browse by default.
        • Linux and UNIX systems weren't designed to act as jails, completely hiding one user from another.
        • Files that aren't okay for your users to see aren't made world readable.
        • Even if you were to jail an FTP user into their home directory, a web-based file manager would allow that user to browse world readable files on your server, since they still have permission to access them.
      • I just setup my server, and installed Virtualmin. Are there any steps I can take to improve the server security?
    • ProFTPD: FTP and SSL/TLS - Config examples for TLS on ProFTPd.
  • FTP user home directory restrictions
    • By default Owner's accounts are restricted to the root of their home directory, but this can be changed by updating a permission.
      • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Server administrator permissions --> Can select home directories for users
      • If enabled, the domain owner can choose to give users a different home directory than the default. It may be useful if domain owners can install additional services, like an application server (i.e. Zope, Webrick, etc.), and they'd like to be able to use a different user for the app server. Generally, only users that have a relatively high level of trustworthiness will need this kind of flexibility.
    • Secondary FTP users can either be locked to the owner's home root directory or to a specified subdirectory.
      • Virtualmin --> Edit Users --> Add a website FTP access user --> Quota and home directory settings --> Home directory:
    • Control home directories, directly with ProFTPd
      • Webmin --> Servers --> ProFTPd Server --> Files and Directories --> Limit users to directories:
      • I don't know how this differs from the options above, but here it is anyway. Perhaps if I made changes with the above options then those would be reflected on this page.
  • Force TLS on FTP
    • There is currently no option in the GUI to enable this, but it can be done by modifying the config files.
    • ProFTPd - Add GUI option to enforce TLS/FTPS easily · Issue #2045 · webmin/webmin · GitHub - Reported on GitHub
    • Solution
      • Edit the config file - Webmin --> Servers --> ProFTPD Server --> Edit Config Files --> Editing config file: /etc/proftpd/conf.d/virtualmin.conf
      • Enforce TLS by changing:
        TLSRequired off --> TLSRequired on
      • Optionally, add the following to declare which TLS protocols are allowed. Add this just below 'TLSRequired'. They have to be installed on the system to work. The example below is just to give you context; you probably only want TLSv1.2.
        TLSProtocol TLSv1 TLSv1.1 TLSv1.2
      • Save the config.
      • Apply the changes (this will restart the ProFTPD service).
  • Connection Issue - Status: Server sent passive reply with unroutable address. Using server address instead.
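
For the 'Force TLS on FTP' steps above, an added example (not Webmin or Virtualmin code) that checks a ProFTPD config file for the two directives being changed. The function names and both sample files are constructed; only TLSRequired and TLSProtocol are inspected.

```sh
#!/bin/sh
# Added example (not Webmin/Virtualmin code). Checks the two directives the
# notes above change: TLSRequired and TLSProtocol.

# Prints one line per finding for config FILE ($1); returns 0 when TLS is
# enforced and no deprecated protocol is listed, 1 otherwise.
check_proftpd_tls() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "tlsrequired" {
            seen = 1
            if (tolower($2) != "on")
                notreq = (notreq == "" ? $2 : notreq " " $2)
        }
        tolower($1) == "tlsprotocol" {
            for (i = 2; i <= NF; i++) {
                p = $i
                if (p ~ /^-/) continue      # "-TLSv1" style removes a protocol
                sub(/^[+]/, "", p)
                if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    weak = (weak == "" ? p : weak " " p)
            }
        }
        END {
            if (!seen)        { print "FAIL TLSRequired is not set"; bad = 1 }
            if (notreq != "") { print "FAIL TLSRequired is: " notreq " (want: on)"; bad = 1 }
            if (weak != "")   { print "FAIL TLSProtocol allows deprecated: " weak; bad = 1 }
            if (!bad) print "OK TLSRequired on, no deprecated protocol listed"
            exit bad + 0
        }
    ' "$1"
}

# Constructed samples: the settings before and after the change described above.
write_sample_confs() {
    printf '%s\n' '<IfModule mod_tls.c>' 'TLSEngine on' 'TLSRequired off' \
        'TLSProtocol TLSv1 TLSv1.1 TLSv1.2' '</IfModule>' > "$1/before.conf"
    printf '%s\n' '<IfModule mod_tls.c>' 'TLSEngine on' 'TLSRequired on' \
        'TLSProtocol TLSv1.2' '</IfModule>' > "$1/after.conf"
}

# Usage on a server:  check_proftpd_tls /etc/proftpd/conf.d/virtualmin.conf
```

After applying the change, `openssl s_client -connect HOST:21 -starttls ftp` confirms the handshake from the client's side.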

PHP

MultiPHP
  • Installing additional versions (Virtualmin)
    • When you install a newer version of PHP-CLI this will change the system default PHP to this new version and you will need to manually change it back using a command such as update-alternatives if required.
    • When you remove the system default PHP-CLI, the highest remaining PHP version will become the new system default.
    • Multiple PHP Versions – Virtualmin
      • Managing and installing multiple PHP versions.
      • Adding another PHP version is outlined on this page.
        LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php && apt-get update
        
        apt-get install php8.1-{cgi,cli,fpm,pdo,gd,mbstring,mysqlnd,opcache,curl,xml,zip}
    • My Upgraded commands (use these)
      • Install additional PHP versions with all the required modules
        ## Suitable for Joomla, WordPress (Required + Highly Recommended + Fallback + Cache) and General Hosting
        apt-get install php8.1-{cli,fpm,opcache,common,bcmath,bz2,curl,gd,imagick,imap,intl,ldap,mbstring,mysql,readline,soap,tidy,xml,xmlrpc,zip}
      • Install all of my recommended PHP modules to all of the installed versions of PHP. This is a good way to make sure all the versions have the same modules.
        for php in $(ls /etc/php); do sudo apt-get install -y "php$php-"{cli,fpm,opcache,common,bcmath,bz2,curl,gd,imagick,imap,intl,ldap,mbstring,mysql,readline,soap,tidy,xml,xmlrpc,zip}; done
    • PHP Interpreters
      • php8.1-cli
        • Command interpreter, useful for testing PHP scripts from a shell or performing general shell scripting tasks
        • If you want to run PHP from the terminal or SSH, then this is needed.
        • This should be installed unless there is a specific reason not to.
      • php8.1-cgi (not currently in my list)
        • Common Gateway Interface
        • By default, PHP is built as both a CLI and CGI program, which can be used for CGI processing. If you are running a web server that PHP has module support for, you should generally go for that solution for performance reasons. However, the CGI version enables users to run different PHP-enabled pages under different user-ids.
        • This is the slowest mode to run PHP in.
        • Allows CGI apps to run in the cgi-bin folder.
        • This is a legacy service and should not be installed unless you need it.
      • php8.1-fpm
        • FastCGI Process Manager, optimizing request handling.
        • This will install both PHP-FPM and FastCGI.
          • FastCGI
            • Currently this will not run FastCGI apps because this feature is not configured
          • PHP-FPM
            • This is the fastest mode to run PHP
            • This is the recommended standard for running PHP.
            • Will not run CGI apps.
    • Extensions Explained
      • Cache and Common
        • php8.1-opcache - Caches precompiled script bytecode to boost PHP performance.
        • php8.1-common - Offers functionalities common to various PHP modules / Documentation, examples, and common modules for PHP
      • Regular Extensions
        • php8.1-bcmath - Handles precise floating-point arithmetic and is used when working with precision floats
        • php8.1-bz2 - bzip2 module for PHP
        • php8.1-curl - lets you make HTTP requests in PHP
        • php8.1-gd - Image manipulation library for working with images
        • php8.1-igbinary (not currently in my list)
          • Igbinary is a drop in replacement for the standard PHP serializer.
          • Instead of the time and space consuming textual representation used by PHP's serialize(), igbinary stores PHP data structures in a compact binary form. Memory savings are significant when using memcached, APCu, or similar memory based storages for serialized data. The typical reduction in storage requirements are around 50%. The exact percentage depends on the data.
          • Perhaps only use this if you have enough resources and a full cache system in place.
          • This is recommended by the WordPress requirements page.
          • I have not seen any hosting companies use this.
          • GitHub - igbinary/igbinary
        • php8.1-imagick - Image processing with ImageMagick.
        • php8.1-imap - These functions enable you to operate with the IMAP protocol, as well as the NNTP, POP3 and local mailbox access methods.
        • php8.1-intl - Supports international character sets.
        • php8.1-ldap - LDAP module for PHP
        • php8.1-mbstring - used to manage non-ASCII strings / Manages multibyte character encodings.
        • php8.1-mysql - Provides APIs for working with MySQL databases
        • php8.1-pspell (not currently in my list)
          • These functions allow you to check the spelling of a word and offer suggestions.
          • TinyMCE | spellchecker - uses this for spell checking
          • Pspell extension moved from PHP Core to PECL - PHP 8.4 • PHP.Watch
            • The Pspell extension provides spell-checking features to PHP using Pspell or Aspell. The dependencies of this extension have not received any updates for the past few years, and the Pspell extension was moved away from PHP core to a PECL extension in PHP 8.4.
            • The Enchant extension (part of PHP core) is another extension providing spell-checking functionality to PHP. Unlike Pspell which only supported Pspell and Aspell, Enchant provides support for a wide list of backends including Hunspell and Ispell as well as Pspell/Aspell. The Enchant extension is not a direct drop-in replacement for Pspell extension functionality.
        • php8.1-readline - Facilitates interactive terminal input.
        • php8.1-snmp (not currently in my list)
          • The SNMP extension provides a very simple and easily usable toolset for managing remote devices via the Simple Network Management Protocol.
          • Only found this on cPanel servers so it might be a very niche usage.
        • php8.1-soap - The SOAP extension can be used to write SOAP Servers and Clients. It supports subsets of SOAP 1.1, SOAP 1.2 and WSDL 1.1 specifications.
        • php8.1-tidy - Tidy is a binding for the Tidy HTML clean and repair utility which allows you to not only clean and otherwise manipulate HTML, XHTML, and XML documents, but also traverse the document tree, including ones with embedded scripting languages such as PHP or ASP within them using object-oriented constructs.
        • php8.1-xml - For XML parsing and manipulation. / DOM, SimpleXML, XML, and XSL module for PHP
          • Also provides: dom,SimpleXML,xmlreader,xmlwriter,xsl
        • php8.1-xmlrpc
          • Provides XML-RPC server and client functions.
          • http://xmlrpc.com/
          • What is XML-RPC? - It's a spec and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.
        • php8.1-zip - Manages zip file operations and for working with compressed files.
  • Install Command Build Notes
    • PHP: Extension List/Categorization - Manual
      • Full list of official PHP extensions.
      • This appendix categorizes more than 150 extensions documented in the PHP Manual by several criteria.
    • cgi,cli,fpm
      • These might not all be required and you should remove them as required.
      • Add notes from forum post
    • Some modules are built into the PHP binary at compile time, such as json, openssl, pcre, zlib and a few others, which is why they are not in the list above. Different versions of PHP might have slightly different inbuilt modules.
      • e.g. json used to be a separate module, but is now required to be added in at compile time.
    • Linux Packages can contain multiple PHP Extensions and PHP Extensions can contain multiple modules.
    • CMS Requirements
      • Server Environment – Make WordPress Hosting - Although WordPress can work in almost any environment, even very minimal ones, it must be acknowledged that it does not work completely well in these. That’s why here we are going to make some minimum recommendations of the environment in which it would work most effectively when considering that most WordPress websites use third party plugins and themes which commonly introduce additional server-level requirements.
      • J4.x:Optional Technical Requirements - Joomla! Documentation - This page lists optional technical requirements which are not required to install and run Joomla! but are required for some internal APIs.
      • J5.x:Optional Technical Requirements - Joomla! Documentation - This page lists out optional technical requirements which aren't required to actually install and run Joomla! but are required for some dependencies running different internal APIs.
    • How to install or upgrade to PHP 8.3 on Ubuntu and Debian • PHP.Watch
      • A complete guide to install or upgrade to PHP 8.3 on Ubuntu 22.04 (Jammy), Ubuntu 20.04 (Focal), Debian 10 (Buster), 11 (Bullseye), and Debian 12 (Bookworm).
      • The php8.3-common package is a meta-package that installs several PHP extensions. It is possible to selectively disable individual extensions later. PHP Core extensions such as Date, Phar, JSON, ctype, and random are always included. It is not necessary nor possible to install them as separate packages.
      • Instead of installing php8.3-common, it is also possible to install individual packages. Installing php8.3-common is roughly equivalent to installing all of the extensions as shown below:
        apt install php8.3-{calendar,ctype,exif,ffi,fileinfo,ftp,gettext,iconv,pdo,phar,posix,shmop,sockets,sysvmsg,sysvsem,sysvshm,tokenizer}
      • php8.3-cli installs the PHP CLI, and symlinks /usr/bin/php to /usr/bin/php8.3. See Running PHP 8.3 Alongside Other Versions for more information.
    • Required PHP Extensions For WordPress - WPQuickies - In this lunchtime WPQuickies, I'll be listing the required PHP extensions that WordPress needs to run properly.
    • WordPress Required PHP Extensions // WPAssist - WordPress needs PHP extensions to generate page content, update core and plugins and also for handling of file and image uploads. In this post, we have compiled a complete list of required PHP extensions for operating WordPress on a linux server.
    • How To Install PHP 8.1 and Set Up a Local Development Environment on Ubuntu 22.04 | DigitalOcean
      • This tutorial will guide you through installing PHP 8.1 on Ubuntu and setting up a local programming environment via the command line.
      • Gives a list of extensions to install.
    • How to Install PHP 8.3 on Ubuntu 22.04 or 20.04 - LinuxCapable
      • Commands to install PHP 8.3 on Ubuntu 22.04 or 20.04 LTS from a well-known PPA. Includes PHP 8.3 Apache, Nginx and Modules tips.
      • Gives a list of extensions to install.
    • Our PHP Modules | Hostgator - This article contains lists of the PHP modules and PEAR packages pre-installed on our server, as well as the basics for configuring the TimThumb script. Discover them all now!
    • Complete Guide on How to Install PHP Extensions on Ubuntu - Ubuntu is a Linux distribution that is popular for web development, server hosting, and other applications. PHP is a server-side scripting language that is widely used for web development and is extensively supported on Ubuntu. In this article, we will discuss what are PHP extensions, and the advantages of installing them on Ubuntu. We’ll also discuss the steps on how to install those extensions on Ubuntu.
  • The Installation Process
    • Some of the specified packages will get installed as dependencies of other packages; however, it does no harm having them in the list, as it also makes it easy for the installer to know what is going to get installed.
      root@example:~# apt-get install php7.1-{cgi,cli,fpm}
      
      Reading package lists... Done
      Building dependency tree... Done
      Reading state information... Done
      The following additional packages will be installed:
        php7.1-common php7.1-json php7.1-opcache php7.1-readline
      The following NEW packages will be installed:
        php7.1-cgi php7.1-cli php7.1-common php7.1-fpm php7.1-json php7.1-opcache php7.1-readline
      0 upgraded, 7 newly installed, 0 to remove and 1 not upgraded.
      Need to get 5270 kB of archives.
      After this operation, 23.8 MB of additional disk space will be used.
      Do you want to continue? [Y/n] 
    • If the package has been amalgamated into another package, you will usually find it is now a virtual package (alias) to allow for compatibility.
      php-mysqlnd --> php8.1-mysqlnd --> php8.1-mysql
      php-pdo --> php8.1-pdo --> php8.1-common
    • If you have specified a package to install that is already installed, the installer will just skip it.
    • If you have specified a package that has just been installed as part of an earlier package during the install, the installer will just skip it.
    • All the default PHP packages are aliases to the real version as shown below:
      php-cgi --> php8.1-cgi
      php-common --> php8.1-common
      php-gd --> php8.1-gd
    • The command above uses shell brace expansion: each name within {} is combined with the php8.1- prefix to give, for example, php8.1-cgi, and the resulting packages are then installed one after another.
    • After a package is installed, Ubuntu will keep a record of where it was downloaded from.
    • Not all PHP extensions have binary files you can download, they need to be added at compile time.
      • eg OpenSSL: This is compiled when you build PHP rather than it being a 'Dynamic Extension'.
    • When installing packages, most of the time there is a one-to-one relationship between them and the PHP extension you expect to be installed, but this is not always the case. One package can install multiple extensions and also bring in other extensions via dependencies.
    • If you install a newer version of CLI PHP than the system default PHP, then the system default will be changed to this new version of PHP.
    • If you uninstall the latest version of PHP and this happens to be set as the system default PHP, the highest remaining PHP version will become the system default version.
    • This assumes it has the CLI version of PHP installed.
  • Ondrej Repository
    • The ondrej repository takes priority over the standard repositories. This will be checked for updates first.
    • This only holds PHP packages to allow the installation of additional PHP versions.
    • Most likely all of your PHP updates will now come from this repository, including for the system default PHP version.
    • Site Links
  • Installing additional versions and changing the system default php version
  • Remove old version of PHP
  • Changing a Virtual Server's PHP version
    • You must have multiple versions of PHP installed for this to work.
    • You can configure the PHP version being used for a specific Virtual Server by selecting:
      • Virtualmin --> Web Configuration --> PHP Options.
    • What happens when a user swaps their PHP version?
      • The settings configured via the GUI are maintained between PHP versions. So Virtualmin must edit the config files as required when the version is changed.
      • Virtualmin --> Web Configuration --> PHP-FPM Configuration
    • Virtualmin - Install PHP 8.0 and update all sites - Dennis Tsang
      • This blog post outlines the steps of installing and configuring PHP 8 on an existing install of Virtualmin on an Ubuntu system.
      • Then you can update all the Virtualmin sites to use the new version with this API command:
        virtualmin modify-web --all-domains --mode fpm --php-version 8.0
PHP Information
  • Show PHP Version
  • PHP Module Config Files
    /etc/php/
    /etc/php/8.1/
    /etc/php/8.1/cgi/
    /etc/php/8.1/cli/
    /etc/php/8.1/fpm/
    /etc/php/8.1/mods-available/
    • You can look in the /mods-available/ folder to see what has been installed. This might not give the same results as php -m but should be close, if not the same.
  • Show Package Information
    • How to Check Dependencies of a Package in Ubuntu/Debian-based Linux Distributions - Installing applications via command line is quite easy in Ubuntu/Debian. All you need to do is to use apt install package_name.But what if you want to know the dependencies of a package before or after installing it? In this tutorial, I’ll show you various ways to see the dependencies of a package in Ubuntu and other Debian-based Linux distributions that use APT package management system.
      apt show php8.1-fpm      # Gets info from Ondrej
      apt show php8.1-fpm -a   # Gets info from Jammy repo
  • Check if a PHP Module is installed
    • Run one of these commands from the terminal to check if the particular PHP extension is available. You will get a result if the relevant extension is available.
      ### System Default PHP Version
      
      # Show compiled in modules
      php -m
      
      # Check for MySQLi
      php -m | grep mysqli
      
      # Check for MySQL PDO
      php -m | grep pdo_mysql
      
      # Check for MySQL Native Driver (mysqlnd)
      php -m | grep mysqlnd

      ### Alternative PHP versions (installed from Ondrej's PPA repository)
      
      # Show compiled in modules
      /usr/sbin/php-fpm7.4 -m
      
      # Check for MySQL MySQLi
      /usr/sbin/php-fpm7.4 -m | grep mysqli
      
      # Check for MySQL PDO
      /usr/sbin/php-fpm7.4 -m | grep pdo_mysql
      
      # Check for MySQL Native Driver (mysqlnd)
      /usr/sbin/php-fpm7.4 -m | grep mysqlnd
    • PHP: Options - Manual | php.net
      • php -m = Show compiled in modules
    • How to List Compiled and Installed PHP Modules in Linux - If you have installed a number of PHP extensions or modules on your Linux system and you trying to list installed PHP extensions on your Linux system.
    • How to List Compiled PHP Modules from Command Line | Liquid Web
      • Want to know which PHP modules are installed on your server? Check out our tutorial on how to list compiled PHP modules from command line.
      • Covers cPanel.
    • The way I figured out where the binary was is as follows
      • Webmin --> System --> Software Packages --> Search for Package: php7.4
      • Clicked on php7.4-fpm 7.4.33-8+ubuntu22.04.1+deb.sury.org+1
        • I wanted to know where the FPM binary was
      • List Files
        • This now shows all linked files
      • Sort by Type
      • Find the largest Regular File.
        • This will most likely be the binary file you want.
      • Get the file path from this record and use it in the commands above as shown.
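
An added example (not Virtualmin code) that follows up on the mods-available note and the aim of keeping every PHP version on the same modules: it compares the module .ini files of each installed version. The function names and the sample tree are constructed. A module that is built into a newer PHP, such as the json case mentioned above, is reported as missing, so confirm with that version's `-m` output.

```sh
#!/bin/sh
# Added example (not Virtualmin code). Compares the module .ini files that
# each installed PHP version has under ROOT/<version>/mods-available/.

# Print "<version>: mod mod ..." for every version that lacks a module which
# at least one other version has. No output means all versions match.
# ROOT ($1) defaults to /etc/php. The body runs in a subshell so its
# variables do not leak into the caller.
php_module_drift() (
    root=${1:-/etc/php}
    # Union of module names across all versions, one per line.
    all=$(for f in "$root"/*/mods-available/*.ini; do
              [ -f "$f" ] && basename "$f" .ini
          done | sort -u)
    for dir in "$root"/*/; do
        [ -d "${dir}mods-available" ] || continue
        missing=
        for mod in $all; do
            [ -f "${dir}mods-available/$mod.ini" ] || missing="$missing $mod"
        done
        [ -z "$missing" ] || printf '%s:%s\n' "$(basename "$dir")" "$missing"
    done
    exit 0
)

# Constructed sample tree: 8.1 has no json.ini (built in), 8.3 also lacks gd.
make_sample_php_tree() (
    for v in 7.4 8.1 8.3; do mkdir -p "$1/$v/mods-available"; done
    for m in curl gd json mysqli opcache; do : > "$1/7.4/mods-available/$m.ini"; done
    for m in curl gd mysqli opcache;      do : > "$1/8.1/mods-available/$m.ini"; done
    for m in curl mysqli opcache;         do : > "$1/8.3/mods-available/$m.ini"; done
)

# Usage on a server:  php_module_drift /etc/php
```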
Global php.ini
  • Editing the global php.ini / PHP Configuration (cli/fpm/cgi)
  • Global php.ini - how they are used
    • Based on my research and feedback from Use the global php.ini for my sites instead of the copied one - Virtualmin - Virtualmin Community this is how the global php.ini files behave
      • default php (/etc/php.ini)
        • There is no GUI mechanism for editing this.
        • Unsure how this behaves.
      • cli
        • Unsure how this behaves.
      • cgi
        • These are only used as templates for your 'CGI wrapper'/FCGId PHP-based Virtual Servers at the point of creation.
        • These files are copied as outlined below.
      • fpm
        • These are used by all Virtual Servers running PHP-FPM and clients can then override the values on a per Virtual Server basis if their permissions allow them.
    • DNS options - PHP Template configuration files (explained)

      This mechanism/feature does not affect PHP-FPM as that uses the global fpm php.ini and then uses a per Virtual Server override system using .conf files. I am not sure if .user.ini files will allow per folder overrides.

      • The php.ini Copy Mechanism
        • When you create a Virtual Server, the 'CGI wrapper'/FCGId PHP global php.ini for each of the different versions installed (eg: 7.4, 8.1, 8.2) is copied in the following way to the virtual server's home directory. You will also note that a symlink has been created to your server's php.ini file for the default installed version of PHP.
          # Copied Files
          /etc/php/7.4/cgi/php.ini --> /root/home/example/etc/php.7.4
          /etc/php/8.1/cgi/php.ini --> /root/home/example/etc/php.8.1
          /etc/php/8.2/cgi/php.ini --> /root/home/example/etc/php.8.2
          
          # Symlink
          /root/home/example/etc/php.ini --> /etc/php.ini
        • The default destination of the files can be changed by using an option in the 'Server Template' (only works at creation of the Virtual Server).
          • Virtualmin --> System Settings --> Server Templates --> template --> Edit template section: Php options --> Template PHP x.x configuration file.

          • The tool tip says: By default, when a virtual server runs PHP scripts as the server's owner, Virtualmin will copy the system's global PHP configuration file (usually /etc/php.ini) to the domain's ~/etc directory. This allows PHP options to be set differently on a per-server basis.
      • The Why
        • The copied php.ini files are used for ‘CGI wrapper’/FCGId and they were/are a way of Virtualmin allowing each server to have their own php.ini settings.
        • This is useful:
          • If you wish to serve different versions of php in different directories of the same domain,
          • I believe that in future versions of the virtualmin module that you will be able to use FPM to achieve the same goal,
          • but just be aware in the current version of the virtualmin module, Virtualmin writes a symlink to ~/etc/php.ini which is linked to the version of php you have chosen (e.g 8.1), which in turn messes with the cli installation of php for that user.
          • For example you may want to serve the web pages using php 7.x, but allow any exec’s from the web content to use php 8.x, it will not, as it uses the version of php.ini that the symlink points to (in this case 7.x). To get around the problem delete the symlink.
        • This mechanism is used instead of just overriding the global php.ini with individual values like how cPanel does it.
        • This is definitely geared more towards sysadmins and app developers.
        • This means editing the CGI global php.ini files in `Webmin --> Tools --> PHP Configuration` is pointless, as these php.ini files are just being used like Server Templates: a copy is made and used, but the copy is never updated again by the system.
      • The Bad
        • As you roll out new Virtual Servers, their php.ini will become out of sync with the global one, and this is a bad way of managing servers for web hosting. I like to know what they are all set at and I can change them to be all the same.
        • The current setup will just have servers on different snapshots of the global php.ini at different times even if they are not touched.
    • Overview
      • Just use PHP-FPM
        • It allows one central php.ini that can be overridden by clients when required, if their permissions allow them.
        • Sysadmins can push updates to 'disable_functions' quickly and easily to all clients on a particular PHP version.
        • PHP-FPM is much quicker than the other versions of PHP, and possibly more secure.
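
An added example (not Virtualmin code) for the drift described under 'The Bad': it lists functions that the global php.ini disables but a copied per-domain php.ini still allows. File locations are passed as arguments and the sample files are constructed; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not Virtualmin code). File locations are passed as arguments.

# Print the last active value of directive KEY ($2) in php.ini FILE ($1).
ini_get() {
    awk -v key="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*;/ { next }                     # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                   # section header or blank line
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+;.*$/, "", v)            # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# One disabled function per line, sorted, for php.ini FILE ($1).
disabled_functions() {
    ini_get "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | sed '/^$/d' | sort -u
}

# Functions the GLOBAL php.ini ($1) disables that the COPY ($2) still allows.
# The order of names inside disable_functions does not matter.
still_allowed() {
    { disabled_functions "$1" | sed 's/^/G /'
      disabled_functions "$2" | sed 's/^/C /'; } |
        awk '$1 == "C" { have[$2] = 1 }
             $1 == "G" { want[$2] = 1 }
             END { for (f in want) if (!(f in have)) print f }' | sort
}

# Report drift for each COPY against GLOBAL as "copy-path: func func ...".
# Copies that are in sync produce no output.
report_drift() (
    global=$1; shift
    for copy in "$@"; do
        gap=$(still_allowed "$global" "$copy" | tr '\n' ' ')
        [ -z "$gap" ] || printf '%s: %s\n' "$copy" "${gap% }"
    done
    exit 0
)

# Constructed samples: a global file, an older copy and an up-to-date copy.
make_sample_inis() {
    printf '%s\n' '[PHP]' '; constructed global php.ini' \
        'disable_functions = exec, passthru, shell_exec, system' > "$1/global.ini"
    printf '%s\n' '[PHP]' 'disable_functions = passthru,exec' > "$1/old-copy.ini"
    cp "$1/global.ini" "$1/fresh-copy.ini"
}

# Usage on a server (copy paths are whatever your server template uses):
#   report_drift /etc/php/8.1/cgi/php.ini PER_DOMAIN_COPY...
```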
Binary Locations
/usr/bin/php
/usr/bin/php7.4
/usr/bin/php8.3
/usr/bin/php-cgi
/usr/bin/php-cgi7.4
/usr/bin/php-cgi8.3
/usr/sbin/php-fpm7.4
/usr/sbin/php-fpm8.3
  • These are useful if you need to run a command on a specific PHP version or just get the relevant information.
  • The system default PHP is just a symlink to an installed version of PHP, which you can change.
  • There is no default version of PHP-FPM
Misc
  • General
    • How to upgrade Virtualmin scripts when PHP version checks fail · the.Zedt - When things have been running for long enough various updates and configuration changes start adding up with leftovers bound to cause an issue sooner or later. With Virtualmin, one such issue is the system's inability to automatically update its scripts to newer versions based on the incorrect detection that an older PHP version is running on the server instead of the actual one.

Postfix (Email / MTA)

Dovecot (IMAP/POP3)

Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.

SpamAssassin

what I found - might move to sections below

  • Swap between Global and per user
    • You can use the 'Post-Install Wizard' or just alter the setting directly
    • Virtualmin --> Email Settings --> Spam and Virus Scanning --> SpamAssassin client program
  • Global
    • Webmin --> Servers --> SpamAssassin Mail Filter
    • Will read the settings from /etc/spamassassin/local.cf
    • There is no per domain or per user filtering available
    • Uses spamc to provide one client for SpamAssassin, which is why there is only one config.
  • Per Domain
    • When a domain is set up, a copy of /etc/spamassassin/local.cf is made and then the copy is used as the global config for that domain.
    • This allows a per user (domain/Virtual Server Owner) and then a per user (Usermin / Email address)
  • Official
  • General
    • ....
  • Global (spamc) or Per domain
    • Spam and Anti-Virus Scanning – Virtualmin
      • Virtualmin allows you to enable spam and virus scanning of emails on a per-virtual-server basis, and to configure what happens to email classified as spam or virus-laden.
    • spamassassin level per user - Virtualmin - Virtualmin Community
      • Are you asking how to make SpamAssassin work on a per-user basis?
        • Virtualmin --> Email Messages --> Spam and Virus Scanning --> SpamAssassin client program: spamassassin (Standalone program)
        • Once you do that, SpamAssassin will check for a config file in $HOME/.spamassassin/user_prefs each time it delivers an email.
      • it is possible to edit SpamAssassin settings on a per-user basis for anyone with a Virtualmin login
        • Virtualmin --> Mail Options --> SpamAssassin Configuration
        • This also assumes `spamassassin (Standalone program)` is selected
      • Jaime Said:
        • When a virtual server owner edits his spamassassin config, it actually updates files in /etc/webmin/virtual-server/spam . These get used as the global config when spamassassin is run as the user who is receiving email, and are combined with the user's personal config in ~/.spamassassin
        • The /etc/webmin/virtual-server/spam/$DOMAINID directory is initially populated with a copy of the global config, which the domain owner can then override.
    • How to add a spamassassin rule to block all mails that contain a certain word - Webmin - Virtualmin Community
      • Eric
        • I use spamc myself, as it just uses one running SpamAssassin service instance. Then, for each incoming email, a small spamc process is launched to communicate with it.
        • The other option launches a full SpamAssassin process for each incoming email, but has no resident SpamAssassin service.
        • The second option I think is best on servers with extremely low email traffic, which are also low on RAM. However, the second option also allows per-domain SpamAssassin settings, rather than global settings.
  • RBL / DNSBL
  • Filters and Rules
  • Training
    • Spamassassin Bayes DB - using SA-Learn, autolearn - Webmin - Virtualmin Community
      • I want to allow the users to train the spamassassin by themselves. For this I created an IMAP folder, which gets scanned by SA-Learn by a cronjob.
        sa-learn -u user@server.tld --spam /home/server/homes/user/Maildir/.spam/{cur,new} --progress
      • which learns the spam into the bayes db. The spam is recognized correctly if I do a manual scan with:
        spamassassin -D -p /home/server/homes/user/ -e < "$email" > /dev/null 2>&1
      • But still spam messages are reaching my inbox, which are scanned against a bayes db according to the headers, but it seems that spamassassin is not using the users DB.
      • Spamassassin is configured as “standalone” at the moment.
  • Diagnostics
    • EICAR Test File | Trend Micro - The European Institute for Computer Antivirus Research (EICAR) has developed a test virus to test your antivirus appliance. This script is an inert text file. The binary pattern is included in the virus pattern file from most antivirus vendors. The test virus is not a virus and does not contain any program code.
    • I keep getting spam - Virtualmin - Virtualmin Community
      • You need to look in the log to know what’s going on. SpamAssassin mostly works without any user involvement. It can be trained, but it includes a variety of rules by default.
        • Look in the journal for the postfix unit (journalctl -u postfix) to make sure mail is being passed to procmail-wrapper, and then check the procmail.log for whether it’s being processed through SpamAssassin.
        • Then look at the headers of a received mail to see what spam rating it has.
        • URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS
          • it's referring to the DNS server you're using not being allowed to do an RBL request to the RBL servers.
          • Most RBL servers use a "free for some" method, where as long as a given DNS server isn't doing too many requests, it's allowed. But for a dns server that is too busy, (eg: 8.8.8.8 is very busy), it will be blocked from doing RBL queries, since it no longer qualifies as the "Free for some" method, and would then fall under the category where payment is required to do that volume of RBL queries.
  • Spam Configuration Locations
    • Webmin Global:
      • Webmin --> Servers --> SpamAssassin Mail Filter
    • Virtualmin Global
      • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Spam filtering options
      • Virtualmin --> Email Settings --> Spam and Virus Scanning --> Maximum message size to process: unlimited
    • Virtual Server:
      • Virtualmin --> Mail Options --> Spam and Virus Delivery
      • Virtualmin --> Mail Options --> SpamAssassin Configuration
    • Usermin
      • Usermin --> Mail --> SpamAssassin Mail Filter
  • Troubleshooting
    • Some settings in Webmin, Virtualmin and Usermin do not appear to be functioning as (I) expected - Usermin - Virtualmin Community
      • Summary of issues
        • Default settings for the SpamAssassin ‘required_score’ do not display changes from current overriding settings
        • Changing the accessibility of the SpamAssassin module in Usermin only hides access to the tool but does not change any previously saved configuration which could result in unexpected behaviours for users.
          User prefs file needs to be deleted or possibly renamed if it might need to be reused if access is granted later.
        • The Spam and Virus Scanning dialog under Virtualmin contains features that do not actually pertain to Spam specifically but instead to Filtering tools which can also result in unexpected behaviours and confusion for users.
      • First Issue
        • SpamAssassin reads its configuration from many places in the following order:
          1. /usr/share/spamassassin
          2. /etc/spamassassin
          3. /etc/mail/spamassassin (which is a symlink to the previous directory)
          4. /etc/webmin/virtual-server/spam/[vm_id] (some files are symlinks, but virtualmin.cf is editable in the UI)
          5. /home/[domain]/homes/[mailboxes]/.spamassassin/user_prefs
        • Actually you set the score value in different places this is the reason you get a different behavior. My advice is to set the values for a virtual server in virtualmin.cf, for all mailboxes or per mailbox in user_prefs. Please do your own test by changing the scores in the local.cf, virtualmin.cf, user_prefs files, one by one, and after a change send an email to yourself. Check the header for score number to understand what config file was loaded by SA.
      • Second Issue
        • The option Allow mailbox users to create mail filters has nothing to do with SpamAssassin. Initially I was misled because it is in the SpamAssassin/ClamAV section. However, this option allows you to filter messages using Procmail. Basically, you create a .procmail file in the mailbox and filter the messages based on certain conditions. Unfortunately, this feature is very little addressed, although it has been in Virtualmin for a long time. There aren’t even any examples. I think the option should be changed and the word Procmail introduced, to be clearer. I know the tooltip is there for a purpose, but a word put there can solve the confusion even for an advanced user like me.
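The header check recommended in the Diagnostics and First Issue notes above can be scripted. This is an added example, not code from the quoted forum posts or from Virtualmin; the function names and the sample message are constructed, and the default `X-Spam-Status` layout (`Yes|No, score=… required=… tests=…`) is assumed.

```shell
#!/bin/sh
# Added example: read the SpamAssassin verdict from a delivered message.
# "required=" shows which required_score was in force (local.cf,
# virtualmin.cf or user_prefs); "tests=" shows whether RBL lookups were refused.

spam_status() {
    # stdin = one message. Prints the first X-Spam-Status header as a single
    # line of key=value pairs (assumes the default SpamAssassin layout).
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^$/ { exit }                           # blank line = end of headers
        /^[ \t]/ {                              # folded continuation line
            if (inhdr) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        inhdr { exit }                          # header finished, stop reading
        tolower($0) ~ /^x-spam-status:/ {
            inhdr = 1; val = $0
            sub(/^[^:]*:[ \t]*/, "", val)
        }
        END {
            if (val == "") exit
            verdict = val; sub(/,.*/, "", verdict)
            sub(/^[^,]*,[ \t]*/, "", val)       # drop the leading Yes/No
            gsub(/,[ \t]+/, ",", val)           # re-join a folded tests= list
            print "verdict=" verdict " " val
        }'
}

spam_field() {
    # $1 = key: verdict, score, required, tests, autolearn, version
    spam_status | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

blocked_lookups() {
    # Lists rules such as URIBL_BLOCKED that fire when the blocklist refuses
    # the resolver. Matching on "_BLOCKED" is an assumption that generalises
    # the two rule names shown on this page.
    spam_field tests | tr ',' '\n' | grep '_BLOCKED' || true
}

sample_message() {
    # Constructed message, with the header folded the way it is on delivery.
    cat <<'EOF'
Return-Path: <sender@example.net>
X-Spam-Checker-Version: SpamAssassin 4.0.0 on mail.example.com
X-Spam-Status: No, score=2.1 required=5.0 tests=BAYES_50,HTML_MESSAGE,
    URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS autolearn=no
    autolearn_force=no version=4.0.0
Subject: constructed test message

Body text.
EOF
}

echo "score=$(sample_message | spam_field score) required=$(sample_message | spam_field required)"
sample_message | blocked_lookups | sed 's/^/RBL lookup refused: /'
```

On a server, feed it a delivered message instead of the sample, for example `spam_field required < message-file`, after setting a different `required_score` in each config file.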

Razor Spam Detector (SPAM)

DNS

  • Reset the DNS zone (There are couple of ways to reset the DNS zone)
    1. Virtualmin --> Limits and Validation --> Validate Virtual Servers --> Reset Features
      • Virtualserver to reset: Select the relevant Virtual Server
      • Features to reset: DNS domain
    2. Command Line
      virtualmin reset-feature --domain example.com --dns
    3. Virtualmin --> DNS Settings --> DNS Records --> Reset DNS Zone
      • This button has not been added yet, but should be shortly.
  • Why is there a 5 added at the beginning of the MX record?
    • Virtualmin --> DNS Settings --> DNS Records
    • The 5 is supposed to be there, it represents the Mail server priority
  • After one week my DNS still has not fully propagated, why?
  • What DNSSEC algorithm to use?
    • = Algorithm 13 (ECDSA Curve P-256 with SHA-256) (ECDSAP256SHA256)
    • RFC 8624 - Algorithm Implementation Requirements and Usage Guidance for DNSSEC
      • The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of nonexistence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes RFC 6944.
      • RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although the zones deploying it are recommended to switch to ECDSAP256SHA256 as there is an industry-wide trend to move to elliptic curve cryptography. RSASHA1 does not support NSEC3. RSASHA1-NSEC3-SHA1 can be used with or without NSEC3.
      • Has a chart showing what to use and why.
    • DNSSEC specification recommends not signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1) · Issue #1953 · mail-in-a-box/mailinabox · GitHub
      • Cloudflare DNSSEC is now exclusively algorithm 13.
      • Algorithm 13 (ECDSA Curve P-256 with SHA-256) (ECDSAP256SHA256)
      • Has a chart and is a discussion about what algorithm to use.
  • No delegation NS records were detected in the parent zone (DNSSEC)
    quantumwarp.com to wordpress.quantumwarp.com: No delegation NS records were detected in the parent zone (quantumwarp.com). This results in an NXDOMAIN response to a DS query (for DNSSEC), even if the parent servers are authoritative for the child. (31.125.252.137, UDP_-_EDNS0_4096_D_KN)
    • Notes
      • This error can be frustrating but easy to fix.
      • You do not need to have different Nameservers for each domain and sub-domain in the chain.
      • You do not need to have all of your domains in the same zone file, but you can if you want.
      • If there is a break in the DNSSEC chain then you will always get a NXDOMAIN response.
    • Causes
      1. The required DS and NS records in the parent domain are missing or badly formatted.
      2. If all the records are set correctly, then it is just a case of waiting because some of these records need updating at the registrar. Virtualmin's default TTL is 3600s (1 hour). For me after making the changes it took about 2 hours for my domains to become resolvable. Usually it will take between a couple of hours and, in extreme cases, 48 hours, but any more means you have an issue in your DNSSEC chain that will need fixing.
    • Links
      • linux - Error adding DS records for my subdomain to the zone file of parent domain - using bind - Server Fault
        • DS records are only used as part of delegations between zones, ie side by side with the NS records that define such a delegation.
        • If you have for example the zone example.com and just add records for foo.example.com or foo.bar.example.com to this zone that is already covered as it is part of the same zone.
        • However, if you delegate eg sub.example.com so that this is a separate zone, you would have BOTH NS and DS records for sub.example.com in the example.com zone.
        • I'm not sure which of the cases above this question describes, but either you are missing the NS records for the delegation of the new zone or you are trying to add superfluous DS records "within" a zone.
    • DNSSEC Tools
      • DNSViz | A DNS visualization tool - DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
      • Documentation | DNSViz
      • DNSSEC Guide : Common Problems | The DNS Institute - DNS tools, DNS documentation, DNS consulting, DNS analysis.
      • DNSSEC Debugger - The DNSSEC Debugger from VeriSign Labs is an on-line tool to assist with diagnosing problems with DNSSEC-signed names and zones.
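The delegation rule quoted above (a delegated child needs BOTH NS and DS records in the parent zone, while a name that simply lives inside the parent zone needs neither) can be checked against a dump of the parent zone. This is an added example, not part of BIND, Virtualmin or the linked answers; the function names are hypothetical and the zone records, key tag and digest are constructed.

```shell
#!/bin/sh
# Added example: classify how a child zone is represented in its parent zone.
# Input on stdin is the parent zone in canonical one-record-per-line form,
# "owner TTL class type rdata" (the form `named-checkzone -D` prints).

child_records() (
    # $1 = owner name. Prints "TYPE rdata..." for every record it owns.
    owner=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $owner in *.) ;; *) owner="$owner." ;; esac
    awk -v owner="$owner" '
        tolower($1) == owner {
            i = 2
            while (i <= NF && ($i ~ /^[0-9]+$/ || $i == "IN")) i++   # skip TTL, class
            if (i > NF) next
            out = $i
            for (j = i + 1; j <= NF; j++) out = out " " $j
            print out
        }'
)

delegation_status() (
    # Prints ok, ds-without-ns, ns-without-ds or not-delegated for child $1.
    recs=$(child_records "$1")
    ns=$(printf '%s\n' "$recs" | grep -c '^NS ' || true)
    ds=$(printf '%s\n' "$recs" | grep -c '^DS ' || true)   # RRSIG lines do not count
    if [ "$ns" -gt 0 ] && [ "$ds" -gt 0 ]; then echo ok
    elif [ "$ds" -gt 0 ]; then echo ds-without-ns    # the error described above
    elif [ "$ns" -gt 0 ]; then echo ns-without-ds    # delegated, but unsigned chain
    else echo not-delegated                          # name is part of the parent zone
    fi
)

ds_algorithms() {
    # DS rdata is "key-tag algorithm digest-type digest"; 13 = ECDSAP256SHA256.
    child_records "$1" | awk '$1 == "DS" { print $3 }' | sort -u
}

zone_ok() {
    # Constructed parent zone for example.com with a correct delegation.
    cat <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2023110901 3600 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
sub.example.com. 3600 IN NS ns1.sub.example.com.
sub.example.com. 3600 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
sub.example.com. 3600 IN RRSIG DS 13 3 3600 20240101000000 20231201000000 54321 example.com. PLACEHOLDER=
ns1.sub.example.com. 3600 IN A 192.0.2.53
EOF
}

zone_broken() {
    # Same zone with the delegation NS record removed.
    zone_ok | grep -v '^sub\.example\.com\. .* NS '
}

echo "correct parent zone: $(zone_ok | delegation_status sub.example.com)"
echo "NS record missing:   $(zone_broken | delegation_status sub.example.com)"
echo "DS algorithm(s):     $(zone_ok | ds_algorithms sub.example.com)"
```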

Cron / Cronjobs

These are very useful for automating tasks

  • How to setup a cron job – Virtualmin - This tutorial covers how to setup a Cron job. Cron is a service for executing scheduled commands.
  • Located at
    • (System) Webmin --> System --> Scheduled Cron Jobs
    • (User) Virtualmin --> Webmin Modules --> Scheduled Cron Jobs

MariaDB (Database)

General
  • Misc
  • Users cannot edit databases
    • This is usually caused because the 'Account Plan' used for the user was not configured with the correct permissions in the first place.
    • Fixes
      • Make sure the domain owner has the ability to edit databases and change as appropriate
        • Virtualmin --> Manage Virtual Server --> Edit Owner Limits --> Allowed capabilities and features --> Can manage databases
      • You can try swapping the 'Account Plan' to another and then back again after you have changed the 'Account Plan' permissions.
      • Make sure the database feature is enabled
        • Virtualmin --> System Settings --> Features and Plugins
  • How do I stop a single database being created during creating a virtual server?
    • System Settings --> Server Templates --> Template --> MariaDB Database --> Create database as well as login: No
  • Move a database between accounts
    1. Virtualmin (current owner) --> Edit Databases --> 'the database' --> Disassociate With Server
    2. Virtualmin (new owner) --> Edit Databases --> Import Database:
  • Workaround for ${PARENT}_ not working,
    • Create the database in the top-level server and then move the database to the correct sub-server.
Creating SQL Databases with independent credentials on a single Virtual Server

You do not want to use your Virtual Server owner's username and password for your websites, as this is a security risk.

There are 2 ways to create a database manually in Virtualmin.

  1. Virtualmin --> Edit Databases --> Create a new database
    • When you create a database here, the database will belong to the Virtual Server owner, which is a good thing.
    • The Virtual Server owner's credentials will always give full access on these databases.
    • You should always use this option to create your databases so they are always owned by your Virtual Server owner's account and will ensure they are backed up with the rest of the account's files.
  2. Webmin --> Servers --> MariaDB Database Server --> Create a new database
    • When you create a database here, the database will belong to whoever you set it to.
    • Make sure you set it to the right owner so it is backed up with their files when an account backup is triggered.

There are a couple of different ways to add additional SQL users to these databases

  1. Virtualmin --> Edit Users --> (Add a user to this server | Add a website FTP access user) --> Other user permissions --> Allow access to databases:
    • Creating a user here will allow you to configure database access with a Virtualmin user, but will create other associated services along with it such as an email address, so is not ideal.
  2. Webmin (workaround)
    • Webmin --> Servers --> MariaDB Database Server --> User Permissions --> Create new user
      • This will give you full control over the username, password and what permissions this user can have because it is a native MariaDB SQL user.
      • Username: example_prestashop
      • Password: ********
      • Hosts: localhost
      • Permissions: none
        • These will be set below for the specified database.
        • These are global permissions. Only root and some system accounts should have these.
      • Ignore the rest of the settings
    • Webmin --> Servers --> MariaDB Database Server --> Database Permissions --> Create a new database permissions
      • This will allow you to connect your user to your database
      • Databases --> Selected: example_database
      • Username: example_prestashop
      • Hosts: localhost
      • Permissions: select all (or just those you require)
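An SQL equivalent of the Webmin workaround above, with a check that the new account holds no global privileges. This is an added example, not Webmin's or Virtualmin's own code; the helper names and the default privilege list are assumptions, and the password and `SHOW GRANTS` output are constructed.

```shell
#!/bin/sh
# Added example: generate the SQL for a database-scoped MariaDB user and
# audit SHOW GRANTS output for privileges granted at the global (*.*) level.

valid_ident() {
    # Letters, digits and underscore only, so a name can never break out of
    # the quoting in the generated SQL.
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

app_user_sql() (
    # $1 = SQL username, $2 = database, $3 = privilege list (optional; the
    # default is an assumption, pick only what the application needs).
    # The password is read from stdin so it never shows up in `ps` output.
    user=$1
    db=$2
    privs="${3:-SELECT, INSERT, UPDATE, DELETE}"
    IFS= read -r pw || true
    valid_ident "$user" || { echo "invalid username" >&2; exit 2; }
    valid_ident "$db"   || { echo "invalid database name" >&2; exit 2; }
    case $(printf '%s' "$privs" | tr -d ' ') in
        ''|*[!A-Z,]*) echo "invalid privilege list" >&2; exit 2 ;;
    esac
    case $pw in
        ''|*\'*|*\\*) echo "password is empty or contains a quote or backslash" >&2; exit 2 ;;
    esac
    # In a database-level GRANT, "_" and "%" in the database name act as
    # wildcards, so escape "_" to keep the grant on exactly this database.
    db_pat=$(printf '%s' "$db" | sed 's/_/\\_/g')
    # CREATE USER grants nothing: the global level stays at USAGE, which is
    # the "Permissions: none" step above.
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pw"
    printf "GRANT %s ON \`%s\`.* TO '%s'@'localhost';\n" "$privs" "$db_pat" "$user"
    printf "SHOW GRANTS FOR '%s'@'localhost';\n" "$user"
)

global_privs() {
    # stdin = SHOW GRANTS output. Prints every privilege granted ON *.* other
    # than USAGE; empty output means the account has no global privileges.
    sed -n 's/^GRANT \(.*\) ON \*\.\* TO .*/\1/p' | grep -v '^USAGE$' || true
}

sample_grants() {
    # Constructed SHOW GRANTS output for the user created above.
    cat <<'EOF'
GRANT USAGE ON *.* TO `example_prestashop`@`localhost` IDENTIFIED BY PASSWORD '*<hash>'
GRANT SELECT, INSERT, UPDATE, DELETE ON `example\_database`.* TO `example_prestashop`@`localhost`
EOF
}

# Constructed password; on a server, pipe the generated SQL into the mariadb client.
printf '%s\n' 'Constructed-Passw0rd' | app_user_sql example_prestashop example_database
echo "global privileges found: [$(sample_grants | global_privs)]"
```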

Notes

  • I have submitted a feature request to improve this situation
  • 'Keep MariaDB and administration usernames in sync: Yes' = Is a good thing, this will allow you to login with your Virtual Servers username and the 'MariaDB database' password to phpMyAdmin and see all of your tables just like cPanel.
    • Virtualmin --> Edit databases --> Passwords --> MariaDB database
  • None of the Virtualmin options are a good choice for creating additional SQL users. The Webmin workaround will work but is not suitable for large numbers of clients, or for clients to use.
  • Is it possible to have a MySQL database owned by multiple Virtualmin owners? - #2 by leecf - Virtualmin - Virtualmin Community
    • You can also create Webmin users that have access to any given database. Webmin’s MySQL module is incredibly powerful and flexible and has great ACLs.
    • To be clear: Database users and Webmin users are separate entities, but you can use either or both to provide access to any database, depending on what you’re trying to accomplish.
    • If you want web apps on different domains to share a database, you can create one or more MySQL database users in the MySQL module.
    • If you want to allow a user to manage another users databases in Webmin, you can create a new Webmin user just for that purpose. (Virtualmin users are kinda locked down to prevent their ACLs from being changed for safety…so we recommend a whole new user for sharing databases, but I think it’d be possible to make a database accessible to multiple Virtualmin domain owner users, if you click through the warning about it being a Virtualmin user).
    • MySQL Database Server | Webmin - On this page the MySQL database and the Webmin module managing it are explained, and the steps to follow to create databases, tables and users are listed.
  • How to set permissions for mysql - certain DBs ? - Help! (Home for newbies) - Virtualmin Community
    • All of this can be done using the Webmin MySQL module, though doing so does take it out of control of Virtualmin to some degree (Virtualmin loosely enforces a “virtual server --> databases” type of ownership hierarchy where you can have many databases, but each database has only one owner and it’s a virtual server owner account).
    • That said, I make use of the Webmin MySQL module extensively on Virtualmin.com to allow the existence of our development domains, independent access by our license manager, etc., and it’s not particularly dangerous to do so (it just means that some of the relationships and permissions are not obvious in the Virtualmin interface, since it doesn’t cover things that deeply).
    • So, to grant access to a database browse to Webmin:Servers:MySQL Database Server, and click on "Database Permissions". Here you can click "Create new database permissions." and build up fine-grained (or unlimited) access rules for any user to any database.

Software Package Management

  • Software Package Updates and Software Packages are different
    1. Software Package Update
      • Webmin --> System --> Software Package Update
      • This handles your standard repository tasks as if you were using apt-get on the command line.
      • This is what you would class as the package manager if anyone asks.
      • Software Package Updates | Webmin
        • About The Software Package Updates module shows available updates and provides for actual updating.
        • It cannot remove packages.
    2. Software Packages
      • Webmin --> System --> Software Packages
      • This is only concerned with local operations such as:
        • Manually installing a package.
        • Automatically upgrading the installed packages.
        • Listing installed packages.
        • Not 100% sure of this feature's role.
      • Software Packages | Webmin
        • This chapter covers the installation and management of software on your system using packages.
        • It also covers the differences between the various Unix package formats, such as RPM, DPKG and Solaris.
        • Introduction to packages All Linux systems use some kind of software packaging system to simplify the process of installing and removing programs.
        • A package is a collection of commands, configuration files, man pages, shared libraries and other files that are associated with a single program like Apache Webserver or Postfix Mail Server, combined into a single package file.
        • The Software Packages module can be used to install/remove other packages.
  • PostgreSQL
    • Check to see if PostgreSQL is installed
    • Uninstall PostgreSQL
    • Disable PostgreSQL
      • Uninstalling PostgreSQL? - Help! (Home for newbies) - Virtualmin Community
        1. first make sure Virtualmin isn’t using it
          • Virtualmin --> System Settings --> Features and Plugins --> "PostgreSQL database": uncheck
        2. Next, you can prevent Postgres from loading on startup by going into
          • Webmin --> System --> Bootup and Shutdown --> Postgresql --> Start at boot: No
            • This might not be present if the service is not installed or has an init script.
    • PostgreSQL removed from the default installation
      • Postgresql won't enable in virtualmin - Help! (Home for newbies) - Virtualmin Community
        • Of course it’ll let you install it! It’s just a regular package from your OS vendor. Once installed, you can enable it in Virtualmin.
        • We removed pg from the default installation because so few people use it (I prefer it slightly, but there’s not much we can do to change the vastly larger preference for MySQL/Mariadb among the projects in the Install Scripts and in the web dev community in general).
        • Use your system package manager to install postgresql and postgresql-server packages (probably, you haven’t mentioned your distro and version, but I think that’s the right name on all distros we support). You can use the Webmin Software Packages module to do it or do it from the command line. You’ll also probably want the php pg driver packages, or the relevant drivers for the language(s) you’ll be developing with.
        • Once that’s done, you can use:
          # virtualmin config-system PostgreSQL 
        • To do some minor initial configuration (this may not be necessary, depending on your distro/version). Then you can either enable postgresql-server (systemctl enable postgresql-server) or re-run the Virtualmin post installation wizard to enable it.
      • Virtualmin 6.2.0 - ubuntu 20.04 PostgreSql - Virtualmin - Virtualmin Community
        • Q: The latest version of virtualmin apparently does not install the necessary Postgres packages, since the moment to ask if mysql is installed and also PostgreSql also advances installing Mysql, if PostgreSql is also selected it sends an error similar to when Huge Mysql is selected
        • A:
          • Try running
            apt-get install postgresql postgresql-client libdbd-pg-perl libpg-perl
          • PostgreSQL is not installed by default on Ubuntu 18.04 or 20.04. It’s listed as Suggests: in the package, but most people don’t have suggested packages enabled. I think I wanted to reduce the initial install size and complexity, and very few of our users use PostgreSQL (despite it being superior to MySQL/Mariadb in some regards), so it needs to be installed if you want to use PostgreSQL.
          • It was an intentional change to remove it from the default install, but you’re not clear about what problem you’re seeing in the setup wizard? Is it offering PostgreSQL options? It shouldn’t if the postgresql packages aren’t installed…that’d be a bug, but not one I’ve seen.
  • Installing REDIS
    • Redis - official way of installing and configuring in Virtualmin - Virtualmin - Virtualmin Community
      • There is no official way. Use whatever is appropriate for your distro and version. Your operating system is still the same, Virtualmin is just managing some parts of it.
      • There is no Webmin or Virtualmin module for Redis that I know of (certainly none from us, though maybe someone else has implemented one, but I don’t know of one); it hasn’t come up much. One could certainly build one without a lot of work.
      • Virtualmin is not your OS. Virtualmin only cares about the packages it manages, and the packages it manages are installed using your operating system’s package manager, and using the OS standard repositories whenever possible. Virtualmin itself is installed using your operating system package manager (apt-get/dpkg on Ubuntu).
      • Q: Now, if I start installing custom php modules or even building them from source, how will it affect Virtualmin?
      • A:
        • As long as you don’t break PHP, it doesn’t matter. We don’t even use PHP. We just configure it for you, we don’t depend on it in any way.
        • If you can install a package using the OS package manager and standard repositories you should do so.
        • Third party repositories should be used with caution, only when necessary, and only after testing.
        • redis and php-redis packages are available in the Ubuntu repositories, I’d recommend you use those. Installing from source should be a last resort (and, I never allow from-source installs on my production servers). But, that has nothing to do with Virtualmin.
        • That’s me offering you advice based on my decades of systems management. Virtualmin don’t care about Redis.
      • Many thanks, it is clearer now. Key takeaways:
        • If you can install a package using the OS package manager and standard repositories you should do so.
        • Installing from source should be a last resort
        • redis is Redis, php-redis is PHP bindings for Redis. They have different and unconnected versions.
      • You need to install these packages:
        • redis
        • php-redis
    • Complete Guide to Redis PHP - GeeksforGeeks - A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.
  • Installing Memcache
  • Installing OPCache
  • Install ImageMagick
  • Install GD module (Software Package Updates)
    • Webmin --> System --> Software Package Updates
    • States to display: Only new
    • Find packages matching:
      • php-gd
        • This will install GD for the system default PHP version.
      • php8.3-gd
        • This will install for PHP version 8.3
  • Install GD module (manually)
  • How to use the 'Software Package Updates' module to install PHP extensions
    • Webmin --> System --> Software Package Updates --> Package Updates --> Only new
    • Notes
      • Each version of PHP will need its own version of the extensions installing. Be aware that some extensions might not be available on a particular version of PHP.
      • You use this module to search for the packages you want, tick them and then install them which is very straight forward.
      • All of this can be done with the command prompt.
      • If you cannot see a package, it is probably already installed.
      • The trick to installing all of the packages you want is how you search for them.
      • You cannot use wildcards in this module or at least not that I have got to work.
      • Your OS will have a default version of PHP installed and if you do not specify a PHP version the OS will convert the generic term to the OS specific version of PHP before making the request.
      • The search does a %TERM% style search.
    • Search terms and their outcomes
      • php-curl
        • This will find the php-curl package only as it is a very specific search term.
        • My OS default PHP is 8.2 so it will install the php8.2-curl package.
        • Default OS PHP Packages (PHP 8.2)
      • php8.1-curl
        • This will find the php8.1-curl package only as it is a very specific search term.
      • -curl
        • This will find all of the curl packages, and more.
      • curl
        • This will find all of the curl packages, and more but is not as specific as the command above.

Software Package Configuration and Usage

phpMyAdmin

Security

General

  • You can restrict access to Webmin and Usermin by IP or hostnames.
  • You can restrict access to Webmin and Usermin for the root account (or any other account) by IP or hostname.
  • Settings for best security - Help! (Home for newbies) - Virtualmin Community
    • For starters, to get an inherently secure system, it’s recommended to use a Grade-A supported OS, installing no packages besides SSH, and using the Virtualmin installer script to get your web hosting software in place. Virtualmin configures the services, as securely as you can get without being an employee at one of the aforementioned firms.
    • Most security issues come from buggy or incorrectly configured web software, and not from the services itself.
    • My suggestion would be: First, turn off “root login with password” in SSH. Set it to “with RSA key only”. That will prevent brute force attacks on the root account, because no brute force attack in this world can work out an RSA key (of sufficient length).
    • In Virtualmin, you’d still use the root user and their regular password (make it securely long). Brute-force attacks on Webmin are very rare, since it’s by far not as widespread as SSH.
    • If you want extra security, set up a VPN (OpenVPN suggested) and open port 22 and 10000 only for VPN connections.
    • For optimum security it is always a good idea to go through some security/hardening check lists.
    • A few items which rank high on my list of security measures include, “firewall hardening”, “disabling FTP (and other services not used) in favour of SFTP”, “disabling password authentication for root”, and installing a good “intrusion detection system”.
    • We have been using OSSEC for our primary OS-level intrusion detection system for a few years now, and it has saved us sleepless nights because of its highly customizable ruleset, and the proactive measures it takes against hackers and other malicious activity. OSSEC also if configured will send out an email to you including all items which may be a security threat, or that you should know about including login attempts, file changes, etc. When you consider what OSSEC and similar software does, it makes administrating lots of machines less of a headache, and increases uptime by pointing out threats, and taking proactive measures.
    • CSF/LFD: Watches, among lots of other things, logs for login failures and blocks the offending IP via iptables. Also watches for modified system files, can detect port floods, use blacklists to block known hacker nets, limit connection count per source IP, and other stuff.
    • LOGCHECK: Scan configurable log files and reports all lines it doesn’t know (configurable via regular expressions, comes with a pre-made set of rules) via email
    • LMD: Linux Malware Detect, a malware scanner specifically for bad web software. Uses the ClamAV engine for scanning.
    • To mitigate the brute force of Virtualmin using the root user, you could make sure you tighten the host blocking options:
      • Webmin --> Webmin Configuration --> Authentication
      • I would leave “Block users with more than” and “Lock users with failed logins” otherwise you might get locked out of root access as I am not aware of any white listing option. Perhaps turn up the time a host is blocked for invalid login attempts? You could also change the port that is used to access Virtualmin but that isn’t really security (in my opinion, security through obscurity doesn’t do much except slow down a determined attacker).
    • Lawk - This is what I do after a clean virtualmin install on a minimal OS install:
      • Disable root login by SSH, instead I use a regular user to login and then “su” for root. I guess you could also use keys.
      • Enable the iptables firewall in webmin to only allow the hosting ports.
      • Install & configure fail2ban, enable it not only for SSH, but PAM, postfix, proftpd, dovecot, perhaps others, in more recent versions there will be a Webmin jail too so you can use that out of the box.
      • Create a Virtual Server with a domain and make sure SSL is enabled as a feature.
      • Get the Let’s Encrypt certificates in “manage SSL” through Virtualmin server management. This has the benefit of enabling SSL in those applications…
      • BUT I always change the protocols and ciphers to something along the lines of: https://cipherli.st/
      • So that only TLS 1.2 is used.
      • You can then add HSTS to Apache. (careful though that auto renewal works for the certs and that you are not using self-signed).
      • You then get the A+ rating on Qualys.
      • Then you can always run stuff like Nessus & Netsparker to scan for anything you might have missed of known vulnerabilities.
      • Netsparker can scan your webapps for problems in php and so on.
  • SSH Server | Webmin - A worthy read.
  • Mod_security and/or firewall for new setup - Virtualmin - Virtualmin Community
    1. configure mail rate limiting to limit damage that can be done by spammers who gain unauthorised access to user accounts
    2. configure fail2ban to thwart brute force attacks
    3. use only php-fpm as execution mode on all virtual servers to keep the system isolated from virtual servers that will be compromised
  • Suggestions of a New Noob - Blue Skies - Virtualmin Community
    • mod_security with recent CRS rules provide functionality in a similar vein to mod_evasive. I’ve opted to use those on my deployments, rather than using both tools.
    • This is the best explanation for that I could find with a quick search: apache - Apache2 mod_evasive vs mod_security with OWASP crs when protecting against DDOS? - Stack Overflow
    • There are probably better docs for using CRS rules, though.
    • At this time I don’t see any compelling reason to use both, and one could create fail2ban rules to watch for mod_security actions, too, if you wanted to make the layer 7 blocking decisions at layer 4 instead (which could likely provide a small benefit in severe DDoS situations).
  • IDS (Intrusion Detection System) - #4 by happycoding - General Discussion - Virtualmin Community
    • Intrusion Detection System (IDS):
      • IDS monitors and analyzes network or system activities for signs of malicious behavior or security policy violations.
      • It operates in a detection-only mode, meaning it identifies and alerts about potential threats but does not take direct action to prevent them.
      • IDS can be network-based or host-based, depending on whether it monitors network traffic or activities on individual systems.
    • Intrusion Prevention System (IPS):
      • IPS, on the other hand, not only detects malicious activities but also takes proactive measures to prevent them.
      • It can block or prevent malicious activities in real-time by actively intervening in the network or system processes.
      • Fail2Ban falls into this category because it actively responds to detected malicious behavior by blocking IP addresses, thereby preventing further unauthorized access.
    • Fail2ban:
      • Fail2Ban is specifically designed to protect against unauthorized access attempts by monitoring log files for patterns indicative of a potential security threat, such as repeated failed login attempts.
      • When it detects such patterns, it can automatically update firewall rules to block the source IP addresses of the potential attackers.
      • While Fail2Ban is not a full-fledged IDS, it provides a level of intrusion prevention by responding to specific events that may indicate malicious intent.
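
The SSH advice quoted earlier in this section (root login by key only, or no root login at all) can be checked against a server's sshd_config. This is an added example, not code from the quoted threads: the function names, the sample file and the defaults passed for absent keywords are assumptions, and it reads only the global section of a single file (Include files and Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the two
# settings the notes above care about. Function names are hypothetical.

# Print the effective global value of one keyword.
#   $1 = config file, $2 = keyword, $3 = value to report when it is absent
# sshd uses the FIRST value it obtains for a keyword, so a hardening line
# appended below an earlier, weaker line has no effect. Keywords are
# case-insensitive and may be separated from the value by blanks or "=".
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || $0 ~ /^#/) next
            key = $0
            sub(/[ \t=].*$/, "", key)
            key = tolower(key)
            if (key == "match") exit      # global section ends here
            if (key != want) next
            val = $0
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print tolower(val)
            found = 1
            exit
        }
        END { if (!found) print dflt }
    ' "$1"
}

# Report on root login and password authentication; returns 1 on a FAIL.
# Defaults for absent keywords are the assumed OpenSSH defaults.
audit_sshd() {
    cfg=$1
    status=0
    root=$(sshd_value "$cfg" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$cfg" PasswordAuthentication yes)
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "OK   PermitRootLogin=$root" ;;
        *)
            echo "FAIL PermitRootLogin=$root (root password login is not ruled out)"
            status=1 ;;
    esac
    case "$pass" in
        no) echo "OK   PasswordAuthentication=no" ;;
        *)  echo "WARN PasswordAuthentication=$pass (other accounts can still be brute-forced)" ;;
    esac
    return $status
}

# Constructed sample: someone appended the hardened line at the end, but the
# earlier "yes" still wins.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample, not taken from any real server
Port 22
PermitRootLogin yes
PasswordAuthentication = yes
permitrootlogin prohibit-password
Match User backup
    PasswordAuthentication no
EOF
    audit_sshd "$sample" || echo "=> change the first PermitRootLogin line, not the last"
    rm -f "$sample"
}
demo
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually resolved, including Include files, and is the authoritative check.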

WAF / Firewalls / IDS / IPS

General
  • fail2ban vs CSF
    • My Thoughts
      Use the default Fail2Ban and FirewallD setup unless you know why you want CSF.
      • FirewallD + Fail2Ban are good to go straight out of the box and will cover most people's needs. If you want more options and control you can use CSF+LFD.
      • FirewallD and Fail2Ban modules are made by Webmin so will get updated by the team, whereas CSF is controlled by the folks at ConfigServer.
      • FirewallD is a GUI to iptables; it is configured with multiple zones, and its simple GUI makes it a great choice. It does what it says on the tin.
      • Fail2Ban is used in conjunction with FirewallD and is a well tested IDS and brute force login blocker.
      • ConfigServer Security Firewall has a firewall and a login daemon (LFD) to provide a great level of security and options. This software requires more setup and management but you can get more out of it.
      • Comodo WAF is a set of ModSec rules (OWASP) using the mod_modsec apache module to provide a deeper level of protection. This installation can be tricky. The Virtualmin team are hoping to bring ModSec to Virtualmin Pro 8.
    • ConfigServer Security & Firewall (csf) - Third Party News - Virtualmin Community
      • Q:
        • Has anyone used ConfigServer Security & Firewall (CSF) with Virtualmin. It was recommended to me and on its website it says it has a module for Webmin.
        • Is it worth using? What are the pros and cons? Is it more or less effective than the controls in VM? Would be grateful for +ve and -ve experiences.
      • A (Ilia):
        • ConfigServer Security & Firewall (csf) has a great support with Virtualmin and default Authentic Theme, simply because I was personally using it.
        • CSF is a great piece of software but it depends on your needs.
        • Nevertheless, standard Virtualmin setup with FirewallD + fail2ban does all the job pretty well and is more than enough usually.
        • Yes, neither firewalld nor fail2ban can be used alongside with CSF. CSF has its own implementation of login failure daemon called lfd.
        • Also, you shouldn’t worry about firewalld and fail2ban, as CSF installer would take care disabling them for you.
    • Fail2Ban versus CSF? | vpsBoard
      • Q: Which one do you think is better? I have lot of experience with CSF on cpanel servers but not on a server without it. I've never used fail2ban before. Which one would be better for a vps that has no control panel?
      • A:
        • I would say that the two have different applications: One (CSF) is a firewall frontend with Intrusion Detection Service (LFD) and the other is a plain Intrusion Detection Service (fail2ban). If you do not need the firewall part of CSF, then I would go with fail2ban
        • Base functionality for the average user, fail2ban and LFD will be no noticeable difference. Of course, CSF is a nice easy way to fine tune iptables for the average user and for that I highly recommend it.
    • which is the best protection? fail2ban or CSF - Vesta Control Panel - Forum
      • Two different purposes. CSF is Firewall and fail2ban is a plain Intrusion Detection Service.
      • CSF is actually a firewall which includes a brute force protection daemon, very similar to fail2ban. I think this is what prompted the original poster's question.
      • From the website - Login Failure Daemon (lfd)
        • To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly. Other similar products run every x minutes via cron and as such often miss break-in attempts until after they've finished, our daemon eliminates such long waits and makes it much more effective at performing its task.
    • My firewalld isn't working - what is the correct FirewallBackend? Please check yours for me? - #22 by jotst - Help! (Home for newbies) - Virtualmin Community
      • Illia
        • FirewallD is just a front end for iptables/nftables. It does nothing on its own.
      • MrPete:
        • Here’s my new understanding of the reality:
          • FirewallD (and firewall-cmd) is not a firewall at all. It is a UI for a backend firewall, either the older iptables or newer nftables packet filters, and other associated bits.
          • iptables refers to two entirely separate things (managed by the netfilter.org project)
            • a kernel packet filtering technology (being replaced by the nftables packet filter)
            • the iptables firewall definition command utility (nft is the equivalent for nftables architecture)
          • Because the actual packet filters are built into the kernel, there’s no visible iptables or nftables process.
        • So in simple terms:
          • FirewallD is a front end that currently uses iptables as its backend.
      • Joe
        • You’re right, the Webmin Firewalld module is pretty limited (and Firewalld is kinda confusing, I have to read the docs every time I touch anything…I wish it weren’t the best option, but it pretty much is, at least for our needs and our users most common use cases).
      • Joe
        • There is very good support for CSF in Virtualmin/Webmin and Authentic Theme. But, I don’t like that sort of firewall and don’t recommend it on servers. It’s very easy to get bogged down in the minutiae of complicated rules that don’t make sense on a web server. But, Ilia likes CSF, so there’s good support for it.
        • But, Ilia has been doing a lot of work on the Firewalld module, so it’s going to get some upgrades in the next Webmin release.
      • MrPete
        • Q:
          • CSF Firewall comes with a feature called Login Failure Blocking if you do not want to use permanent blocking.
        • A:
          • Read what you quoted about CSF Login Failure Blocking: it’s either for a specific time frame, or permanent.
          • Fail2Ban is far more flexible and robust:
            • It can monitor ANY type of error found in ANY log file
            • The block can be set for ANY number of failures
            • The initial time can be ANY amount of time
          • And, in the upcoming 0.11 release (available “out there” but coming soon to Virtualmin), the block can grow exponentially with each failure, which is very very nice.
          • I had a tiny server suffering from a couple dozen attacks per second. Turned on exponential-growth blocking (when really bad, I let it grow to a one-month block) and everything worked Just Fine.
    • Firewall or other security - Help! (Home for newbies) - Virtualmin Community
      • So, you’ve got a couple of obvious options. One would be to setup iptables (more flexible and, I think, more useful, on servers, but also more complicated), the other would be to start firewalld. Webmin has a module for either; there’s also a CSF module for Webmin, but that may be overkill for your needs. I usually use iptables, because I know it really well, and it is flexible and powerful enough for everything I need.
      • Firewalld is the new management service used, by default, in CentOS 7 and recent versions of Fedora. It is integrated with systemd, which allows it to dynamically apply rules based on what’s running, and the network your system is connected to (e.g. if you have a wired network at work and a wifi network at home, the firewall can act differently in either case). But, for servers, the additional features are pretty much extraneous and may even get in the way. For a server, you mostly just want to say, “Open these ports, and leave them open forever, because I have services running on them.”
      • I’m surprised firewalld isn’t already running; I thought it was on by default on a CentOS 7 system. The fact that it’s not running might mean it didn’t get new rules added when Virtualmin was installed. Our installation detects which firewall you have (whether iptables or firewalld on CentOS) and inserts the rules it needs for all of the services it manages. You can, of course, customize those rules at any time in the Linux Firewall or Firewalld module.
  • Firewall commands
    • List all firewall rules
      firewall-cmd --direct --get-all-rules
    • What is the output of the following commands? Do you have iptables package installed?
      apt list --installed |grep -i tables
      which iptables
      whereis iptables
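
The commands above and the FirewallBackend thread both come down to one question: which packet filter actually holds the rules. The following added example (not from the quoted threads; the function names and verdict labels are this example's own) classifies the `iptables --version` string and the `FirewallBackend` line of firewalld.conf, and flags the case where the two point at different kernel rule sets.

```shell
#!/bin/sh
# Added example: work out which packet-filter backend is in use.
# Function names and verdict labels are hypothetical.

# Classify the string printed by `iptables --version`.
# iptables 1.8 and later append "(nf_tables)" when the command is the
# nftables compatibility build and "(legacy)" when it drives the old
# kernel tables. Older releases print no suffix and are always legacy.
iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo "nft-shim" ;;
        *"(legacy)"*)    echo "legacy" ;;
        iptables\ v*)    echo "legacy" ;;
        *)               echo "unknown" ;;
    esac
}

# Print the FirewallBackend value from a firewalld.conf ($1).
# Commented-out lines are ignored; "unset" means the file does not set it
# and the compiled-in default of that firewalld version applies.
firewalld_backend() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    value=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${value:-unset}"
}

# Combine both answers. "mixed" is the case worth catching: firewalld
# writes nftables rules while rules added by hand with the iptables
# command land in the separate legacy tables, and both sets are evaluated.
stack_verdict() {
    case "$1:$2" in
        nftables:legacy)   echo "mixed" ;;
        iptables:nft-shim) echo "nftables-via-shim" ;;
        nftables:*)        echo "nftables" ;;
        iptables:legacy)   echo "legacy-iptables" ;;
        *)                 echo "undetermined" ;;
    esac
}

# Read-only report for the machine this runs on.
report() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    backend=$(firewalld_backend "$conf") || true
    variant=$(iptables_variant "$(iptables --version 2>/dev/null || true)")
    echo "firewalld backend : $backend"
    echo "iptables command  : $variant"
    echo "verdict           : $(stack_verdict "$backend" "$variant")"
}
report
```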
ModSecurity (ModSec) (WAF)
  • How to Configure ModSecurity on Apache | Linode Docs - This guide will show how to set up ModSecurity with the default rules. Advanced configurations are left as a challenge for the reader.
  • Mod_security and/or firewall for new setup - Virtualmin - Virtualmin Community
    • mod_security is not related to network configuration. But, there is no mod_security GUI in Virtualmin.
    • Nothing stops you from enabling it, though. It’s a one-time thing; just install the package and turn it on (and configure it to use the rule sets you want to use, like the OWASP rules). mod_security is of marginal utility in a system that is well-maintained, but can be useful if you have old apps. mod_security is almost entirely a reactive solution; the rules are mostly based on past attacks, which have usually already been fixed in the software the attacks target. But, since most people aren’t very good at staying up to date, I’ve come around to thinking mod_security is pretty useful, and we’ll be adding it as a Pro feature in Virtualmin 8.
    • Yeah, I think it’s worth being clear that mod_security is what is often referred to as a “web application firewall”, but it does not operate at the same layer of the network stack as a traditional firewall. You should not group the two concepts together when discussing what you need to address a given threat model, and there is almost no overlap in what a network firewall can prevent vs what a web application firewall can prevent.
    • Web application firewalls (like mod_security) are also of limited utility in an up-to-date well-maintained system.
iptables
  • There is a module for naked iptables/nftables
    • Webmin --> Un-used Modules --> Linux Firewall
  • iptables is just a command-line interface to the packet filtering functionality in netfilter
  • iptables is utilised by many frontends that just configure iptables rules to do their bidding.
  • Iptables Tutorial - Beginners Guide to Linux Firewall | Hostinger - Iptables is a powerful firewall tool for Linux. Read our Iptables tutorial and learn everything you need to know to secure your server.
  • Iptables Tutorial: Ultimate Guide to Linux Firewall - Learn all about iptables and Linux firewalls in this ultimate tutorial. Configure iptables and secure your server workloads before a cyber attack strikes.
  • An In-Depth Guide to iptables, the Linux Firewall - Boolean World - The Linux kernel comes with a packet filtering framework named netfilter. It allows you to allow, drop and modify traffic leaving in and out of a system. A tool, iptables builds upon this functionality to provide a powerful firewall, which you can configure by adding rules. In addition, other programs such as fail2ban also use iptables to block attackers. In this article, we’re going to take a look at how iptables works. We’re also going to look at a few examples, which will help you write your own rules.
  • How the Iptables Firewall Works | DigitalOcean - The iptables firewall is a good way to protect your server from unwanted traffic from the internet. In this guide, you will review how Iptables works.
  • A Deep Dive into Iptables and Netfilter Architecture | DigitalOcean - Firewalls are an important tool that can be configured to protect your servers and infrastructure. In the Linux ecosystem, iptables is a widely used firewall tool that works with the kernel’s netfilter packet filtering framework.
  • networking - How can I use iptables on centos 7? - Stack Overflow
nftables
  • There is a module for naked iptables/nftables
    • Webmin --> Un-used Modules --> Linux Firewall
  • Debian 10 Firewalld vs iptables thrashing about - Help! (Home for newbies) - Virtualmin Community
    • Instructions on how to use nftables instead of iptables. This is a couple of years old so the transition might already have happened; for me it has.
    • linux - Check whether iptables or nftables are in use - Unix & Linux Stack Exchange
    • Why nftables instead of iptables?
      • Starting with Debian 10, iptables is officially deprecated with nftables. With Debian 11 the deprecated goes even further. iptables is now the default on Debian 11. Source at Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld - Phoronix
      • Starting in August 2020, nftables is included into the Linux Kernel. Which result in potential significant increase in both performance & security.
      • Fail2Ban on Debian 10 has very good support for nftables. With lots of built-in configurations.
    • Notes
      • For those not familiar with nftables. It is the new framework by the Netfilter Project. Which allows you to perform packet filtering (firewalling), NAT, mangling and packet classification.
      • firewalld is a front end management tool for nftables. Think of nftables as the engine. And firewalld as your dashboard.
      • Firewalld “owns” the firewall on the system, and all management should be done using the firewalld commands or the Webmin firewalld module. Attribution to Joe at https://forum.virtualmin.com/t/firewall-iptables-and-firewalld-conflict/58278/5
      • For those not familiar with Backport. It means you get more recent version of packages for Debian.
      • nftables replaces the old popular iptables, ip6tables, arptables and ebtables
  • How to Use nftables | Linode Docs - In this guide you will learn about what nftables is and how it differs from iptables, plus you'll get a look at how to use and create tables, rules, and chains.
  • nftables - Debian Wiki - nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.
FirewallD
  • Webmin --> Networking --> FirewallD
  • FirewallD is just a front end for iptables/nftables. It does nothing on its own.
  • Cannot delete a rule in FirewallD
    • Webmin --> Networking --> FirewallD --> load any zone --> List FirewallD Rules
    • You see a rule that you don't recognise or want to remove, but there is no option to select or delete. This rule is probably visible in all zones.
    • This 'Direct' rule is created by Fail2Ban and cannot be deleted here.
    • This behaviour is not a bug.
    • The rule can be found here: Webmin --> Networking --> Fail2Ban Intrusion Detector --> Jails Status
    • You can clear the block here or it will probably clear itself in 15 minutes.
Fail2ban
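
The notes above describe fail2ban as counting repeated login failures in log files, banning the source address, and (from 0.11) letting the ban grow with each repeat offence. The following is an added example, a small model of that behaviour and not fail2ban's own code: the function names, parameter names and log lines are constructed for illustration, and ban growth is modelled as simple doubling up to a ceiling.

```shell
#!/bin/sh
# Added example: a small model of failure counting and growing bans.
# Not fail2ban code; names and the sample log are constructed.

# Read sshd log lines on stdin, print one "ip time seconds" line per ban.
#   $1 findtime  window in seconds in which failures are counted
#   $2 maxretry  failures inside the window that trigger a ban
#   $3 bantime   length of the first ban in seconds
#   $4 maxtime   ceiling for a grown ban
# Timestamps are reduced to seconds since midnight, so the input must not
# cross a day boundary (a simplification of this example).
scan_failures() {
    awk -v findtime="$1" -v maxretry="$2" -v bantime="$3" -v maxtime="$4" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, hms, ":")
        now = hms[1] * 3600 + hms[2] * 60 + hms[3]
        # The user name is attacker-controlled, so trust only the LAST
        # "from" that is followed by "<address> port".
        ip = ""
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
        if (ip == "") next
        if (now < banned_until[ip]) next   # already blocked at the firewall
        # Record this failure, then keep only those inside the window.
        times[ip] = times[ip] " " now
        n = split(times[ip], seen, " ")
        kept = ""
        count = 0
        for (i = 1; i <= n; i++)
            if (now - seen[i] < findtime) { kept = kept " " seen[i]; count++ }
        times[ip] = kept
        if (count < maxretry) next
        # Ban: double the duration for every earlier ban, up to maxtime.
        dur = bantime
        for (i = 0; i < bans[ip]; i++) {
            dur *= 2
            if (dur >= maxtime) { dur = maxtime; break }
        }
        bans[ip]++
        banned_until[ip] = now + dur
        times[ip] = ""
        printf "%s %d %d\n", ip, now, dur
    }'
}

# Constructed log: 203.0.113.7 keeps coming back, 198.51.100.20 never has
# three failures inside one window, 192.0.2.10 logs in successfully.
sample_log() {
    cat <<'EOF'
Nov  9 13:00:00 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov  9 13:00:00 web1 sshd[812]: Failed password for invalid user admin from 198.51.100.20 port 51000 ssh2
Nov  9 13:00:05 web1 sshd[813]: Failed password for root from 203.0.113.7 port 40124 ssh2
Nov  9 13:00:10 web1 sshd[814]: Failed password for root from 203.0.113.7 port 40126 ssh2
Nov  9 13:05:00 web1 sshd[815]: Failed password for root from 203.0.113.7 port 40128 ssh2
Nov  9 13:10:00 web1 sshd[816]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Nov  9 13:20:00 web1 sshd[817]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov  9 13:20:01 web1 sshd[818]: Failed password for root from 203.0.113.7 port 40132 ssh2
Nov  9 13:20:02 web1 sshd[819]: Failed password for root from 203.0.113.7 port 40134 ssh2
Nov  9 13:30:00 web1 sshd[820]: Failed password for invalid user admin from 198.51.100.20 port 51002 ssh2
Nov  9 13:31:00 web1 sshd[821]: Failed password for invalid user admin from 198.51.100.20 port 51004 ssh2
Nov  9 13:50:00 web1 sshd[822]: Failed password for root from 203.0.113.7 port 40136 ssh2
Nov  9 13:50:01 web1 sshd[823]: Failed password for root from 203.0.113.7 port 40138 ssh2
Nov  9 13:50:02 web1 sshd[824]: Failed password for root from 203.0.113.7 port 40140 ssh2
EOF
}

# Three failures in 10 minutes, first ban 10 minutes, ceiling 2000 seconds.
sample_log | scan_failures 600 3 600 2000
```

In fail2ban itself the growth is switched on with `bantime.increment` and capped with `bantime.maxtime` in the jail configuration; a one-month ceiling like the one mentioned above is 2592000 seconds.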
Comodo WAF (mod_security with Comodo rule set)
ConfigServer Security & Firewall (CSF + LFD)
cPGuard
Naxsi WAF

Malware Scanners

ClamAV
  • Be able to scan home directories with ClamAV (clamscan)
  • Webmin Module
  • General
    • Is it safe to update ClamAV manually? - General Discussion - Virtualmin Community
      • In my experience, things get messy. ClamAV packaging has been a wild west situation for almost its entire existence, with the ClamAV folks providing guidance for packagers that is unreasonable and example configs that don’t work, and every packager that comes along tries to make sense of it and ends up solving the problems differently and in incompatible ways (though the Debian/Ubuntu packages have been somewhat more stable than the EPEL/Fedora packages, which have had at least three or four incompatible variations, which were also incompatible with a couple of third party packagers).
      • If I were you, and if I really felt compelled to upgrade, I would test on a development server before trying it on a production system, if you really depend on ClamAV working reliably, because I’d bet on breakage.
    • Regarding Antivirus - #5 by Stegan - Virtualmin - Virtualmin Community
      • Our default AV in a Virtualmin installation is ClamAV, and we provide GUI support for it. It is quite resource-intensive, but it does work reliably and is reasonably effective at detecting viruses and malware.
      • Antivirus (any antivirus, not just ClamAV) generally can’t protect servers from most malicious attacks. The kinds of malicious attacks that servers face are rarely mitigated by antivirus software. That’s just not the vector by which servers are usually compromised.
      • Antivirus is among the least effective ways to spend your time when trying to secure a server. I won’t say it is completely useless, but it’s quite far down the list of things to do to secure a server.
      • But, you can certainly run any antivirus you want on your server. It’s your server. Virtualmin is not an operating system, it is a management tool, it is not preventing you from doing things on your server as though it were a normal RHEL/Alma/Rocky/Ubuntu/Debian server, because it is a normal installation of your OS with our software installed on it. We use standard OS packages wherever possible.
      • Add 4.000.000 signatures to Clamav antivirus - Protect your computer against 0-day malwares with ClamAV! Discover how to increase the detection of your antivirus now
Maldet
Immunify360

chroot / chroot jail / Jailkit

chroot = Change root directory

  • General
    • Not another chroot Question? chroot explained? - Help! (Home for newbies) - Virtualmin Community
      • This is my forum thread.
      • Need confirmation of these
        • chroot = Change root
        • Aesthetic only
        • Chroot only works on
          • port 22 for both SFTP and SSH
          • and the Terminal in the user's Webmin
        • ProFTPd controls SFTP on port 2222 and therefore is unaffected by the Virtualmin implementation of chroot.
        • You configure restrictions in ProFTPd.
        • You control what functions and services are added into the Jail by using the jail manager
        • It restricts what commands can be run in SSH for the user. You can add what is allowed in.
        • Any functions/services to be used in the jailed session need to be added.
        • It is not a security feature, but only ‘security via obscurity’
        • Jails are not very useful, it’s just a thing people in the hosting world like. Hides a load of mess from their clients.
        • Chroot does more than jails.
        • The Proper name for this, in the way we are using this feature = chroot jails.
        • If you are not giving your clients SSH access, chroot is pointless.
        • chroot needs root to run and is why it can be dangerous.
      • Questions
        • Why aesthetic only if you can restrict what functions a user has access to with SSH?
        • Where do you configure the SFTP (port 2222) restrictions in ProFTPd?
          • Is this done by hand
          • Webmin → servers → ProFTPD Server
          • ProFTPd jail features?
          • FTP is already restricted to the home page.
        • Does this stop people FTP’ing to the root and seeing files?
        • Does this stop people using SSH getting to the root of the server?
    • My clients access the virtualmin shell automatically as root - Virtualmin - Virtualmin Community
      • Joe: Webmin modules are root access tools, by default. Some can be locked down, but in this case, Virtualmin already has support for granting users Terminal access. You should not grant them access to the Terminal Webmin module. They don’t need it.
      • Tooltip: Be very careful with this option, as most Webmin modules default to providing dangerously complete control over the services they manage.
    • Virtual Server vs. Chrooted Virtual Server - Virtualmin - Virtualmin Community
      • Joe
        • Q: What is the security benefit of chrooted virtual servers vs. normal virtual servers?
        • A: chroot is not a security feature, despite the widespread belief that it is. It basically just hides some filesystem details from the logged in user. And, in fact, a chroot jail can open serious security holes if you don’t understand the implications of putting things into the jail. Though, most of the security risks of chroot jails have been resolved by use of capabilities in the Jailkit packages we provide, I am not entirely confident there aren’t still ways to shoot yourself in the foot. chroot has such a long history of exploitable usage that I am hesitant to say anything nice about it (we added it only after capabilities became universally available across all supported distros and in Jailkit).
      • Ilia
        • Jailkit doesn’t give you any extra security in this regard, and security via obscurity is not really considered. Besides, Jailkit is an additional complexity. There is no need in enabling it to make your server more secure. For instance, I am not using it.
        • If an app (e.g. like WordPress plugin) that runs on one virtual server is hacked, the attacker will not be able to access files under different virtual servers as they are owned by a different user, as PHP scripts are executed as given virtual server owner, although, the hacker would most probably be able to get a list of /home directory (that would depend on PHP configuration though), i.e. see the names of other virtual servers hosted, so if you want to prevent this from happening you would have to use chroot setup.
    • FTP and SFTP for ProFTPD - Virtualmin - Virtualmin Community
      • Joe
        • ProFTPd offers SFTP on 2222 (and FTPS on the usual ports). OpenSSH runs on 22 and also happens to offer SFTP, but its primary purpose is for ssh access…the two can’t share the port, so ProFTPd goes on 2222.
        • If you need the controls that ProFTPd provides (like not allowing running programs), you need to direct users to 2222 or FTPS and don’t give them an SSH login account.
    • Chroot in virtualmin - #3 by gerhard - Developers - Virtualmin Community
      • Joe
        • This is a really old thread, don’t make zombies! None of it is relevant anymore, as chroot jails for both ssh and FTP over SSH is supported right out of the box…you don’t need to configure SSH jails, you just need to turn them on (this uses Jailkit, configurable in the UI, though most folks don’t need to do much with the configuration…some folks may need to add other binaries to the jail).
        • And, FTP over SSH is always available on port 2222 (this uses ProFTPd jail features and doesn’t need configuration).
    • Questions about chroot and Virtualmin. | Virtualmin
      • joe
        • I would argue you shouldn't configure chroot ever, if you're using it for security. There are some pretty significant dangers to using it as a security tool. For one, it breaks some of the security features of ssh. For another it introduces a stage in the interaction with your user where they have root privileges (chrooting requires root privileges). If you make a mistake, or there is any insecure element in your chroot configuration, and an exploit occurs it could be dramatically more dangerous than someone merely seeing a few files in /etc. So, while it makes the system seem more secure at first glance, it actually probably makes it dramatically more likely to be rooted.
        • In short, we don't recommend chroot environments. If you need root-like levels of separation, there are good methods for achieving it (Xen, Zones, vservers, etc.), and we have tools for managing those methods (we have a new product in private beta now and entering public beta this week for managing virtualized systems).
    • Virtualmin + SFTP + chroot – The Research Lab
      • This guide examines setting up chroot’ed SFTP-only user accounts under Virtualmin.
      • SFTP is a secure alternative to FTP and FTPS that uses SSH.  With this setup, no FTP server is needed, as the native sshd server is used instead, SSH does not require an SSL certificate (like FTPS), and is usually considered more secure.
      • However, one drawback is that FTP servers typically offer a simple config option to “restrict access to the user’s home directory”, whereas SFTP requires a chroot’ed setup to do this, which is more complex, and not supported natively by Virtualmin (or really any other CP).
    • Virtual Server vs. Chrooted Virtual Server - #4 by dragonsway - Virtualmin - Virtualmin Community
      • Q: Or is the only way to truly achieve that level of security is by chrooting the Virtual Server?
      • A: Jailkit doesn’t give you any extra security in this regard, and security via obscurity is not really considered. Besides, Jailkit is an additional complexity. There is no need in enabling it to make your server more secure. For instance, I am not using it.
      • Q: How does using a normal Virtual Server, per user, prevent a malicious actor from hacking a random user’s Virtual Server and somehow gain access to the core server itself?
      • A:
        • Basic
          • At first, simply make sure that you use standard Virtualmin installation, i.e. install it on a clean state instance, using official install.sh script and that installation goes well (all installation steps are completed successfully).
          • Later, make sure that you use strong passwords for your virtual servers, as well as strong passwords for SSH/Webmin/Virtualmin/Usermin logins.
          • Try using key authentication for SSH and disable plain password authentication (at least for root user).
          • Also, enable two-factor authentication for Webmin/Virtualmin/Usermin logins.
          • Login failure daemons, like fail2ban will also make it more difficult to brute force your passwords. This is mainly it.
        • Now, in terms of inter-user security
          • if you want to isolate users from one another, simply always create a parent virtual server, which will setup a separate Unix user, as separate Unix user is the main layer of security that just works naturally.
          • If an app (e.g. like WordPress plugin) that runs on one virtual server is hacked, the attacker will not be able to access files under different virtual servers as they are owned by a different user, as PHP scripts are executed as given virtual server owner, although, the hacker would most probably be able to get a list of /home directory (that would depend on PHP configuration though), i.e. see the names of other virtual servers hosted, so if you want to prevent this from happening you would have to use chroot setup.
        • Default Virtualmin installation is very secure by default.
          • Try not to deviate from configuration of what standard installation provides, unless you know exactly what you’re doing. And remember, extra complexity almost always raises the risks of bringing in more potential issues to the field.
      • SSH/Terminal enabled for concern - Virtualmin - Virtualmin Community
        • When I try to enable the terminal and SSH for a website, I notice that each domain owner has read access to the root directories. Is there a way to restrict read access of all files outside the virtual domain directory?
        • You can use jailkit, but to use jailkit you must be aware that all resources that the user needs must be placed in the jail, you also may have to alter the users environment to get the best experience. That said for what reason does a domain owner ssh access ? As most things that a domain owner may need are in the virtualmin/usermin panels. I don’t give Domain owners ssh access, I point them to the relevant function in Vmin/Umin.
        • "be aware that all resources that the user needs must be placed in the jail"
          • Note that Virtualmin Pro users with version 7.9.0 and up, will be able to do it with ease.
        • We setup by default the following sections:
          perl, basicshell, extendedshell, ssh, scp, sftp, editors, netutils, logbasics
        • "You said php worked out of the box. It does not appear to do that"
          • It does on EL systems. Debian and derivatives don’t have php section defined, so it has to be added manually.
          • Virtualmin Pro can still copy php binary and all dependencies using Extra commands and directories for Jailkit to copy option.
        • "So i have to guess what dependences are required for php?"
          • Nope, this is what Jailkit init program is doing.
          • I think the more we add UI enhancements that make it seem like an easy thing to do, the more likely someone will make mistakes that make their jails breakable (which is actually extremely dangerous on Debian/Ubuntu where the Jailkit binaries do not use capabilities and are running as full root, at least, last time I checked…the RPM uses capabilities, so it’s much safer).
          • The distinction lies in the packaging differences between EL and Debian distributions. Specifically, in the EL distribution, jk_init includes a defined [php] section, whereas this section is absent in the Debian distribution.
          • However, this difference should not affect our users, thanks to a new feature in Virtualmin Pro that automates the process. Users simply need to add php to the Extra commands and directories for Jailkit to copy field, and the system will handle the rest seamlessly.
        • I was always assuming the RPM was packaging the upstream files unmodified, but I guess not. I see there is no php section here: [jailkit] Contents of /jailkit/ini/jk_init.ini
          • I wonder now what is adding [php] section in RPM package?
          • Most probably Red Hat or EPEL?
          • It is an EPEL package, so, whoever maintains the Fedora package.
        • But, also, I don’t know how we make it clear that folks need to understand Jailkit in order to use it safely!
  • What is chroot?
    • chroot - Wikipedia
    • Jailkit - chroot jail utilities
      • Jailkit - a set of utilities to create chroot shells or chroot daemons
      • Jailkit is a set of utilities to enhance the possibilities of chroot jails. Jailkit contains a set of tools and config files to automate the deployment of chroot jails. Jailkit also contains various tools to limit user accounts to specific files or specific commands, configured from a config file. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
    • Jailkit - chroot jail utilities (jailkit 8)
      • Jailkit - a set of utilities to create chroot shells or chroot daemons
      • Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the jailkit utilities than doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and its subdirectories. The chroot(2) system call is used by jailkit to put the user inside the jail.
      • If you want the user to be able to do just one thing, you can set up the jail so that the user is able to do exactly and only that one thing. For example, if you want the user to be able to run scp, you install a copy of scp in the jail along with just enough support to execute it (e.g., using a limited shell). As you can understand, the fewer executables you have in a jail (and the more their capabilities are limited such as using strict configurations), the more work a hacker needs to break out of it. It is important to note that a chroot jail can be easily escaped if the user is able to elevate to the root level, so it's very important to prevent the user from doing so.
      • A badly configured jail is a security risk!
      • If a jailed user or a jailed process can modify files in (for example) the JAIL/lib/ or JAIL/etc/ directory (i.e., those within the jail directory), the user can bypass security checks and gain root privileges.
      • No directory inside the jail except for the user's home directory or tmp should be writable by the user. Especially the root of the jail should not be writable by the user.
    • Jail Management » Linux Magazine
      • This is a well written article explaining chroot and jails.
      • Setting up chroot jails is no simple task. Jailkit can make this job a little easier by automating setup and configuration.
      • chroot is a way to limit a user account's access to the parts of the directory tree by – as the name of the command implies – changing its root directory. The result is what is known as a chroot or, sometimes, a chroot jail, which draws on the larger system's resources as needed
      • Contrary to widespread misinformation, a chroot is not a security measure unless specifically configured as one.
      • Although confinement in a jail can limit what an uninformed user can do, expert users could escape a jail by creating a second jail within the first.
      • In addition, any process run with root privileges can access resources outside the chroot.
      • Similarly, if a user has permissions for any files outside their home directory, they are not jailed.
      • In addition, any user with root privileges can access the chroot from the main system, including those using sudo
  • Jail configuration
    • Config file:
      /etc/jailkit/jk_init.ini
    • Webmin --> System --> Jailkit Jail Manager
      • Tooltip:
        • Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.
        • This module provides a user interface for managing the Jailkit jail configuration file (jk_init.ini). With it, you can create, modify, and delete jail definitions.
  • Enable disable chroot for a User/Virtual Server
    • Virtualmin --> System Settings --> Server Templates --> 'A Server Template' --> Administration user --> Chroot jail new domain Unix users
      • Tooltip: This option determines if new top-level virtual servers are by default setup to chroot the domain owner Unix user into a directory that is isolated from the rest of the system.
    • Virtualmin --> Virtual Server --> Manage Virtual Server --> Edit Owner Limits --> Other restrictions --> Chroot jail domain Unix user
      • Tooltip: If enabled, all SSH and SCP access by the virtual server's Unix user will be restricted to his home directory. This also applies to PHP scripts run in FPM or FCGId modes.
  • How to use chroot in virtualmin
    • debian - How to use Jailkit Jail Manager in Virtualmin to restrict users - Unix & Linux Stack Exchange
      • Q:
        • How to use Jailkit Jail Manager in Virtualmin (Webmin 1.892) to restrict users in their homes including virtual website and all services running under user?
        • I am setting up small website hosting service and I must disable access to everything except user's home.
        • I don't want to use FTP or FTPS! Users will have full SSH access to their system and they will be able to run for example NodeJS scripts, Teamspeak, etc...
      • A:
        • Virtualmin --> 'Virtual Server' --> Manage Virtual Server --> Edit Owner Limits --> Other restrictions --> Chroot jail domain Unix user: Yes
        • Setting this in a 'Server Template' for your client's first is better.
    • CHROOT issues/questions - Help! (Home for newbies) - Virtualmin Community
      • jimr1
        • I would only use a chroot on a user that has, and will use shell access, and also use the correct utilities to add whatever the sys admin deems fit.
        • As Joe pointed out chroot has not much effect to a web user as they have limited access to the system.
      • Joe
        • You need to add anything you want your chrooted user to be able to use to the jail. To use sendmail, you need to add that command and its libraries to the jail, either using the jk_cp command or adding it to the config file for the jail being created for your users (there are several included jail configs, we default to a quite limited one, for security reasons).
        • This is true of any use of a jail, regardless of control panel being used to manage things. A chrooted user only sees what you put in their chroot. If you want them to use PHP, you gotta give them php (and maybe the specific extra versions they need, if any). If you want them to send mail, you’ve gotta give them sendmail. As I said, there are some defaults included with Jailkit, or you can make your own and tell Virtualmin to use it.
        • The point of a chroot is to restrict what the user can and can’t see and do. It’s quite restrictive by default (and by necessity…it’s not all that hard to accidentally give users the ability to escape the chroot).
      • jimr1
        • a domain owner does not really need access via ssh really with their priv level they can do nothing to the system bar look at directories they have privs to … This is the point of webmin/virtualmin it negates the need for ssh access as webmin/virtualmin has:
          • a File manager that can cover most file operations (upload/download/new/delete + more)
          • a terminal that gives the same access as ssh
          • a lot of things a domain owner would need wrapped up in the virtualmin gui
        • so what do you think the user would benefit from having raw ssh access ?
          • As the virtualmin terminal is that good, to the point I have not broken it yet, On my own server I am thinking of removing native ssh access and using just the virtualmin terminal if the user ever wants to use it.
          • I have found most domain owners seem to use the file manager and the virtualmin menuing system to edit what they need and very seldom use the terminal.
        • It may be true other panels may ‘nurse maid’ a jail by adding virtually everything to the jailed user but perhaps that is not required and the sys admin (i.e you) should have a total say what system files are added to the jail to avoid possible break outs of the jail. Maybe this is just a way of an new way of sys admin to you but it does work, but I guess each to their own
      • Joe
        • The distro had nothing to do with defining the jail configurations (though I guess they could, jails are not a thing most people care about). The upstream jailkit source provides them (and as far as I know, they’re mostly unchanged by the distros that do package jailkit, and our package for RPM-based distros does not alter the jails…we used to fix a bug in one of the jails from upstream, but it’s now been fixed upstream, and we no longer customize it).
        • There isn’t any judgment happening at the distros. They don’t care. It’s just another package to them, and it’s a very rarely used package in most contexts; you won’t find any Debian/Ubuntu/RHEL core documentation about Jailkit, because jails are not very useful, it’s just a thing people in the hosting world like.
        • But, the idea is that you’ll configure the jail to suit your needs or the needs of your users, and with the commands you’re comfortable with them having. There are a handful of predefined jail configurations, and you can create as many of your own as you want. I guess we should spend more time on either documenting that or making the default jail do the usual things people expect to be able to do when they ssh in (but that negates most of the already small security benefit of a chroot jail).
      • Joe
        • We use Jailkit for Jail creation and management (probably most others do, too, except maybe cPanel who have a lot of their own in-house tools and custom build everything), so the Jailkit site is a good place to start: Jailkit - chroot jail utilities
        • Last I checked Debian (and Ubuntu) did not build Jailkit with capabilities, and so they are more likely to be dangerous than on RPM-based distros, where we provide the package and it has capabilities enabled.
        • The chroot is created with full root privileges on those distros, and if exploited at that stage, it would potentially provide root access to the system, not merely a chroot escape (having it built to use capabilities means it only has the ability to create a chroot and maybe one other privilege I can’t recall, so it’s less of a threat, though still potentially problematic).
        • So…I kinda think using chroot jails on those distros is negative for security. The likelihood of an exploit is probably pretty small, if you are careful about what you put in your jail(s) and what permissions they have. It’s an old codebase, and has had lots of time to become well-understood. I recommend reading and understanding this specific page, in particular, Jailkit - chroot jail utilities before using jails.
      • Joe
        • To send mail using the sendmail command, you need to add the sendmail command to the jail, either via jk_cp (for one user jail) or by adding it to the jail configuration file (which will add it to future created jails).
      • Joe
        • And, you will find the default jail configurations in /etc/jailkit/jk_init.ini, and you can modify those, and you can choose which kind of jail is used by Virtualmin (that’s chosen in Server Templates, I believe).
      • Stegan
        • I still don’t understand what the motivation is to use jails?
        • They appear to add nothing but trouble. based on some alleged benefit of additional security.
      • ID10T
        • Worth a read is the Wikipedia entry.
          • A chroot on Unix and Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.
        • Also from Linus Torvalds
          So all chroot(2) really does is reset the “/” reference?
          • Yes. Literally. Everything else stays the same, including any open files (and cwd).
          • It’s a “flaw” in chroot if you consider it a jail, but it’s used for so much more than that.
        • Note that the most common use of chroot isn’t actually the “jail” kind of usage, but building and installation environments (ie a lot of package building stuff end up using chroot as a way to create the “target environment”).
          • chroot safety - DEV Community - As seen before, chroot isolates the 'outer' filesystem from a new process started with the command. It's handy, but not safe. With some creativity the process can break its 'chroot jail'.
      • Joe
        • chroot has loads of great uses. A jail is the least interesting, but in web hosting, it became the norm for aesthetic reasons (people didn’t like their customers seeing the rest of the system), so everybody expects us to offer it, so we do.
      • Joe
        • It is mostly aesthetic. What it looks like to a non-technical user to see a list of other user homes when they ls /home. That looks scary, and may bother hosts who don’t want their customer lists being visible (which is reasonable). So, requiring use of ProFTPd connections (whether FTPS or SFTP) can prevent that without needing a chroot jail, if those customers don’t need a shell.
  • Results of my testing
    • When you swap between chroot on/off, the change is not immediate, wait 1-2 min.
    • chroot option only affects SSH on port 22.
    • ProFTPd controls SFTP on port 2222 and therefore you configure restrictions in ProFTPd.
    • With chroot off
      • FTP (port 21)
        • I can only see my test user's home directory.
      • SFTP (port 22)
        • home directory = /home/testuser/
        • I can go above my test user's home directory.
        • I can see other home directories, but cannot access them.
        • I can see server root (/).
        • I can see lots of files and folders in the root.
        • = Not Restricted by chroot
      • SFTP (port 2222)
        • home directory = /home/testuser/
        • I can go above my test user's home directory.
        • I can see other home directories, but cannot access them.
        • I can see server root (/).
        • I can see lots of files and folders in the root.
        • = Not Restricted by chroot
    • With chroot on
      • FTP (port 21)
        • I can only see my test user's home directory.
        • = Restricted by ProFTPd
      • SFTP (port 22)
        • home directory = /home/testuser/
        • I can go above my test user's home directory.
        • I cannot see other home directories.
        • I can see server root (/).
        • I can see some files and folders in the root, but not all of them.
        • = Restricted by chroot
      • SFTP (port 2222)
        • home directory = /home/chroot/12345612345699/home/testuser/
        • I can go above my test user's home directory.
        • I can see other home directories, but cannot access them.
        • I can see server root (/).
        • I can see lots of files and folders in the root.
        • = Not Restricted by chroot
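  • Checking a jail against the Jailkit rules quoted above (no directory outside the user's home or tmp writable by the user, nothing modifiable in JAIL/etc or JAIL/lib, no route to root inside the jail). This is an added example, not part of the original notes and not code from Jailkit or Virtualmin; the function name `audit_jail`, its output labels, and the assumed layout (homes under JAIL/home/<user>, scratch space in JAIL/tmp) are assumptions made for illustration.

```sh
#!/bin/sh
# audit_jail JAIL_DIR [TRUSTED_UID]
#
# Checks a chroot jail tree against the Jailkit guidance quoted in these notes:
#   * no directory except the users' home directories and tmp may be writable
#     by anyone but root (the jail root itself included);
#   * no file outside home/tmp (JAIL/etc, JAIL/lib, ...) may be modifiable by
#     the jailed user;
#   * set-uid/set-gid files owned by root are listed for review, because the
#     jail only holds while the user cannot elevate to root.
#
# Prints one finding per line. Status: 0 = clean, 1 = findings, 2 = bad usage.
# TRUSTED_UID defaults to 0 (root); it is a parameter only so the check can be
# exercised on a constructed test tree without root privileges (assumption of
# this example). Paths containing newlines are not handled.
#
# The body runs in a subshell, so variables stay local and `exit` only leaves
# the function.
audit_jail() (
    jail=${1%/}
    trusted=${2:-0}
    if [ -z "$jail" ] || [ ! -d "$jail" ]; then
        echo "usage: audit_jail JAIL_DIR [TRUSTED_UID]" >&2
        exit 2
    fi

    findings=$(
        # Directories: skip each user's home and tmp, then flag anything that
        # is group/other-writable or not owned by the trusted uid.
        find "$jail" \( -path "$jail/home/*" -o -path "$jail/tmp" \) -prune -o \
            -type d \( -perm -020 -o -perm -002 -o ! -user "$trusted" \) -print |
            sed 's|^|WRITABLE-DIR |'

        # Regular files under the same rule (device nodes and symlinks are
        # deliberately not matched by -type f).
        find "$jail" \( -path "$jail/home/*" -o -path "$jail/tmp" \) -prune -o \
            -type f \( -perm -020 -o -perm -002 -o ! -user "$trusted" \) -print |
            sed 's|^|WRITABLE-FILE |'

        # Set-uid / set-gid files owned by the trusted uid, anywhere in the jail.
        find "$jail" -type f -user "$trusted" \( -perm -4000 -o -perm -2000 \) -print |
            sed 's|^|SETID-FILE |'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)

# Stand-alone use (run as root): sh audit_jail.sh /home/chroot/<jail-id>
if [ "$#" -gt 0 ]; then
    audit_jail "$@"
fi
```

  • A non-zero exit status makes the function usable from cron or a monitoring check; every SETID-FILE line needs a manual decision on whether that binary belongs in the jail at all.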

Housekeeping

  • Is there a reason that Virtualmin keeps so many previous kernals? - Help! (Home for newbies) - Virtualmin Community
    • Virtualmin does no such thing. Virtualmin is not your package manager.
    • Just run the following after kernel updates:
      apt clean && apt autoclean && apt autoremove
      • You can also automate this by creating a bash script that runs the above whenever a kernel update happens.
    • Q: Yes… but we are always told to not do things outside of Virtualmin… So if we are updating via Virtualmin…
    • A: Though I would recommend being careful with autoremove. You need to read what it’s doing and make sure you understand what it’s removing before approving it.
    • Note the search term: linux-image
  • Update Detected Operating System
    • Update Detected Operating System - What now? - Virtualmin - Virtualmin Community
      • Joe
        • It literally updates the version number in the dashboard. I agree it feels weird to make it a dramatic looking thing. Edit: Though, I wonder if a major version bump would lead to new config files (the files that determine defaults for the OS) being copied in some cases. I’ll have to check.
        • By the time the notice appears there is nothing to install. The OS upgrade is done (and Webmin didn’t do it…Webmin never automatically updates anything, you would have had to have approved any upgrades Webmin did…you might also have automatic updates enabled at the OS level, but that’s none of Webmin’s business). But, minor version updates are just that. They aren’t something to get crazy about. You should have regular known-good backups, of course, but minor updates are not expected to be disruptive.
      • Ilia
        • By clicking this button, you update the Webmin configuration to match the current minor version of the OS. If Webmin has new settings for the updated OS version, these will be added to the config (on the next Webmin upgrade). Changing the OS completely or distro upgrading might cause issues, though it depends.
        • However, there’s no need to worry in your situation. The Ubuntu updates you’re dealing with are minor and don’t have any major changes that could cause problems. You can click on the link to read the Release Notes for more details about the minor release. Or, just click the ‘submit’ button to update the Webmin config and remove the alert.

Troubleshooting

  • Diagnostics
    • check-config (CLI) – Virtualmin
      virtualmin check-config
      • This program checks your system's Virtualmin configuration, outputting the progress of the check as it goes. If any serious problems are found it will halt and display the error found.
      • This program can automatically update some configuration files if needed (i.e. if Apache is configured to use a PHP version that's not installed).
    • Troubleshooting Websites | Virtualmin — Open Source Web Hosting Control Panel
      • Web server configuration - Troubleshooting web server issues involves checking various elements, from configuration settings to log files. Common problems are not always evident as errors in error_log, so a comprehensive approach is needed.
      • Webserver logs - The first step in troubleshooting is to examine the log files. Each virtual server or sub-server in Virtualmin has its own log files located in /home/example/logs (replace example with your server name). The error_log is typically the most informative, but access_log may also provide useful insights.
  • Using the logs
    • Email from Client doesn't always work - Virtualmin - Virtualmin Community
      • Modern systems send most logs to the journal. You should get familiar with it (the journalctl command is the standard tool for searching/tailing logs in the journal). The postfix, dovecot, and saslauthd units are probably the relevant ones for your problem.
      • Webmin has the System Logs Viewer module that defaults to include the journal (instead of the System Logs module, which works with various syslog implementations). But, for anything complicated, the journalctl command is still your most capable option.
  • Locked out of Webmin/Virtualmin / Your IP has been blocked
  • Connection issues
    • Check the following settings are correct
      • Webmin --> Networking --> Network Configuration --> Hostname and DNS Client --> DNS servers: should have 127.0.0.53, then you add 10.0.0.1 (if not DNS hijacking 9.9.9.9 or 8.8.8.8 etc..)
      • Webmin --> Networking --> Network Configuration --> Routing and Gateways --> Default router: this is set to 'None (or from DHCP)', change this to 'Gateway: 10.0.0.1'
    • If you can access your server locally but not from the outside, check the following
      • NIC
        • Check to see if the gateway is set on the Virtualmin server's NIC
        • Check which route is being used if you have more than one NIC
      • DNS
        • Split DNS configuration in your router - If this is being used do you have the correct entries.
        • Are the DNS and nameserver entries correct at your registrar
        • Host file entries on your local computer
        • Are the router DNS override entries correct.
        • Do you have DNS hijacking running on the router and this is causing issues.
        • Are your virtual servers configured to use your external IP address.
      • Routing
        • Is your router (ie LuCI/LineageOS or pfSense) running a Webserver on port 80 and 443, if so, change these ports on the router.
        • Have you setup port forwarding / NAT properly
        • NAT Reflection (optional) - If enabled, is this configured and running correctly
        • Is there a firewall blocking ports 80 and 443 on the router
        • Remove IPv6 from the router. Not everything supports this correctly.
      • Virtualmin
        • Virtualmin --> System Settings --> Re-Check Configuration
          • this makes sure there are no obvious issues
        • Create a new Virtual server with a random domain name:
          •  i.e. chocolatefactory123.com
          • Use a Windows hosts file override and see if it loads normally.
          • This might also fix the other sites.
          • Don’t install a Let's Encrypt SSL
          • When I did not have any configured virtual servers, adding one finished whatever Virtualmin needed to do and then it worked, so it might help here.
        • You have to look at the logs.
        • Put the website on the correct IP address
          • Virtualmin --> Manage Virtual Server --> Change IP Address
        • Virtualmin --> System Settings --> Re-Run Install Wizard
          • This is useful if you have made some changes and things are not working.
          • Do this last to prevent issues and potentially wiping out some of your settings.
          • Update Incorrect IP Addresses if prompted.
        • Virtualmin --> Virtualmin Configuration --> Configuration category: Networking settings --> Network interface for virtual addresses
          • Check this is configured correctly, especially if you have 2 network cards.
          • Tooltip: If your server has multiple interfaces, you may choose which interface to use for your virtual domains. If SSL or FTP virtual hosts are enabled, a new IP will be required for each domain on which the feature is enabled. Unless configured otherwise during domain creation, the new addresses will be created on the interface specified here.
    • Related links and articles
      • DNS Frequently Asked Questions – Virtualmin
        • Virtualmin error: 127.0.0.1 isn't listed in /etc/resolv.conf
        • How do I setup nameservers for my server?
      • Https website unreachable - Help! (Home for newbies) - Virtualmin Community
        • Take luci/lineageos gui off port 80 http and 443 Https
        • From what you have told me it might not be a routing issue but a misconfiguration some where.
        • Create a new Virtual server:
          • with a random domain name, i.e. chocolatefactory123.com , use windows host file override and see if it loads normally. This might also fix the other sites.
          • don’t install a lets encrypt SSL
          • When I did not have any configured virtual servers adding one finished whatever Virtualmin needed to do and then it works so it might help here.
        • The ip in the example.nl virtual hosts file 10.xx.xx.10 change to 178.xx.xx.27 and remove the ipv6 address (for now) and restart apache, then try
          • Virtualmin --> Manage Virtual Server --> Change IP Address
        • The issue - 2 NICs
          • Ok, you have a internal and external address, weird.
          • Ah, it’s start to ring a bell. Not, not weird. This is a rackserver with 2 connections. It needs both since it acts as a node, where the other network is used for internal communications between nodes. I think that’s where it might confuse this setup.
          • I feel I should try and rerun the wizard and try to force him to ignore the 10.xx.xx.xx addresses. Until now I thought this was something that virtualmin created himself to handle internal requests…
          • Not sure how you would make eth1 the main IP. I can’t remember selecting the IP in the wizard.
          • It will allow me to change the ens3 to ens4 and come up with this refresh option for all domains. It worked instantly.
          • Ran `Re-Run Install Wizard`
          • Updated Incorrect IP Addresses.
  • Resetting back to initial values as set in your Server Template
    • Virtualmin --> Limits and Validation --> Validate Virtual Servers --> Reset Features
    • This feature resets the values of your Virtual Server back to how they are specified in the assigned Server Template.
    • You can select multiple sections to reset.
    • Caution is advised as I do not know if this will delete databases and email accounts etc... if in doubt make a backup first.
  • Service monitors not shown on dashboard / Enable System Monitors
    • Webmin --> Tools --> System and Server Status --> Settings Cog -->  Show monitors on Dashboard: Yes
    • Make sure the required monitors are enabled
  • No 7z file support in File Manager
    • You get the following error in the File Manager
    • How to Use 7Zip in Ubuntu and Other Linux
      • Cannot extract .7z file in Linux? Learn how to install and use 7zip in Ubuntu and other Linux distributions.
      • the 7Zip package in Linux is named p7zip, starting with the letter ‘p’ instead of the expected number ‘7’.
    • Run the following command from the terminal
      apt-get install p7zip-full
  • Folders extracted from 7-zip (7z) archives in File Manager are 700
  • Dashboard Web Terminal does not work and comes up with the following error
    Failed loading terminal : WebSocket connection error

  • Show password button is missing
  • Dashboard is showing the wrong IP address for the 'System hostname'
    • The IP address being shown is an old DHCP IP address that this server used a long time ago while being setup.
    • Virtualmin --> Re-Check Configuration
    • Webmin --> Networking --> Network Configuration --> Network Interfaces
      • Check the Static IP is correct.
      • Check you are not using DHCP instead of a static IP
    • Webmin --> Networking --> Network Configuration --> Host Addresses
      • If you see the IP address listed here, edit it and change it to the correct IP address.
      • Restart the server or you might be able just to flush/refresh DNS.
  • Right clicking on the Virtualmin tab no longer opens the dashboard
    • This is not a feature of Virtualmin.
    • Theme Configuration --> Default page for Virtualmin
      • This is only when you open Virtualmin for the first time (i.e. login.)
    • Right clicking on the Virtualmin tab opens the same page in another tab only, so if you are on the dashboard it will open a new tab on the dashboard.
    • If you are on the Webmin tab, when you click on the Virtualmin tab then the first virtual server will be opened on the 'Virtualmin Virtual Servers' page.
    • Workaround
      • Right click on the Virtualmin tab to open a new tab
      • Left click on the Virtualmin tab to take you to the dashboard, or just click on the dashboard link or icon in the menu.
    • On Webmin tab, Virtualmin tab right click does not respect `Default page for Virtualmin` · Issue #796 · virtualmin/virtualmin-gpl · GitHub
      • This fixes the issue on newer versions of Virtualmin.
  • Dashboard - Display Corruption
    • Webmin/virtualmin display corruption (term, server graphs) - General Discussion - Virtualmin Community
      • The server usage graphs, terminal module and favicon are corrupted - they are filled with vertical colored lines
      • I managed to get the terminal module fixed by disabling the webgl extension
      • This is nothing to do with the server or Virtualmin but is caused by your browser. I had this issue and discovered it happens when the canvas is blocked. If you are using an extension like Canvas Blocker or LibreWolf browser you can whitelist the domain. Or you can disable the “Enable ResistFingerprinting” setting in LibreWolf. It also seems to work fine in other browsers.
      • For Firefox one can add/edit the additional permission for a given domain and allow the site to “Extract canvas data”
  • Webmin GUI not working as expected after an update.
    • Theme Configuration --> Clear Cache

Developers Only

  • Code
  • WebHooks
  • Reporting and Supporting
    • Adding a Tooltip to Virtualmin - Virtualmin Community
      • There are tooltips where help files exist. There was a time when it covered pretty much every Virtualmin option, but it’s been a few years since anyone was able to spend the time needed to keep it up to date.
      • Volunteers are always welcome. The tooltips are in a simplified HTML-based template language (covered here: Module Development - Webmin Documentation). You can find the existing tooltips and other online help here: virtualmin-gpl/help at master · virtualmin/virtualmin-gpl · GitHub
      • Adding a tooltip is super easy. You just have to create a file with the same name as the item label (or input id or name for the field in Authentic Theme). You don’t need to look at the source, you can just use a browser developer tools selector thingy to find out the ID for a field. Once you have the ID you just create a file named $ID.html (obviously replacing $ID with the ID you found in the form).
      • That said, I’m poking around right now, and it seems like we’ve still got pretty good help coverage. All of the core Virtualmin pages have tooltips for nearly all items. If you’re finding a specifically confusing item that doesn’t have a tooltip, feel free to make a PR to add it, or create an issue at github to request somebody else add it. (And, if it’s confusing, it might be that we need to improve the UI rather than add more docs, or maybe a little of both.)
      • Webmin is a much larger project and doesn’t have as much hand-holding, but you’ll still find some of the better loved modules have either pretty good online help (top left corner ? question mark) or tooltips or both. Postfix is a good example with excellent help and tooltip coverage (mail is so confusing for so many people we put a ton of work into making sure people could find help if they were looking).
  • Remote API

Installation Instructions

Follow the instructions below in order, and do not create any accounts until you are told to.

Not every setting is mentioned, but I have outlined the main ones to get you going with a good setup to work with.

Preparation

  • Install your chosen Linux server / Base OS
  • Choose a hostname for your server (eg: server.example.com)
    • This is the name that you will call your Virtualmin server and it needs to be a Fully Qualified Domain Name (FQDN)
    • You can't use this hostname (eg: server.example.com) for a virtual server, as it will break things, in particular the routing/mapping of the email service.
      • Best practices for choosing the system hostname during setup - #4 by hennie.dv - Webmin - Virtualmin Community
        • “If your system does not have a fully qualified hostname, the script will ask you to provide one. The name of the system can be anything you want, but it must be fully qualified and should not match a name you’ll be hosting mail for. For example, if you have domain virtualmin.com you might name the server srv1.virtualmin.com or ns1.virtualmin.com. What name you choose is unimportant, but it must be fully qualified, it must not match a domain you’ll be managing in Virtualmin, and it must resolve, for several mail operations to work correctly.”
        • You should not name your server the same name as something you’ll be hosting in Virtualmin. It can be literally any other fully qualified domain name.
      • Primary SSL cert for main domain - #31 by MantasU - Virtualmin - Virtualmin Community
        • It would never affect Virtualmin. Virtualmin isn’t the thing that has a problem with having multiple things with the same name. The biggest issue would be Postfix, so if you try to virtual host mail on the same name as the hostname of the system, that’s a problem (because then postfix tries to map user@domain.tld to user@domain.tld which is nonsensical). There are other implications for other services. Virtualmin is not among the services that will be confused, though.
        • But, I recommend you don’t name your server something you want a website for. Just name it anything else. You never have to think about the name again or use it for anything.
        • You never have to use it for anything. You never have to worry about getting a certificate for it. You never have to worry about whether someone gets a cert warning for it, because you never have to give out the system hostname as an address that people can connect to. It’s not the main domain.
        • Just don’t name your system some name you want to use for something in Virtualmin. It’s super simple. Don’t make your system hostname important.
        • Isn’t the hostname used for email delivery? It is used when sending mail (though it doesn’t necessarily have to be, Virtualmin supports sender-dependent maps), and you don’t need a server certificate to operate as a client, which is what happens when sending mail.
        • For receiving mail, you can use any name you want. It is never the hostname of the system (it can’t be, because all mail in Virtualmin is virtually hosted…again, if you try to virtual host a domain that is the same as the hostname of the system postfix is trying to map user@domain.tld to user@domain.tld which is nonsense).
      • DKIM - Should there be 2 domains in this box - #6 by shoulders - Virtualmin - Virtualmin Community
        • You should not name your server the same as a domain name you will be hosting mail for in Virtualmin (or otherwise virtually hosting mail for). It has some of the same words, but it’s roughly the opposite direction (receive vs. send) of what you’re saying.
        • Your server hostname probably will be somewhere in the mails you send, and it’s supposed to be. It’s how the server identifies itself to other servers.
        • Edit: The key word here is virtually or virtual. Anything in the virtual map (which is what Virtualmin is managing when you create email domains) should not be the same as the name of the server.
        • Edit2: I feel like I should explain why this is, so maybe it makes more sense. The virtual map tells Postfix, “Mail for this domain can be relayed to this server”…basically mapping mail @domain.tld to a user @ the hostname of the server. But, if the name of the server is domain.tld and you have @domain.tld in virtual, you are saying, “accept mail for @domain.tld and forward it to @domain.tld”. Now, does that make sense?
      • Postfix sender_dependent_default_transport_maps per domain outgoing IP – The System Admin’s Blog
      • Use Postfix Transport Map & Relayhost Map For Flexible Email Delivery - We can configure Postfix transport_maps and sender_dependent_relayhost_maps so that some emails are delivered relay host, other emails are sent directly to recipients.
      • sender-dependent maps = can set which IP and/or route to use for a particular domain to send email.
      • There are exceptions if you are an advanced user:
        • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Create host default domain with Let's Encrypt certificate
        • Manually create a virtual server but disable the mail service.
        • In a future version of Virtualmin the mail service will be disabled on a virtual server using the server's hostname.
      • Catch-all email address fails when hostname - Virtualmin - Virtualmin Community
        • You should not use a bare domain (e.g. example.tld) as the hostname of your Virtualmin server, especially if you will be hosting that same domain name within Virtualmin.
      • Does virtualmin prevent you from creating a Virtual server using the hostname - Virtualmin - Virtualmin Community
        • No, but in a future version of Virtualmin the mail service will be disabled permanently.
        • Sure, that’s fine. I just mean “you do not need to use it for anything in Virtualmin”. Not that you can’t have a sensible hostname that makes monitoring and alerting comprehensible. My point is that people keep wanting to use it for the same things that are virtually hosted in Virtualmin, which means there are two things with that name, which is a nonsensical thing to do. I think it’s just a conceptual leap that folks aren’t making; what you do in Virtualmin is virtual, it is not the physical host. Mail in Virtualmin is configured in the virtual map in Postfix. Websites configured in VirtualHost sections in Apache configuration. The system hostname is the system itself, and not anything virtually hosted on it.
  • Choose your Primary Domain Name (eg: example.com)
    • This is the domain name of the virtual server that you will set up with your hosting website, WHMCS, CRM, Client Portal, Centralised Apps or anything else related to your hosting business.
    • You can use example.com, www.example.com, anynamehere.example.com
      • These will not interfere with server.example.com as they are different domains.
      • The domain you use must be a FQDN.
    • As mentioned above, do not use your server's hostname for a virtual server as it will break the mail server.
  • Nameserver / DNS
    • Make sure your hostname and primary domain nameservers are pointing to the IP where your Virtualmin server will be.
    • You can just point A records to Virtualmin but for this tutorial it is assumed you are pointing your nameservers.
    • Don't forget that DNS changes can take up to 48 hours.
  • rDNS (reverse DNS / PTR)
    • Configure your rDNS to match what you will use for your Virtualmin's hostname eg: server.example.com
    • Not having this set correctly nowadays can lead to your email not getting delivered or at the very least sent to the SPAM folder.
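
The checks described above (fully qualified hostname, hostname not virtually hosted for mail, PTR matching the hostname) can be run before creating any virtual servers. This is an added example, not Virtualmin code: the function names and the sample virtual map are constructed, and `/etc/postfix/virtual` as the map location is an assumption.

```python
import re
import socket

# Constructed sample of a Postfix virtual map (the map Virtualmin manages for
# hosted mail domains). Reading it from /etc/postfix/virtual is an assumption.
SAMPLE_VIRTUAL_MAP = """\
# constructed sample
example.com             example.com
info@example.com        info-example.com
@shop.example.net       catchall-shop
postmaster              root
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def virtual_domains(map_text):
    """Collect every domain that appears as a lookup key in a virtual map."""
    domains = set()
    for raw in map_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():
            continue                      # continuation of the previous value
        key = raw.split()[0]
        domain = normalise(key.rsplit("@", 1)[-1])   # user@dom, @dom or dom
        if "." in domain:                 # skips bare local names
            domains.add(domain)
    return domains


def is_fqdn(name):
    """True when the name has at least two labels and every label is valid."""
    labels = normalise(name).split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_hostname(hostname, hosted_domains, ptr_name=None):
    """Return a list of problems with the chosen system hostname."""
    host = normalise(hostname)
    problems = []
    if not is_fqdn(host):
        problems.append("not-fqdn")
    if host in hosted_domains:
        # Postfix would be told to map user@host to user@host.
        problems.append("hostname-is-hosted-mail-domain")
    if ptr_name is not None and normalise(ptr_name) != host:
        problems.append("ptr-mismatch")
    return problems


def lookup_ptr(ip_address):
    """Live reverse lookup for the server IP; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip_address)[0]
    except OSError:
        return None


if __name__ == "__main__":
    hosted = virtual_domains(SAMPLE_VIRTUAL_MAP)
    for candidate in ("server.example.com", "example.com", "server"):
        print(candidate, check_hostname(candidate, hosted, "server.example.com."))
```

On a live server, pass the result of `lookup_ptr()` for the public IP as `ptr_name` instead of the literal used here.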

Installing

  • Downloading and Installing Virtualmin – Virtualmin - Usually, getting started with Virtualmin can be done with a few simple steps, using our automated install script. The install script will setup your package manager, usually apt-get or yum, and then download our packages as well as all of the necessary dependencies for running Virtualmin.

Post-Installation Wizard

I will give you the options I used for the wizard

  • Memory use
    • Preload Virtualmin libraries?: No
    • Run email domain lookup server?: No
  • Spam filtering
    • Run SpamAssassin server filter?: No
      • This alters: Virtualmin --> Email Settings --> Spam and Virus Scanning --> SpamAssassin client program
  • Database servers
    • Run MariaDB database server?: Yes
    • Run PostgreSQL database server?: No
  • MariaDB password
    • as set
  • DNS configuration
    • Primary nameserver: ns1.example.com
    • Secondary nameservers (optional): ns2.example.com
    • NB: make sure "Skip check for resolvability" is ticked
  • Now configure the optional features
  • Password storage
    • Password storage mode: Only store hashed password
  • MariaDB database size
    • MariaDB configuration size: use the suggested option
  • SSL key directory
    • Location for SSL certificates: Per-domain directory under /etc/ssl/virtualmin
      • Using letsencrypt by default - Webmin - Virtualmin Community
        • Q: Is it the classic way to do?
        • A: Indeed, Virtualmin defaults to storing virtual server SSL certificates in the /etc/ssl/virtualmin directory. This setup safeguards against accidental deletion of SSL certificates by users from their home directories, which could otherwise cause the webserver to fail to start.

Housekeeping

  • Delete ./root/install.sh
  • Make your root and primary user have very strong passwords.
  • Disable Webmin root user

Server Templates

These are used for the initial build of a Virtual Server and various POST processes such as creating a database and resetting DNS Zones. Changes are not actively reflected to accounts using the template.

Templates can be found here: Virtualmin --> System Settings --> Server Templates

This is how I have setup my templates. I will have internal websites and client websites so will need to be setup appropriately as shown below:

  • Default Settings = The default template for top-level virtual servers.
  • Settings For Sub-Servers = This is a pre-configured template for Sub-Servers which cannot be deleted.
  • Internal = This top-level template will be used for my internal websites where I want all the modern technologies running.
  • Clients = This top-level template will be used for my clients who just want their websites to work and are not bothered about advanced things such as DNSSEC and DMARC.

Configure 'Default Settings' template

Virtualmin --> System Settings --> Server Templates --> 'Default Settings' --> Edit template section:

  • Basic settings and usage
  • Administration user
    • Chroot jail new domain Unix users: No --> Yes
  • Home directory
    • Substitute variables in contents: No --> Yes
  • DNS domain
    • Master DNS server hostname: ns1.example.com --> ns1.${DOM}
    • Additional manually configured nameservers: .... --> ns2.${DOM}
    • Add system and virtual server's IP addresses? Ticked --> Unticked
      • This stops your internal IP getting added to your SPF records.
    • Action for other senders: Discourage (~all) --> Disallow (-all)
    • Virtualmin --> System Settings --> Server Templates --> Default Settings --> Edit template section: DNS domain --> Add sub-domain DNS records to parent domain: yes
    • TLSA: enabled when it is added
  • Mail for domain
    • Mail aliases for new domains: Listed below --> None
      • These are the original aliases below:
      • You can keep them if you want or move them to another email account or even just set them up as forwarders later rather than sitting on your system accounts mailbox which you will never check.
    • Default quota for mail users: 50MiB --> 250MiB
  • Website for domain
    • Directives and settings for new websites: Removed index.php4 and index.php5 if present from the DirectoryIndex statement. (This has been removed from the default template in new versions of Virtualmin)
      DirectoryIndex index.php index.php4 index.php5 index.htm index.html
      
      -->
      
      DirectoryIndex index.php index.htm index.html
      • If your virtual server is already created you need to edit these 2 locations
        Virtualmin --> Web configuration --> Configure SSL Website --> Edit Directives
        Virtualmin --> Web configuration --> Configure Website --> Edit Directives
    • CGI script execution mode: CGI scripts disabled
      • Only enable this if you know what it is and why you want it.
      • Default is suEXEC wrapper.
      • CGI/FastCGI scripts are now a legacy technology.
    • Port number for virtual hosts: 80
    • Port number for SSL virtual hosts: 443
    • Enable HTTP2 protocol for new websites: still on default = on
    • Redirect all HTTP requests to HTTPS: Unticked --> Ticked
      • Let your CMS or user via the htaccess handle this.
  • SSL website for domain
  • Log file rotation
  • MariaDB database
    • Prefix for additional databases: None --> ${PREFIX}_
    • Create database as well as login: Yes --> No
      • This stops a database getting created which is made from your username.
    • Default database character set: <MariaDB default> --> utf8mb4 (UTF-8 Unicode (utf8mb4))
    • Default database collation order: <MariaDB default> --> utf8mb4_unicode_ci
  • PostgreSQL (this section might not be present)
  • ProFTPD virtual FTP
  • Spam filtering
  • Webmin login
  • Virtual IP address
  • Virtual server creation
  • Plugin options
  • Default script installers
  • Mail client auto-configuration
  • PHP options
    • Default PHP version: Highest available
    • PHP configuration variables for scripts: memory_limit/At least/32M --> none
      • For default, there was only 1 configure option as shown below:
        • PHP variable name: memory_limit
        • Comparison: At least
        • Value for variable: 32M
      • Tooltip: This table can be used to enter PHP configuration settings that will be added to the web virtual host of any server that has a third-party script installed. It can be useful for increasing memory limits or making other site-specify PHP config changes to satisfy script requirements.
      • This section is broken and I am not 100% sure what it does; it has been reported and will be looked at: Server Template - Remove `PHP configuration variables for scripts` · Issue #714 · virtualmin/virtualmin-gpl · GitHub
      • If your global php.ini files are set correctly, then this should not be needed for most people.
  • Administrator's Webmin modules
    • PostgreSQL Database Server (for database): Yes --> No
    • Change Password: User password --> User and mailbox passwords
    • AWStats Reporting (for viewing reports): No --> Yes
  • New mailbox email
    • Send email to: User's mailbox --> User's mailbox + Virtual server owner
  • Updated mailbox email
    • Send email to: User's mailbox --> User's mailbox + Virtual server owner

Setup your Custom Server Templates

Virtualmin --> System Settings --> Server Templates --> Create an empty template

  • I have only included sections where you need to make changes, leave the rest on default or 'as is'.
  • E.g. Internal, Clients
  • When making your new template, select 'Default for everything' except for what you want to change. If you choose 'Create an empty template', you get a blank template, exactly as the name says.

Internal

  • Basic settings and usage
    • Template name: Internal
  • DNS domain
    • Add system and virtual server's IP addresses?: ticked --> unticked
    • Add DMARC DNS record: Yes, with policy below
    • DMARC policy for emails that fail SPF or DKIM: Reject Email
    • Create DNSSEC key and sign new domains: Yes
    • DNSSEC cryptographic algorithm: ECDSAP256SHA256
  • PHP options
    • Default PHP execution mode: FPM
      • it is set to mod_php because of a bug.

Clients

  • Basic settings and usage
    • Template name: Clients
  • PHP options
    • Default PHP execution mode: FPM
      • it is set to mod_php because of a bug.

Setup your Sub-Server Templates

These are used for setting up sub-servers and their options are inherited from 'Default Settings' template, not the parent's template.

This system is not ideal and might get some improvement; however, the 'Settings For Sub-Servers' template does not need much altering for most people at this time. If you do need to make any changes, I would recommend copying this template and naming the copy to match the top-level server template it will be used in conjunction with (i.e. Internal, Client).

These Sub-Server templates only really work if they do not have mail and the DNS is managed by the parent, so that the inheritance from 'Default Settings' rather than the parent's template does not become an issue. When it does, you must make copies of the 'Settings For Sub-Servers' template and work on them instead of a single template for Sub-Servers.

Settings For Sub-Servers

  • DNS domain
    • Add system and virtual server's IP addresses?: ticked --> unticked
    • Add DMARC DNS record: Yes, with policy below
    • DMARC policy for emails that fail SPF or DKIM: Reject Email
    • Create DNSSEC key and sign new domains: Yes
    • DNSSEC cryptographic algorithm: ECDSAP256SHA256
  • PHP options
    • Default PHP execution mode: FPM
      • it is set to mod_php because of a bug.
  • MariaDB database
    • Prefix for additional databases: From default settings --> Template: ${PARENT}_
      • This will use the parent's username as the prefix, which keeps the database names all consistent.

Server Template House Keeping

These options now need to be set and are common to all templates.

  • Set your default Server and Sub-Server templates

Account Plans

These control things like: Permissions, Features, Bandwidth and Disk Quotas.

  • Setup your Account Plans
    • Virtualmin --> System Settings --> Account Plans --> Add a new account plan
      • Examples
        • Primary (5000MiB)
        • Internal (Unlimited)
        • Bronze (1000MiB)
        • Silver (1500MiB)
        • Gold (2000MiB)
      • Allowed virtual server features
        • Automatic, based on initial features
          • Do not change the services that were created at setup (enabled/disabled status), leave them as they are.
          • Not really automatic.
      • Allowed capabilities
        • Automatic, based on other limits
          • This is ok for your clients but can be restrictive. Always check with a dummy account that the options are suitable.
        • Selected below
          • Internal Account Plan manual settings - These might be alright for your clients if they have some IT experience.
  • Set Default Account Plan
    • Virtualmin --> System Settings --> Account Plans --> Set default plan to: Bronze

Usermin (optional)

This needs to be done if you are going to allow clients to login.

  • Configure available modules for Usermin
    • Webmin --> Usermin Configuration --> Available Modules

Servers / Services

Apache

  • Enable the following Apache modules
    • Webmin --> Servers --> Apache Webserver --> Global configuration --> Configure Apache Modules
    • brotli
      • This requires more than enabling the apache module.
      • Gains over gzip/deflate are not massive.
    • expires
    • headers
    • You must restart the Apache server for the changes to be reflected.
      • Webmin --> System --> Bootup and Shutdown --> apache2.service
  • Add the following recommended security headers (from wordpress, you do these from the CMS not Apache)

PHP

  • Install additional PHP versions as required
  • Configure the values in the global php.ini files for each version of PHP as required
    • Webmin --> Tools --> PHP Configuration
    • disable_functions:
      # Short Version
      disable_functions = system,passthru,popen,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDecode,xmlrpc_entity_decode,fp,fput,shell_exec,apache_get_modulesi,
      
      # Default Virtualmin 7.4 FPM
      disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
      
      # Combined Version
      disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,system,passthru,popen,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDecode,xmlrpc_entity_decode,fp,fput,shell_exec,apache_get_modulesi,
      
      NB: mail can be added to prevent the use of mail()
    • You must restart the PHP services for the changes to be reflected.
      • Webmin --> System --> Bootup and Shutdown --> php*
  • Install missing PHP modules
    • Via either of these methods
      1. Command Line
        apt-get install php-{curl,gd,imagick,intl,zip}
        • Notice the php version number has been removed
      2. Webmin --> System --> Software Package Update --> Only new
        • php-curl
        • php-gd
        • php-imagick (this might need ImageMagick installing)
        • php-intl
        • php-zip
    • NB: The MultiPHP install commandline will have a more complete list of extensions to install.
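
The "Combined Version" above is the two lists concatenated, so it carries over repeated names, a trailing comma and entries PHP cannot act on. This added example (not Virtualmin or PHP project code) merges such lists and reports entries that have no effect; the input lines are shortened excerpts of the lists on this page, and `SAMPLE_DEFINED` is a constructed stand-in for the function list of a real PHP build.

```python
# Language constructs are part of the PHP engine, not registered functions,
# so listing them in disable_functions has no effect.
LANGUAGE_CONSTRUCTS = {"eval", "echo", "print", "include", "include_once",
                       "require", "require_once", "isset", "unset", "empty"}

# Shortened excerpts of the "Short Version" and "Default Virtualmin 7.4 FPM"
# lines on this page.
SHORT = ("disable_functions = system,passthru,popen,exec,posix_uname,"
         "posix_getpwuid,posix_uname,eval,shell_exec,apache_get_modulesi,")
FPM_DEFAULT = "disable_functions = pcntl_alarm,pcntl_fork,pcntl_exec,"

# Constructed stand-in for the internal functions one PHP build defines.
# On a server, generate the real list (one name per line) with:
#   php -d disable_functions= -r 'echo implode("\n", get_defined_functions()["internal"]);'
SAMPLE_DEFINED = {"system", "passthru", "popen", "exec", "posix_uname",
                  "posix_getpwuid", "shell_exec", "apache_get_modules",
                  "pcntl_alarm", "pcntl_fork", "pcntl_exec"}


def parse_directive(line):
    """Return the function names from one 'disable_functions = ...' line."""
    value = line.partition("=")[2] if "=" in line else line
    # PHP function names are case-insensitive; empty items come from stray commas.
    return [name.strip().lower() for name in value.split(",") if name.strip()]


def merge(*name_lists):
    """Concatenate lists keeping first occurrences in order; also return repeats."""
    merged, repeats, seen = [], [], set()
    for names in name_lists:
        for name in names:
            if name in seen:
                if name not in repeats:
                    repeats.append(name)
            else:
                seen.add(name)
                merged.append(name)
    return merged, repeats


def audit(names, defined=None):
    """Separate effective entries from entries PHP silently ignores."""
    report = {"effective": [], "constructs": [], "unknown": []}
    for name in names:
        if name in LANGUAGE_CONSTRUCTS:
            report["constructs"].append(name)
        elif defined is not None and name not in defined:
            # Typo, userland function, or an extension this build does not load.
            report["unknown"].append(name)
        else:
            report["effective"].append(name)
    return report


def render(names):
    """Format a cleaned list as a php.ini line without a trailing comma."""
    return "disable_functions = " + ",".join(names)


if __name__ == "__main__":
    merged, repeats = merge(parse_directive(FPM_DEFAULT), parse_directive(SHORT))
    report = audit(merged, SAMPLE_DEFINED)
    print("repeated:", repeats)
    print("no effect (language construct):", report["constructs"])
    print("not defined in this build:", report["unknown"])
    print(render(report["effective"]))
```

Run the comparison once per installed PHP version, since each version has its own php.ini and its own set of loaded extensions.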

MariaDB (Database)

nothing to change

PostFix (Email)

  • Let SpamAssassin check blocklists, not Postfix, leave this to be an MTA only.
  • All information for the commands below can be accessed by using https://www.postfix.org/postconf.5.html#YourCommandHere
  • Restrictions (values) are separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.
    • Separating restrictions by using a comma and space ", " is preferred as shown if you look at the live configuration using postconf -d
  • In addition, you can use any of the following generic restrictions. These restrictions are applicable in any SMTP command context.
General Resource Control
SMTP Server Options
  • smtpd_recipient_limit
    • Webmin --> Postfix Mail Server --> SMTP Server Options --> Max number of recipients accepted for delivery: 50
    • Default: 1000
    • This parameter restricts the number of recipients that the SMTP server accepts per message delivery.
  • disable_vrfy_command
    • Webmin --> Postfix Mail Server --> SMTP Server Options --> Disable SMTP VRFY command: Yes
    • Default: No
    • This parameter allows you to disable the SMTP VRFY command. This stops some techniques used by spammers to harvest email addresses.
    • SMTP problems : Check if Mailserver answer to VRFY and EXPN requests
      • VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc.
      • Solution: Disable VRFY and/or EXPN on your Mailserver.
    • Disabling VRFY on InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 | TREND
      • The VRFY clause is a method of verifying the existence of a user on a mail server.
      • You can either verify the existence of particular user or use a wildcard verify (VRFY *) to ask the server to return the complete list of users.
      • On IMSVA version 8.2, VRFY is disabled by default but not on lower versions. The wildcard option (VRFY *) can be exploited by spammers to bulk harvest email addresses so it is necessary that you disable this clause.
    • mail server - Exim - Disable VRFY and EXPN? - Stack Overflow
      • A penetration test has been run on one of my servers that runs Exim for mail and they have this complaint
        • Description: The Mailserver on this host answers to VRFY and/or EXPN requests. VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc. OpenVAS suggests that, if you really want to publish this type of information, you use a mechanism that legitimate users actually know about, such as Finger or HTTP.
        • Solution: Disable VRFY and/or EXPN on your Mailserver. For postfix add 'disable_vrfy_command=yes' in 'main.cf'. For Sendmail add the option 'O PrivacyOptions=goaway'.
      • RFC 2505 states:
        • Both SMTP VRFY and EXPN provide means for a potential spammer to test whether the addresses on his list are valid (VRFY) and even get more addresses (EXPN). Therefore, the MTA SHOULD control who is is allowed to issue these commands. This may be "on/off" or it may use access lists similar to those mentioned previously.
        • Note that the "VRFY" command is required according to RFC821
        • To me, this suggests always return a 252, rather than turning it off completely.
      • 2.4. The VRFY and EXPN commands - 49. SMTP processing | exim.org
    • [SOLVED] - postfix: disable answers to VRFY and EXPN requests? | Proxmox Support Forum
      • Hi there, our vulnerability scanner recommends us disabling answering VRFY and EXPN requests by configuring disable_vrfy_command=yes. Is it safe to do this in a PMG installation?
      • I just did the change, everything looks good so far. I will observe this the next few days and report back.
    • How to disabale VRFY and/or EXPN requests - Support - NethServer Community - Hello, Today, I was doing some security checks on Nethserver using OpenVAS via Ubuntu 18.04. OpenVas find the following vulnerability and suggest me a solution to disable the VRFY and EXPN request on Mailserver. But I don’t know how I can disable these kinds of requests?
  • smtpd_helo_required
  • smtpd_helo_restrictions
    • Webmin --> Postfix Mail Server --> SMTP Server Options --> Restrictions on sends in HELO commands:
      reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
    • Default: Default
    • No tooltip
    • Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command.
    • The HELO handshake is handled by the server (hostname) and not the particular website or domain.
  • smtpd_sender_restrictions
    • Webmin --> Postfix Mail Server --> SMTP Server Options --> Restrictions on sender addresses:
      reject_unknown_sender_domain, reject_non_fqdn_sender
    • Default: Default/Empty
    • These restrictions are specific to the sender address received with the MAIL FROM command.
    • It's generally polite to say who the mail is from. Again, very few real mails lack a return address; most that do are spam.
    • reject_non_fqdn_sender
      • Reject mail which doesn't have a valid to and from domain:
    • reject_unknown_sender_domain
      • Reject mail where there is no known sender domain:
  • smtpd_recipient_restrictions
    • Webmin --> Postfix Mail Server --> SMTP Server Options --> Restrictions on recipient addresses:
      reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination
    • Default: permit_mynetworks permit_sasl_authenticated reject_unauth_destination
    • These restrictions are specific to the recipient address that is received with the RCPT TO command.
    • reject_non_fqdn_recipient
      • Reject mail which doesn't have a valid to and from domain:
    • reject_unknown_recipient_domain
      • Reject mail where there is no known receiver domain:
    • Reject pipelining and other than local destinations by unauthorized users:
      • reject_unauth_pipelining
        • Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries.
        • With Postfix 2.6 and later, the SMTP server sets a per-session flag whenever it detects illegal pipelining, including pipelined HELO or EHLO commands. The reject_unauth_pipelining feature simply tests whether the flag was set at any point in time during the session.
        • Postfix supports a technique known as pipelining that speeds up bulk deliveries of email by sending multiple smtp commands at once. The protocol requires that clients first check that the server supports pipelining. Many spammers send a series of commands without waiting for authorization, in order to deliver their messages as quickly as possible. reject_unauth_pipelining stops mail from bulk mail software that improperly uses pipelining in order to speed up deliveries.
      • reject_unauth_destination
        • Checks the email destination resolves correctly with no unexpected routing.
        • It tells postfix not to accept messages with recipients at domains that are not hosted locally or that we serve as a backup server for. Without this line, our server would be an open relay.
SMTP Client Options
  • smtp_use_tls
    • Webmin --> Postfix Mail Server --> SMTP Client Options --> Use TLS for SMTP connections?: No
    • Default: No
    • No tooltip
    • Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if it is not configured. With Postfix < 2.3, if the TLS handshake fails, and no other server is available, delivery is deferred and mail stays in the queue. If this is a concern for you, use the smtp_tls_per_site feature instead.
    • This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead.
    • This option might be obsolete and should not be used. Leaving it on default removes it?
  • smtp_sasl_security_options
    • Webmin --> Postfix Mail Server --> SMTP Client Options --> SASL security options: noplaintext, noanonymous
    • Default: noplaintext, noanonymous
    • Postfix SMTP client SASL security options
    • There is a bug with the GUI input field
  • smtp_tls_security_level
    • Webmin --> Postfix Mail Server --> SMTP Client Options --> SMTP TLS client security level: DANE TLS
    • Default: Opportunistic DANE TLS
    • No tooltip
    • The default SMTP TLS security level for the Postfix SMTP client.
    • The value presented to Postfix is "dane"
SMTP Authentication And Encryption
  • smtpd_sasl_auth_enable
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Require SASL SMTP authentication? Yes
    • Default: Yes
    • Enable SASL authentication in the Postfix SMTP server. By default, the Postfix SMTP server does not use authentication.
  • smtpd_tls_auth_only
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Disallow SASL authentication over insecure connections?: Yes
    • Default: No
    • When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.
  • broken_sasl_auth_clients
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Handle non-compliant SMTP clients?: No
    • Default: Yes
    • No Tooltip
    • Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange version 5.0.
  • smtpd_sasl_security_options
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> SMTP security options --> Reject anonymous logins: ticked
      • Default: ticked
      • This adds the value: noanonymous
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> SMTP security options --> Reject plain-text logins: ticked
      • Default: unticked
      • This adds the value: noplaintext
    • No tooltip
    • Restrict what authentication mechanisms the Postfix SMTP server will offer to the client. The list of available authentication mechanisms is system dependent.
    • Warning: it appears that clients try authentication methods in the order as advertised by the server (e.g. PLAIN ANONYMOUS CRAM-MD5) which means that if you disable plaintext passwords, clients will log in anonymously, even when they should be able to use CRAM-MD5. So, if you disable plaintext logins, disable anonymous logins too. Postfix treats anonymous login as no authentication
  • smtpd_recipient_restrictions
    • Don't use or change values here
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> SMTP recipient restrictions
    • Default ticked:
      • Allow connections from same network
      • Allow authenticated clients
      • Reject email to other domains
    • No tooltip
    • Alters same config as: Webmin --> Postfix Mail Server --> SMTP Server Options --> Restrictions on recipient addresses:
    • These are the option mappings from the GUI
      • Allow connections from same network = permit_mynetworks (smtpd_client_restrictions)
      • Allow connections from this system = permit_inet_interfaces (smtpd_client_restrictions)
      • Reject clients with no reverse hostname = reject_unknown_reverse_client_hostname (smtpd_client_restrictions)
      • Allow authenticated clients = permit_sasl_authenticated (smtpd_client_restrictions)
      • Reject email to other domains = reject_unauth_destination (smtpd_recipient_restrictions)
      • Allow only relay domains = check_relay_domains = removed (remove)
      • Allow domains this system is a backup MX for = permit_mx_backup = is going to be removed (remove)
        • not for single server setup
      • reported here Postfix - `permit_mx_backup ` and `check_relay_domains` should be removed · Issue #2150 · webmin/webmin · GitHub
  • smtpd_tls_security_level
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Enable TLS encryption?: If requested by client
    • Default: If requested by client
    • No tooltip
    • The SMTP TLS security level for the Postfix SMTP server.
      • none - TLS will not be used.
      • may (if requested by client) - Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. 
      • encrypt - Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers. 
  • smtp_sasl_auth_enable
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Use SASL SMTP authentication?: Yes
    • Default: No
    • No tooltip
    • Enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP client uses no authentication.
  • smtpd_relay_restrictions
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> SMTP relay restrictions:
      # Same as: Webmin --> Postfix Mail Server --> SMTP Server Options --> Restrictions on recipient addresses (smtpd_recipient_restrictions)
      # These are not the same options as below because some options are not currently available in the GUI and need to be added directly into the config file
      
      reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination
    • Via the GUI, select as follows (read above first):
      • Allow connections from same network: ticked
        • (permit_mynetworks)
        • wrong context - should be in sm
      • Allow connections from this system: unticked
        • (permit_inet_interfaces)
      • Reject clients with no reverse hostname: ticked
        • (reject_unknown_reverse_client_hostname)
      • Allow authenticated clients: ticked
        • (permit_sasl_authenticated)
      • Reject email to other domains: ticked
        • (reject_unauth_destination)
      • Allow only relay domains: unticked
        • (check_relay_domains)
      • Allow domains this system is a backup MX for: unticked
        • (permit_mx_backup)
    • Default ticked:
      • Allow connections from same network
      • Allow authenticated clients
    • No tooltip
    • This has the same options as `smtpd_recipient_restrictions`.
    • Because of the rigid text boxes not all options can be configured through the GUI.
    • The same restrictions are available as documented under smtpd_recipient_restrictions.
  • smtpd_delay_reject
    • Webmin --> Postfix Mail Server --> SMTP Authentication And Encryption --> Delay clients with failed logins?: Yes
    • Default: Yes
    • No tooltip
    • Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
    • This feature is turned on by default because some clients apparently mis-behave when the Postfix SMTP server rejects commands before RCPT TO.
    • The default setting has one major benefit: it allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
    • This allows the smtp conversation to continue until the point of actually receiving the message before it is rejected, and is useful because it allows full sender and recipient information to be logged. It is also a requirement for helo_restrictions.
SMTP Client Restrictions
  • smtpd_client_restrictions
    • Webmin --> Postfix Mail Server --> SMTP Client Restrictions --> Client restrictions:
      • Via Config:
        # These are not the same options as below because some options are not currently available in the GUI and need to be added directly into the config file
        
        permit_mynetworks, reject_unknown_client_hostname, permit_sasl_authenticated
      • Via GUI:
        • Allow connections from same network: ticked
          • (permit_mynetworks)
          • Permit the request when the client IP address matches any network or network address listed in $mynetworks.
          • You can specify the list of "trusted" network addresses by hand or you can let Postfix do it for you (which is the default). See the description of the mynetworks_style parameter for more information.
        • Allow connections from this system: unticked
          • (permit_inet_interfaces)
          • Allow connections from this system
          • Always allow email from the server to the server.
          • Permit the request when the client IP address matches $inet_interfaces.
          • I think this is useful if your server is connected to more than one network, i.e. multiple NICs.
        • Reject clients with no reverse hostname: ticked
          • (reject_unknown_reverse_client_hostname)
          • Reject clients with no reverse hostname
          • Reject the request when the client IP address has no address->name mapping.
          • This is weaker than reject_unknown_client_hostname 
        • Allow TLS clients with any certificate: unticked
          • (permit_tls_all_clientcerts)
        • Allow authenticated clients: ticked
          • (permit_sasl_authenticated)
          • Allow authenticated clients
        • Check client access map: empty
          • (check_client_access example.txt)
        • Reject if client IP address is in RBL: empty
          • (reject_rbl_client example-rbl.com)
        • Reject if client hostname is in RBL: empty
          • (reject_rhsbl_client example-rbl.com)
    • Default: empty
    • No tooltip
    • Optional restrictions that the Postfix SMTP server applies in the context of a client connection request
    • reject_unknown_client_hostname
      • You would replace reject_unknown_reverse_client_hostname with this for stronger protection.
      • Reject the request when
        • the client IP address->name mapping fails, or
        • the name->address mapping fails, or
        • the name->address mapping does not match the client IP address.
      • This is stronger than reject_unknown_reverse_client_hostname.
      • This can only be swapped by editing the config file because the GUI does not have the ability.
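A way to check a server against the Postfix choices above, as an added example that is not part of the original notes or of Webmin: it parses `postconf -n` style output and reports the settings these notes warn about. The two sample configurations and the finding names are constructed for illustration, and the fallback defaults assume Postfix 2.10 or later.

```python
"""Audit `postconf -n` style output against the Postfix choices in these notes."""
import re
import sys

# Constructed sample: a configuration with the problems these notes warn about.
WEAK = """\
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mx_backup
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
"""

# Constructed sample: the values chosen in these notes.
HARDENED = """\
smtp_tls_security_level = dane
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_auth_only = yes
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination
"""

# Values used when a parameter is not set explicitly (assumption: Postfix 2.10+).
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_auth_only": "no",
    "smtpd_recipient_restrictions": "",
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
REMOVED = {"check_relay_domains", "permit_mx_backup"}


def parse_postconf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def tokens(value):
    """Split a restriction or option list on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def audit(params):
    """Return a list of (finding, detail) tuples; an empty list means no findings."""
    def get(name):
        return params.get(name, DEFAULTS.get(name, ""))

    def enabled(name):
        return get(name).strip().lower() == "yes"

    findings = []
    relay_and_rcpt = (tokens(get("smtpd_relay_restrictions"))
                      + tokens(get("smtpd_recipient_restrictions")))
    if not RELAY_GUARDS & set(relay_and_rcpt):
        findings.append(("NO_RELAY_GUARD",
                         "reject_unauth_destination is in neither relay nor recipient restrictions"))
    in_use = {t for name, value in params.items()
              if name.endswith("_restrictions") for t in tokens(value)}
    for old in sorted(REMOVED & in_use):
        findings.append(("REMOVED_RESTRICTION", old + " should be removed"))
    if enabled("smtpd_sasl_auth_enable"):
        if not enabled("smtpd_tls_auth_only"):
            findings.append(("AUTH_WITHOUT_TLS",
                             "SASL is offered on unencrypted connections"))
        if "noanonymous" not in tokens(get("smtpd_sasl_security_options")):
            findings.append(("ANONYMOUS_AUTH",
                             "noanonymous is missing from smtpd_sasl_security_options"))
    if "smtp_use_tls" in params:
        findings.append(("OBSOLETE_SMTP_USE_TLS",
                         "use smtp_tls_security_level with Postfix 2.3 and later"))
    return findings


if __name__ == "__main__":
    # Pipe real output in (postconf -n | python3 this_file.py) or run on the weak sample.
    text = WEAK if sys.stdin.isatty() else sys.stdin.read()
    for finding, detail in audit(parse_postconf(text)):
        print(f"{finding}: {detail}")
```
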

DoveCot (Email)

  • Only allow encrypted connections
    • Webmin --> Servers --> Dovecot IMAP/POP3 Server --> Networking and Protocols --> Accept SSL connections?: Only accept SSL
      • Default: Yes
    • Webmin --> Servers --> Dovecot IMAP/POP3 Server --> SSL Configuration --> Disallow plaintext authentication in non-SSL mode?: Yes
      • Default: No
  • Strong Encryption
  • Save email with CRLF line endings?  / Windows new line support?
    • Webmin --> Servers --> Dovecot IMAP/POP3 Server --> Mail Files --> Save email with CRLF line endings? Yes
    • Default: Default (No)
    • I have not tried this to see what real difference it makes, or why Dovecot is making changes to the file.
    • mail_save_crlf - Dovecot Core Settings — Dovecot documentation
    • Enabling this makes saving messages less CPU-intensive, especially with the sendfile() system call used in Linux and FreeBSD. However, enabling comes at the cost of slightly increased disk I/O, which could decrease the speed in some deployments.

ClamAV (SPAM)

nothing to change

SpamAssassin (SPAM)

The options you choose here depend on how you want the SPAM to be controlled: by you or by the individual virtual server owners. I prefer to control the SPAM at the server level as people don't want SPAM and I would only need to control it in one place. I have highlighted my choices green.

  • Where do I set up RBLs etc. for SpamAssassin?
  • How do the different locations of SpamAssassin work? Hierarchical, override, combine point scores, etc. Run checks with EICAR to find out.
  • Double check these settings are to my liking
Basic Settings
  • Set maximum message size to process
    • Virtualmin Global: Virtualmin --> Email Settings --> Spam and Virus Scanning --> Maximum message size to process: unlimited
    • Antivirus configuration - #3 by ID10T - Virtualmin - Virtualmin Community
      • I had a problem with spam completely bypassing filtering. It turns out that 500KB size limit was coming into play. From looking at the configuration page it isn’t 100% clear to me if spam and virus filtering are both affected by the single setting.
    • You can check the config file /etc/spamassassin/local.cf and the following will be commented out for unlimited email size.
      • body_part_scan_size
      • rawbody_part_scan_size
  • Allow DNS lookups
Filters Configuration

This is where we will configure the rules that SpamAssassin works with. These can change from setup to setup, which is why they have their own section.

  • Class emails as SPAM if they fail SPF check
    • Webmin Global: Webmin --> SpamAssassin Mail Filter --> Header and Body Tests --> Switch to advanced mode --> SpamAssassin test scores: SPF_FAIL = 10.00
    • Virtual Server: Virtualmin --> Mail Options --> SpamAssassin Configuration --> Header and Body Tests --> Switch to advanced mode --> SpamAssassin test scores: SPF_FAIL = 10.00
      • This might not be available and depends on your Virtualmin configuration set during the POST-Installation wizard.
    • Virtualmin check SPF records? - Virtualmin - Virtualmin Community
      • the default scores are in /usr/share/spamassassin/50_scores.cf
      • Add these 'SpamAssassin test scores' or what you want to assign, maybe just SPF_FAIL = 10.00 (which works for me on cPanel)
        • SPF_FAIL = 10.00
        • SPF_SOFTFAIL = 5.00
        • SPF_HELO_FAIL = 5.00
  • Automatically delete SPAM
    • Webmin Global:
      • Webmin --> Servers --> SpamAssassin Mail Filter --> Procmail Spam Delivery --> Action for messages classified as spam: Throw away
    • Virtualmin Global:
      • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Spam filtering options --> Default delivery for spam: Delete
      • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Spam filtering options --> Default delivery for viruses: Delete
    • Virtual Server:
      • Virtualmin --> Mail Options --> Spam and Virus Delivery --> Destination for spam emails: Throw away
      • Virtualmin --> Mail Options --> Spam and Virus Delivery --> Destination for virus emails: Throw away
      • Virtualmin --> Mail Options --> SpamAssassin Configuration --> Procmail Spam Delivery --> Action for messages classified as spam: Throw away
    • Usermin
      • Usermin --> Mail --> SpamAssassin Mail Filter --> option not present, might be permissions

Razor Spam Detector (SPAM / SpamAssassin)

I need to install this and use it before adding settings here.

Pyzor Client (SPAM / SpamAssassin)

I need to install this and use it before adding settings here.

DCC Client (SPAM / SpamAssassin)

I need to install this and use it before adding settings here.

SPF (Email)

SPF: HELO does not publish an SPF Record (SPF_HELO_NONE)

This SPF failure does not add many points onto your SPAM score, but with it you will not get 100%. In the future this failure could have more of an impact, and because it is so easy to fix, you should fix it.

The Error

SPF_HELO_NONE        SPF: HELO does not publish an SPF Record

Testing

Cause

Your server does not have an SPF record in its DNS Zone. Your server's hostname is used in the sending and receiving of email, and this is a test that is done to check the server is valid.

Solutions

  • Via Virtualmin (preferred method)
    • This assumes you have your server's virtual server visible
      • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Create host default domain with Let's Encrypt certificate
    • Virtualmin --> DNS Settings --> DNS Options
      • SPF record enabled: Yes
      • Action for other senders: Disallow
      • Allowed sender hostnames: Remove the hostname/domain
      • Save
    • The record you have created will work, but currently the SPF builder is not very controllable. You should edit your record to make it look like the Standard SPF Record (Improved) shown below when Virtualmin improves this page, or you can use the Webmin option below. This is because the mx entry will cause an SPF failure: there should be no mail server on the server's hostname, and thus never an mx entry.
      • Virtualmin --> DNS Settings --> DNS Record --> Manually Edit Records
  • Via Webmin
    • Webmin --> Servers --> BIND DNS Server --> Existing DNS Zones --> your server hostname (eg server.example.com) --> Edit Zone Records File
    • Add a suitable SPF record, the IP and domain should be your server's IP and hostname. You can always copy a SPF record from one of your live domains.
      ; Standard SPF Record
      server.example.com.	IN	TXT	"v=spf1 a mx a:server.example.com ip4:31.31.31.31 -all"
      
      ; Standard SPF Record (Improved)
      server.example.com.	IN	TXT	"v=spf1 ip4:31.31.31.31 -all"
      
      
    • NB:
      • Ignore the warning about this being controlled by Virtualmin.
      • Be careful with what you alter here.
      • Make a backup up of the zone before you do anything.
      • This record potentially could get removed with updates in the future.
      • If your local IP is present in the SPF record you should delete this as it is not needed and can be a security risk.
        ip4:10.0.0.23
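The SPF points above (no mx entry on the server's hostname, no local IP in the record, and a Disallow action for other senders) can be checked before the record is saved. This is an added example, not part of the original notes; the finding names are constructed, and the records are the ones shown above plus one constructed record that contains the local IP.

```python
"""Check a HELO-hostname SPF record against the points made in these notes."""
import ipaddress

STANDARD = '"v=spf1 a mx a:server.example.com ip4:31.31.31.31 -all"'
IMPROVED = '"v=spf1 ip4:31.31.31.31 -all"'
# Constructed record: the improved one with a local IP left in and a soft fail.
WITH_LOCAL_IP = '"v=spf1 ip4:31.31.31.31 ip4:10.0.0.23 ~all"'


def parse_spf(txt):
    """Return (qualifier, mechanism, argument) for each term after v=spf1."""
    words = txt.strip().strip('"').split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + txt)
    terms = []
    for word in words[1:]:
        qualifier = "+"                      # "+" (pass) is the implied qualifier
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        name, _, arg = word.partition(":")   # first colon only, so ip6 stays intact
        name = name.split("/")[0].lower()    # "mx/24" is still the mx mechanism
        terms.append((qualifier, name, arg))
    return terms


def audit_helo_spf(txt):
    """Return a list of (finding, detail) tuples for one TXT record."""
    findings = []
    all_qualifier = None
    for qualifier, name, arg in parse_spf(txt):
        if name == "mx":
            # These notes: the server's hostname has no mail server, so no mx entry.
            findings.append(("MX_ON_HELO_HOST", "remove the mx mechanism"))
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(("INVALID_ADDRESS", arg))
                continue
            if network.is_private:
                # A local address is not needed in the record and leaks internal layout.
                findings.append(("PRIVATE_ADDRESS", arg))
        elif name == "all":
            all_qualifier = qualifier
    if all_qualifier != "-":
        # "Action for other senders: Disallow" corresponds to a final -all.
        findings.append(("NO_HARD_FAIL", "record does not end in -all"))
    return findings


if __name__ == "__main__":
    for record in (STANDARD, IMPROVED, WITH_LOCAL_IP):
        print(record, "->", audit_helo_spf(record) or "no findings")
```
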

DKIM (Email)

Greylisting (Email)

  • Virtualmin --> Email Settings --> Email Greylisting --> Enable Greylisting
  • Edit `Whitelisted Clients` and `Whitelisted recipients`
    • Virtualmin --> Email Settings --> Email Greylisting
    • The default `Whitelisted Clients` list is very old and possibly should be purged. I don't know if this is a Virtualmin or a greylisting issue.
    • The postmaster@ and abuse@ are prefilled on the `Whitelisted recipients`, should these be removed as well?
  • Information
    • Greylist is a technique to reduce spam by initially rejecting email the first time another mail server tries to contact your server. Real mail servers will re-try after a short delay, but those operated by spammers typically will not. Thus legitimate email still gets delivered, but spam does not.
    • In addition, whitelists for SMTP servers and email recipients can be managed.
    • This uses the Postgrey package.
    • Greylisting can cause a delay to emails getting delivered to your mailbox because this is how it works: it waits for the remote server to re-send the email to make sure this email is legit.
    • The default Postfix settings will usually allow a retry every 5 minutes.
    • The resend timer on Postfix is controlled here: Webmin --> Servers --> Postfix Mail Server --> Delivery rates

Virtualmin (Email)

  • Mail Rate Limiting
    • Virtualmin --> System Settings --> Email Settings --> Mail Rate Limiting --> Rate limiting enabled?: Yes
    • Virtualmin --> System Settings --> Email Settings --> Mail Rate Limiting --> Global message limit:  50 per hour
      • This will apply per virtual server and is not one total value for the whole server.
    • This prevents your server from spamming the world if a domain becomes compromised.
    • You can override this for particular domains if they have greater need without risking the rest of the server.
    • I think this uses the Greylist MFilter server to handle the rates.
  • Mail Client Configuration (optional)
    • Virtualmin --> Email Rate Limiting --> Mail Client Configuration --> Enable mail client autoconfiguration?: Yes
    • This option will create an Autoconfiguration file for email clients in the location of:
      http(s)://example.com/mail/config-v1.1.xml
    • The information to build the XML is pulled from
      • Virtualmin --> System Settings --> Server Templates --> yourtemplate --> Edit template section: Mail client auto-configuration
    • Links
  • Configure Webmin email communication settings
    • Webmin --> Webmin Configuration --> Sending Email
      • Via SMTP to local mail server
      • Use encryption for SMTP?: Always use TLS
        • Switch with STARTTLS should be used if you get communication issues only.

Test Email system (Email)

  • Send a test email from Webmin
    • Webmin --> Webmin Configuration --> Sending Email --> Send Email
      • The email will be from e.g. webmin@server.example.com
      • Make sure you have this email address whitelisted to guarantee delivery

Theme

These are all per user as there are no global theme defaults except for a couple of options (Login page color palette, Forbid access to theme config for users).

  • Set Dark Mode
    • Theme Configuration --> Configuration category: General defaults --> Login page color palette: Dark
    • Click on the Day/Night button to enable dark mode.
    • Each user has to choose to use Dark mode by clicking on the 'Day/night mode toggle' button
  • Make icons coloured
    • Theme Configuration --> Configuration category:  Table display --> Show table icon links in gray scale unless hovered: No
  • Add animations on hover
    • Theme Configuration --> Configuration category:  Table display --> Show on-hover animation for table icon links: Yes
  • Prevent users changing the theme
    • Theme Configuration --> Configuration category: General defaults --> Forbid access to theme config for users: Yes
    • Theme Configuration --> Configuration category: Navigation menu --> Show Day/Night mode button: No
      • this option is not pushed to all users
  • Add 'Administrator' tag to the menu
    • Useful for knowing you are logged in with an admin account.
    • Theme Configuration --> Configuration category: Navigation menu --> Show HTML snippet: <code>Administrator</code>
    • Theme Configuration --> Configuration category: Navigation menu --> Show HTML snippet for administrators only: Yes
  • Add a separator between the "Virtual Server" and "Global" options (optional)
    If the code below does not work it might be a line ending issue or tabs converted to spaces, but easily fixed.

    • Add the code as follows
      • Theme Configuration --> Theme Extensions Edit extension file: /etc/webmin/authentic-theme/styles.css
        /** Split Virtual Server and Global menu sections - v1.0 **/
        
        /* Default/Day Mode - Section Separator */
        #customSectionSeparator {
        	width: 50%;
        	margin-left: 25%;
        	border-top: 2px solid #f5f0fffa !important;
        	margin-top: 30px !important;
        	padding-top: 30px !important;
        }
        
        /* Dark Mode - Section Separator */
        html[data-theme="gunmetal"] #customSectionSeparator {
        	border-top: 2px solid #00000054 !important;
        }
        
        /* Default/Day Mode - Search Box - Full border */
        #webmin_search_form > div.form-group .form-control.sidebar-search {
        	border: 1px solid #ffffff29 !important;
        }
        
        /* Dark Mode - Search Box - Full border */
        html[data-theme="gunmetal"] #webmin_search_form > div.form-group .form-control.sidebar-search {
        	border: 1px solid #ffffff1f !important;
        }
      • Theme Configuration --> Theme Extensions Edit extension file: /etc/webmin/authentic-theme/scripts.js
        /** Split Virtual Server and Global menu sections - v1.0 **/
        
        // Add in a div to allow correct sizing of Section Separator
        function addCustomSectionSeparator()
        {
        	// Only add the Section Separator if it does not exist and the Virtualmin menu is present
        	if (document.getElementById("customSectionSeparator") == null && $(document.getElementsByName("dom")).is(":visible"))
        	{
        		// Get the container
        		var container = document.getElementById("webmin_search_form").parentElement;
        
        		// Build the code
        		var myCreatedElement = document.createElement("div");
        		myCreatedElement.setAttribute("id","customSectionSeparator");
        
        		// Insert the code
        		container.insertBefore(myCreatedElement, container.firstChild);        
        	}
        };
        
        // Add Section Separator on initial page load (remember Virtualmin is a single page system)
        $(document).ready(function()
        {
        	addCustomSectionSeparator();
        });
        
        // Add Section Separator on page changes (remember Virtualmin is a single page system)
        $(document).change(function()
        {	
        	setTimeout(addCustomSectionSeparator, 500);
        });

Security

  • Some of these might require the editing of Account plans or server templates. I might move them if required.
  • Only if you know what you are doing, you can use ConfigServer Security & Firewall (csf + lfd) instead of FirewallD and Fail2Ban.
  • Enable FirewallD
    • Webmin --> Networking --> FirewallD
  • Enable Fail2Ban
    • Webmin --> Networking --> Fail2Ban
  • Force HTTP to HTTPS (optional)
    • Virtualmin --> Web Configuration --> Website Options --> Redirect all requests to SSL site: Yes
    • This is normally done with your CMS or by you in .htaccess.
    • What this does
      • This creates an Apache Directive to perform the redirect as follows in /etc/apache2/sites-available/example.com.conf:
        RewriteCond %{HTTPS} off
        RewriteRule ^/(?!.well-known)(.*)$ https://%{HTTP_HOST}/$1 [R]
      • This appears as a redirect in: Virtualmin --> Web Configuration --> Website Redirects
      • How to manage URL redirects – Virtualmin - This tutorial will cover how to setup URL redirects. A URL redirect allows you to make one URL redirect to another of your choice.
  • Force FTP to only use FTPS/TLS.
    • This is not yet available as a GUI option
    • Edit the config file: Webmin --> Servers --> ProFTPD Server --> Edit Config Files --> Editing config file: /etc/proftpd/conf.d/virtualmin.conf:
    • Enforce TLS by changing:
      TLSRequired off --> TLSRequired on
    • Save the config.
    • Apply the changes (this will restart the ProFTPD service).
  • Disable SSH access from users
    • The `SSH Login` is not enabled by default in `Administrator's Webmin modules` and thus should not be on.
    • You can check here: Virtualmin --> Manage Virtual Server --> Edit Owner Limits --> Other restrictions --> Allowed login type
  • Remove terminal from users
    • The `Terminal` is not enabled by default in `Administrator's Webmin modules` and thus should not be on.
    • Currently there is no way to change this after creating the Virtual Server.
    • Disable the option in the relevant server template, or the default server template.
  • Disable 'Syncing your SQL and hosting account' (optional)
    • If someone compromises your CMS they can get your account username and password.
    • This is only dangerous if you use the credentials in a web application where the details could be retrieved.
  • Disable Webmin root account.
  • Remove the root account from SSH.
  • Disable Usermin (optional)
  • Restrict access to Webmin by IP or Hostnames.
    • Webmin --> Webmin Configuration --> IP Access Control --> Allowed IP addresses:
  • Restrict access to Usermin by IP or Hostnames (or Disable Usermin).
    • Webmin --> Usermin Configuration --> IP Access Control --> Allowed IP addresses:
  • Increase password strength requirements
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Defaults for new domains --> Length of randomly generated password: 20
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: Defaults for new domains --> Characters for random passwords:
      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~
    • Webmin --> System --> Users and Groups --> Settings Cog --> Configuration category: Password restrictions --> Minimum password length
    • Webmin --> System --> Users and Groups --> Settings Cog --> Configuration category: Password restrictions --> Perl regexp to check password against
  • Webmin Authentication
    • We need to set some limits for authentication to prevent brute force attacks and other misuse.
    • Webmin --> Webmin configuration --> Authentication --> Password timeouts: Enabled
      • When Enable password timeouts is selected, Webmin will detect multiple failed login attempts from the same IP address and lock that host out for a configurable amount of time. This feature should always be turned on, as it stops attackers using millions of login attempts to guess passwords on your system.
      • Password timeouts and expiry - Need these options clarifying - Webmin - Virtualmin Community
        • I’ll add a tooltip with details on what password timeouts mean, but basically when this is enabled there will be an increasing delay between failed login attempts.
        • There’s no way to configure the password timeout delays … they are fixed in Webmin
    • Webmin --> Webmin configuration --> Authentication --> Failed login blocks:
      • Block hosts with more than 5 failed logins for 3600 seconds.
        • hosts in this context means IP addresses
      • Block users with more than 5 failed logins for 3600 seconds.
        • This is referring to Webmin users and not Unix user accounts.
      • Also lock users with failed logins: unticked
        • Locked accounts will not become active again without manual intervention so this should only be enabled when required.
    • Webmin --> Webmin configuration --> Authentication --> Authentication Options:
      • Auto-logout after: 60 minutes of inactivity
        • If you have clients it is best to enable this option; if there is just you and your admin is not exposed on the internet you can ignore this one.
      • Offer to remember login permanently?
        • If you have clients it is best to disable this option; if it is just you it can be left enabled.
        • When selected, the cookie sent to the user’s browser will be marked to indicate that it should be saved even if the browser is shut down and re-run later.

Further Settings

If you are unsure about any settings, do not change them.

Virtualmin

  • Put your holding page files in your skeleton directory /etc/skel
  • Virtualmin --> Virtualmin Configuration --> Configuration category: SSL settings --> Show Let's Encrypt error at domain creation time?
    • This will notify you of any errors and can be very useful.
  • Configure the Columns to show on 'List Virtual Servers' page
    • Virtualmin --> Virtualmin Configuration --> Configuration category: User interface settings --> (Columns to show && Feature columns to show)
    • Configure as shown below for a good start.
  • Go through the unused modules and add any that you need.
  • Go through the rest of the Virtualmin --> Virtualmin Configuration

Virtualmin Pro

There might be some Pro only options that need configuring. I will update this section when I start using Pro.

Webmin

  • Configure the System Time (System Clock)
    • Install the required binaries using the terminal
      apt-get install ntpdate
      Otherwise you will get this error
      NTP time synchronization failed : Missing ntpdate and sntp commands
    • Webmin --> Hardware --> System Time --> Change timezone --> Change timezone to: your local timezone
    • Webmin --> Hardware --> System Time --> Time server sync

      • Configure the settings as shown above.
      • You can set your own preferred NTP server if you want.
      • Set hardware time too
        • This is fine for Virtual machines (i.e. KVM Guests) because KVM provides guest virtual machines with a paravirtualized clock (kvm-clock).
      • The minutes and hours are initially randomly selected and you can use those times if you want.
      • NB: To de-select or multi-select, use the Ctrl button while clicking.
  • Go through the rest of the Webmin --> Webmin Configuration
    • You should not need to touch anything here
  • Enable Bandwidth Monitor (optional)
    • Webmin --> Networking --> Bandwidth Monitoring
    • Bandwidth Monitoring | Webmin - The Bandwidth Monitoring module can be used to create simple reports on bandwidth usage by port, host, protocol and time for traffic sent from or routed through your system. It is useful for both stand-alone hosts, and those that act as a gateway (possibly with NAT) for a network. Before it can be used, the module must setup several firewall rules and a syslog entry to capture traffic sent and received via your system.
    • This is not required for 'Bandwidth Quotas'
    • Useful to track how active websites are over time and this will show you traffic per ports.

WAF / Firewalls / IDS / IPS

You should consider if the default FirewallD + fail2ban does what you want. If you don't know just leave the settings as they are.

Jails

I don't know how to configure these or how to use them, this section is a placeholder if this changes.

Set your NAT Static IP / Finalise your IP address

  • If you are using Virtualmin behind a NAT, you should set your permanent local Static IP now.
  • You can always easily update DNS records later, but why do things twice? In fact Virtualmin will notice the change and ask you to make the change.
  • When you change from DHCP, make sure you set your Gateway and DNS servers on the network card via Webmin. Otherwise you will get connectivity issues that differ between the internal and external networks to your server, and Virtualmin will not be able to make outbound connections. When you are on DHCP you are supplied with the Gateway and DNS server settings automatically.
    • Webmin --> Networking --> Network Configuration --> Routing and Gateways --> Default router --> Gateway:
    • Webmin --> Networking --> Network Configuration --> Hostname and DNS Client --> DNS servers: 127.0.0.53 + your DNS server
  • When you reload Webmin after changing the IP address you will be presented with this message, and you should use the link to change the IPs as advised.
    • The control panel host address was not changed with this tool.
      • Webmin --> Networking --> Network Configuration --> Host Addresses --> <10.0.0.137/web.svchost.uk , web> --> IP Address:
      • Still showing 10.0.0.253, so I changed it to --> 10.0.0.44
  • Configure your firewall to forward ports as required (and using any security policies you have in place).

Backup Strategy

  • Configure a backup strategy.
    • to be added later
  • How do I back up the whole server?
  • How do I back up Webmin and Virtualmin settings? Are these the same as the /etc/

etckeeper

I am using Ubuntu LTS 22.04 and etckeeper is installed. You need to check whether it is installed automatically on your OS; if not, you should consider installing it manually.

  • Virtualmin installs this by default on systems that have an etckeeper package available that can set itself up automatically.
  • This is not a substitute for backups, but it does allow you to see exactly what changes you made, which might help you fix things if you make a mistake that breaks something and you don’t remember what you changed to get there.
  • etckeeper allows the contents of /etc to be stored in a Version Control System (VCS) repository. It integrates with APT and automatically commits changes to /etc when packages are installed or upgraded.
  • The location for the GIT repo in Virtualmin is: /etc/.git/
  • etckeeper also sets up a daily cron job.
  • The changes in /etc files are stored in the GIT repository that was created, forever.

Create your Primary Hosting account (example.com)

Account Creation

  • Create a Virtual Server with your primary domain
    • Virtualmin --> Create Virtual Server
    • Use the domain selected by you in the preparation stage.
    • With an email dedicated for the system to use to send notifications, e.g. no-reply@example.com.
      • On some configurations a dedicated email address might be required, but not always.

User Settings

  • Remove SSH from the account owner
    • Virtualmin --> Manage Virtual Server --> Edit Owner Limits --> Other Restrictions --> Allowed login type: Email and FTP
  • Disable any email on the primary account (optional)
    • Virtualmin --> Edit Users --> <username> --> Email Settings --> Primary email address enabled: No
    • Virtualmin --> Edit Users --> <username> --> Email Settings --> Additional email addresses: <remove any found here>
  • Add email address(es) to the domain
    • Virtualmin --> Edit Users --> Add a website FTP access user
    • Configure the email address and password.
    • Other user permissions --> Login permission: Email only
      • This ensures this user is just an email account.
    • Set any other option that you need, but this is enough.

Domain Settings

  • Create nameservers (NS entries)
    • Virtualmin currently does not allow you to use nameservers that do not already exist and you cannot automatically create custom nameservers.
    • DNS Frequently Asked Questions – Virtualmin
      • Virtualmin --> DNS settings --> DNS Records --> Create Record of Type: NS Name Server
        • Record name: same as domain
        • Record type: NS - Name Server
        • Cache time: Domain default
        • Name server DNS name: ns1
        • Record Comment: leave blank
        • Repeat for ns2
      • Virtualmin --> DNS settings --> DNS Records --> Create Record of Type: A - IPv4 Address
        • Record name: same as domain
        • Record type: A - IPv4 address
        • Cache time: Domain default
        • IPv4 address: your external ip
        • Record Comment: leave blank
        • Repeat for ns2
  • Let's Encrypt SSL Certificate
    • Virtualmin --> Manage Virtual Server --> Setup SSL Certificate
    • If your domain is not pointing to your Virtualmin server, then a Let's Encrypt certificate will not be requested and it will have to be done manually later.
    • How to add an SSL certificate – Virtualmin - These instructions will tell you what fields to fill in, if not already.
  • Set the Default website for IP address / Shared SSL / Default Domain
    • Virtualmin --> Web Configuration --> Website Options --> Default website for IP address: Yes
    • Tooltip: When this field is set to Yes, this virtual server's website will be served by Apache when it receives a request that doesn't match any other virtual server on the system. This typically happens if a user uses a URL with an IP address in it, or a hostname that resolves to your system but does not match any Virtualmin domain.
    • You might see one of the following variants of the option depending which domain is selected as the default website:
       
  • Configure DNSSEC (optional)
    • This is an important technology and prevents your domain from getting spoofed.
    • DNSSEC should have been enabled by your 'Internal' template, but if not, go here and enable it.
      • Virtualmin --> DNS Options --> DNSSEC signature enabled: Yes
      • Click 'Save'
    • Automatic Key Re-Signing
      • Webmin --> Servers --> BIND DNS Server --> DNSSEC Key Re-Signing --> Automatic key re-signing enabled?: Yes
      • If you do not enable this, your DNSSEC keys will expire and give you one or both of these errors (The following zones have expired DNSSEC signatures):

    • Go to Virtualmin --> DNS Options --> DNSSEC zone keys --> DS records for registrar
      • You will see something similar to the image below. I have annotated the image as it was tricky figuring out which number did what.
    • Now you have the relevant information, you need to enter it at your registrar

      • In this example you can see the numbers in parentheses, which are the same as the numbers in your DS records for registrar.
      • Your registrar will probably have a form similar to this as long as they support DNSSEC; not all do.
      • DNSSEC Guide — BIND 9 9.19.19-dev documentation
        • This document provides introductory information on how DNSSEC works, how to configure BIND 9 to support some common DNSSEC features, and some basic troubleshooting tips.
        • This is well written and easy to read. I found it very helpful.
  • Enable TLSA records
    • Virtualmin --> DNS Settings --> DNS Options --> TLSA records enabled: Yes
    • Currently you cannot set this as an option in the Server Template so it has to be enabled manually.
  • Configure the SPF 'Fail Qualifier'
    • The server template does not handle SPF records creation properly so we have to set the 'Fail Qualifier' manually.
    • Virtualmin --> DNS Settings --> DNS Options --> Action for other senders: Disallow
      • <default> = none
      • Disallow = -all
      • Discourage = ~all
      • Neutral = ?all
      • Allow = all
  • Add Website Aliases
    • Do you have several versions of the domain names (eg example.com, example.co.uk, example.uk) that you want to point to the same website? You can add them now.
    • Virtualmin --> Create Virtual Server --> Alias of example.com
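
For the DNSSEC step above (DS records for registrar), this added example, which is not Virtualmin's own code, splits a DS record into the four values a registrar form asks for: key tag, algorithm, digest type and digest, in that order. The record shown is constructed; the function name ds_fields is hypothetical.

```sh
#!/bin/sh
# Added example: split a DS record into the four values a registrar form asks for.

# ds_fields "RECORD" -> prints key_tag, algorithm, digest_type, digest (one per line)
ds_fields() {
    set -f; set -- $1; set +f          # split on whitespace without globbing
    while [ $# -gt 0 ] && [ "$1" != DS ]; do shift; done   # skip name, TTL, class
    [ $# -ge 5 ] || { echo "error: not a DS record"; return 1; }
    shift
    tag=$1 alg=$2 dtype=$3
    shift 3
    case $tag$alg$dtype in
        *[!0-9]*) echo "error: key tag, algorithm and digest type must be numbers"; return 1 ;;
    esac
    # The digest may be printed in several space-separated chunks: join and upper-case it
    digest=$(printf '%s' "$*" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $alg in
        8) algname=RSASHA256 ;;        10) algname=RSASHA512 ;;
        13) algname=ECDSAP256SHA256 ;; 14) algname=ECDSAP384SHA384 ;;
        15) algname=ED25519 ;;         16) algname=ED448 ;;
        *) algname=other ;;
    esac
    case $dtype in
        1) dname=SHA-1 want=40 ;;
        2) dname=SHA-256 want=64 ;;
        4) dname=SHA-384 want=96 ;;
        *) echo "error: unknown digest type $dtype"; return 1 ;;
    esac
    case $digest in
        ''|*[!0-9A-F]*) echo "error: digest is not hexadecimal"; return 1 ;;
    esac
    [ "${#digest}" -eq "$want" ] || {
        echo "error: $dname digest needs $want hex characters, got ${#digest}"; return 1; }
    printf 'key_tag=%s\nalgorithm=%s (%s)\ndigest_type=%s (%s)\ndigest=%s\n' \
        "$tag" "$alg" "$algname" "$dtype" "$dname" "$digest"
}

# Constructed sample record (not a real key): 64 hex characters split by a space
part=0123456789abcdef
ds_fields "example.com. 3600 IN DS 12345 13 2 $part$part$part $part"
```

A length error here usually means the digest was truncated or only one chunk of it was copied, which is worth catching before the value is submitted to the registrar.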

Install Serverwide Apps

Create One location for the Apps

Now that you have created your primary hosting account, I would install your single copy of phpMyAdmin. Further detailed instructions can be found in the 'Serverwide Apps' section above; however, the instructions below will work for everyone.

  • Create a directory ~/public_html/apps/ on your primary domain which will look like https://www.example.com/apps/
  • Restrict access to the /apps/ folder
    • I recommend restricting access.
    • It would be better if Apps were hidden away like cPanel. Edit as required.
    • Create a .htaccess using the content below.
      # DISABLE DIRECTORY INDEXES
      Options -Indexes
      
      # RESTRICT ACCESS TO DIRECTORY BY IP ADDRESS
      # Include in .htaccess of any directory
      <RequireAny>
          Require all denied
          #Require ip 1.2.3.4
          #Require ip 5.6.7.8/12
          
          # If local server access to the directory is required
          # add the following; include the server IP addresses (IPv4 & IPv6)
          Require local
          #Require ip 192.168.1.0/24
          #Require ip 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      </RequireAny>

Install phpMyAdmin Centrally

  • Create a separate database with its own user
  • Install using the Virtualmin Install Script, using the database you just created, to the following location www.example.com/apps/phpmyadmin/
  • Change the database user if required.
  • Adding a Virtualmin Dashboard Menu Item using the GPL Theme based solution
    • Theme Configuration --> Configuration category: Navigation menu --> Extra entries
      {
          "extra": [{
              "title": "phpMyAdmin",
              "link": "https://www.example.com/apps/phpmyadmin",
              "icon": "php",
              "level": "0",
              "target": "_blank"
          }]
      }
      • This menu item will be visible for administrators only, but can be changed.
      • Don't forget to change the link to match your primary domain name or other target.
      • For further information and methods see the Custom Menu Links section.
      • Currently the field will not accept this format and needs to be flattened.
        {"extra":[{"title":"phpMyAdmin","link":"https://www.example.com/apps/phpmyadmin","icon":"php","level":"0","target":"_blank"}]}

Other Centralised Apps

If you have any other apps that should be centralised, follow the procedure outlined above.

  • Roundcube
    • I am not sure if Usermin is better instead of Roundcube
    • The Usermin dynamic from webmail.example.com can be changed to the Roundcube directory

Final Things

  • Enable a real SSL certificate from Let's Encrypt for your Virtualmin hostname (eg server.example.com)
    • Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL settings --> Create host default domain with Let's Encrypt certificate: Yes
    • Virtualmin --> System Settings --> Re-Check Configuration
  • Get Virtualmin to check various settings and configurations. This also runs some housekeeping tasks.
    • Virtualmin --> System Settings --> Re-Check Configuration
  • Check Webmin can "still" send emails
    • Webmin --> Webmin Configuration --> Sending Email --> Send Email
  • Enable automatic software package updates
    • Webmin --> System --> Software Package Updates --> Scheduled Upgrades
      • Mission Critical Servers
        • Check for updates on schedule?: Yes, every day
        • Email updates report to: enter your email address
        • Action when update needed: Just notify for security updates
      • Not bothered about servers
        • Check for updates on schedule?: Yes, every day
        • Email updates report to: none
        • Action when update needed: Install security updates / Install any updates
    • Automatic/Scheduled Software Package Updates - are they recommended? - Virtualmin - Virtualmin Community
      • Depends on how often you’re in the system. Ideally, you’d pay attention when updates are installed, as updates can break things (though they rarely do). I use automatic updates on systems that I won’t be logging into often, but I usually use the system-provided automatic updates tool rather than the one in Webmin (you can just install unattended-upgrades on Debian/Ubuntu, for example: UnattendedUpgrades - Debian Wiki or dnf-automatic on RHEL and derivatives: Chapter 7. Automating software updates in RHEL 9 Red Hat Enterprise Linux 9 | Red Hat Customer Portal).
      • For systems I am logging into regularly, or that are critical, I run the updates manually, and I make sure I pay attention to security-related updates for packages I’m using, so that I intentionally visit all my non-automatically updating systems to update when major issues arise.
      • In short: If you will make it a practice to become aware of security updates (subscribe to the necessary mailing list(s) for your OS, for instance), then the safest option is to upgrade manually, watch the log of packages to make sure there are no errors, and test immediately after upgrades to be sure everything is happy. But, because it is very dangerous to run unpatched systems, automatic updates are the better choice if you won’t be proactive about updates and becoming aware of security issues in the wild when they come up.
      • Daily updates is reasonable.

Branding (optional)

Styling your Virtualmin installation can be useful for identifying your dev and live sites

  • Add a logo to the login page
    • Theme Configuration --> Theme Logos
  • Style the Theme Background
    • Theme Configuration --> Theme Backgrounds
  • Show real hostname instead of name from URL? (optional)
    • Webmin --> Webmin Configuration --> Authentication --> Show real hostname instead of name from URL?
    • This is useful for identifying live and dev servers when you are not using the system hostname to login for admin purposes.
  • Webmin --> Webmin Configuration --> Authentication --> Pre-login banner
    • I have not used this

Done!!!

  • Install your Client websites.

 

 

 

 

Read 927 times Last modified on Saturday, 11 May 2024 10:30