Author Topic: Securing RoundCube installation  (Read 7456 times)

Offline michalp

  • Newbie
  • *
  • Posts: 7
Securing RoundCube installation
« on: September 30, 2010, 01:58:16 PM »
Hi,

I'm new here, so HELLO EVERYBODY:)

I have Apache2 + PHP (hardened with Suhosin) on Ubuntu 10.04 LTS.
I've just installed RoundCube Webmail 0.4.1.

The configuration is:
1) Apache2:

 # The <VirtualHost> and <Directory> container lines were lost when this post was
 # archived; they are restored here from the indentation and the DocumentRoot.
 <VirtualHost *:80>
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www>
                Options FollowSymLinks MultiViews
                AllowOverride All
                Order Allow,Deny
                Allow from all
        </Directory>

        # Redirect plain-HTTP requests to HTTPS. The RewriteCond applies only to the
        # RewriteRule directly below it; a second, identical RewriteRule that followed
        # (without its own RewriteCond) was dropped, because it would also fire for
        # requests already on port 443 and redirect them in a loop.
        RewriteEngine On
        RewriteCond %{SERVER_PORT} ^80$
        RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
        RewriteLogLevel 2
 </VirtualHost>


2) Roundcube is unpacked into /var/www, all files and directories chowned to roundcube:roundcube (roundcube is a non-shell user), temp and logs directories chowned to www-data:www-data.

3) Disabled some insecure functions in php.ini, configured open_basedir = /var/www, disabled allow_url_fopen.

4) I have .htaccess files preventing access to config, logs, temp directories.
I'm using some plugins, I created .htaccess files preventing access to config.inc.php for all plugins I use.

5) In the password plugin, config.inc.php (with the DSN to pgsql) is roundcube:www-data (640).

My question is simple: what more can I do to secure my installation of Roundcube better? Can you guys post some advice here for a new RoundCube administrator :)?


Thanks in advance

Michael
« Last Edit: September 30, 2010, 02:13:09 PM by michalp »
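
The file-level items in the post above (deny rules on config/, logs/, temp/ and on every plugin config.inc.php, no world-readable config.inc.php, and the php.ini changes) can be checked mechanically. The script below is an added example and not code from the thread or from the Roundcube project. It assumes the tree layout the poster describes (ROOT/config, ROOT/logs, ROOT/temp, ROOT/plugins/<name>/config.inc.php); the fixture it builds, including the php.ini and the plugin DSN, is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: audits a Roundcube tree and a php.ini
# for the hardening the poster lists. Assumed layout: ROOT/config, ROOT/logs,
# ROOT/temp and ROOT/plugins/<name>/config.inc.php; all sample content is constructed.

# Print one line per finding for the tree at $1; exit status 0 means clean.
audit_roundcube() {
    root=$1
    findings=0
    # config/, logs/ and temp/ must carry an .htaccess that denies web access;
    # accept the Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") forms.
    for d in config logs temp; do
        if [ ! -f "$root/$d/.htaccess" ]; then
            echo "MISSING  $d/.htaccess"
            findings=$((findings + 1))
        elif ! grep -qiE '^[[:space:]]*(Deny from all|Require all denied)' "$root/$d/.htaccess"; then
            echo "WEAK     $d/.htaccess does not deny access"
            findings=$((findings + 1))
        fi
    done
    # every plugin that ships a config.inc.php needs the same protection
    for f in "$root"/plugins/*/config.inc.php; do
        [ -f "$f" ] || continue
        pdir=${f%/config.inc.php}
        if [ ! -f "$pdir/.htaccess" ]; then
            echo "MISSING  ${pdir#"$root"/}/.htaccess"
            findings=$((findings + 1))
        fi
    done
    # a config.inc.php may hold a DSN with a password: it must not be world-readable
    # (-perm -004 is the POSIX spelling of "others have read")
    for f in $(find "$root" -name 'config.inc.php' -perm -004); do
        echo "PERMS    ${f#"$root"/} is world-readable"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Check a php.ini for the three settings the poster changed; same output convention.
audit_php_ini() {
    ini=$1
    findings=0
    if ! grep -qiE '^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*(Off|0)' "$ini"; then
        echo "PHPINI   allow_url_fopen is not Off"
        findings=$((findings + 1))
    fi
    if ! grep -qE '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "PHPINI   open_basedir is not set"
        findings=$((findings + 1))
    fi
    if ! grep -qE '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "PHPINI   disable_functions is empty"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run an audit function and return only its finding count (never a failing status).
count_findings() {
    "$@" | wc -l | tr -d ' '
}

# Build a constructed fixture under $1 with deliberate weaknesses.
make_fixture() {
    root=$1
    mkdir -p "$root/config" "$root/logs" "$root/temp" "$root/plugins/password"
    printf 'Order Allow,Deny\nDeny from all\n' > "$root/config/.htaccess"
    printf 'Require all denied\n' > "$root/logs/.htaccess"
    # temp/ deliberately has no .htaccess
    printf '<?php $rcmail_config["password_db_dsn"] = "pgsql://rc:SECRET@localhost/rc";\n' \
        > "$root/plugins/password/config.inc.php"
    chmod 644 "$root/plugins/password/config.inc.php"   # world-readable, and no .htaccess
    printf 'allow_url_fopen = On\nopen_basedir = /var/www\ndisable_functions =\n' > "$root/php.ini"
}

# Stand-alone run: build the fixture, audit both parts, print the findings.
demo=$(mktemp -d)
make_fixture "$demo"
audit_roundcube "$demo" || echo "-> $(count_findings audit_roundcube "$demo") tree finding(s)"
audit_php_ini "$demo/php.ini" || echo "-> $(count_findings audit_php_ini "$demo/php.ini") php.ini finding(s)"
rm -rf "$demo"
```

On a live box you would call audit_roundcube /var/www and audit_php_ini /etc/php5/apache2/php.ini instead of the fixture; the .htaccess checks only matter while AllowOverride All is in effect for that directory, which is why the vhost above grants it for /var/www.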

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Securing RoundCube installation
« Reply #1 on: September 30, 2010, 02:27:20 PM »
RoundCube is inherently secure; RoundCube is just a client, so it doesn't really have too much to secure. As long as you keep RoundCube updated you shouldn't have any problems.

Offline michalp

  • Newbie
  • *
  • Posts: 7
Securing RoundCube installation
« Reply #2 on: September 30, 2010, 03:33:37 PM »
Thank you for your reply Skaero:)

I don't agree at all with you that it's just a client; as long as it executes some PHP scripts on the server side, it needs to be secured by webadmins.

Anyway, by keeping RoundCube updated do you mean staying current with the stable branch (for now 0.4.1)?


Michael

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Securing RoundCube installation
« Reply #3 on: September 30, 2010, 11:15:25 PM »
Well, that is true, but RoundCube has the same access as WordPress or Joomla; as long as you have a secure web server you shouldn't have any problems. Keeping up with the stable branch, which is currently 0.4.1, is just fine.

Offline michalp

  • Newbie
  • *
  • Posts: 7
:)
« Reply #4 on: October 01, 2010, 03:26:58 AM »
That's why I asked other Apache2/PHP admins what more I can do :)

I use my own server, not a hosted one. I just wanted to know if my Apache virtualhost and PHP configurations are OK :)


Thanks anyway for reply:)

Michael

Offline bagu

  • Full Member
  • ***
  • Posts: 109
    • Bagu.biz
Securing RoundCube installation
« Reply #5 on: October 01, 2010, 06:33:57 AM »
So, you'd better ask this on an Apache/PHP help forum.
Why do you ask on the Roundcube forum how to secure your server?

Roundcube is secure as long as you keep it up to date.

Offline michalp

  • Newbie
  • *
  • Posts: 7
Securing RoundCube installation
« Reply #6 on: October 01, 2010, 07:07:11 AM »
Because I'm installing RoundCube... That's why I ask here...

Michael