Hi,
I'm new here, so HELLO EVERYBODY:)
I have Apache2 + PHP (hardened with Suhosin) on Ubuntu 10.04 LTS
I've just installed RoundCube Webmail 0.4.1
The configuration is:
1) Apache2:
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Options FollowSymLinks MultiViews
AllowOverride All
Order Allow,Deny
Allow from all
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
RewriteLogLevel 2
2) Roundcube is unpacked into /var/www, all files and directories chowned to roundcube:roundcube (roundcube is a non-shell user), temp and logs directories chowned to www-data:www-data
3) Disabled some insecure functions in php.ini, configured open_basedir = /var/www, disabled allow_url_fopen
4) I have .htaccess files preventing access to config, logs, temp directories.
I'm using some plugins, I created .htaccess files preventing access to config.inc.php for all plugins I use.
5) In the password plugin, access to config.inc.php (with DSN to pgsql) is roundcube:www-data (640).
My question is simple: what more can I do to better secure my installation of Roundcube? Can you guys post some advice here for a new RoundCube administrator:)?
Thanks in advance
Michael
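The file-level measures in the post above (items 4 and 5) can be re-checked after every upgrade or plugin install. The script below is an added example, not part of the original thread or of Roundcube; the `.htaccess` check is a simple text heuristic, and the sample tree and the plugin name `example_plugin` are constructed for illustration.

```python
import os
import stat
import tempfile

PROTECTED_DIRS = ("config", "logs", "temp")  # directories named in the post

def htaccess_denies(directory):
    """Heuristic: does directory/.htaccess contain an Apache deny directive?"""
    try:
        with open(os.path.join(directory, ".htaccess")) as fh:
            rules = {" ".join(line.split("#")[0].lower().split()) for line in fh}
    except OSError:
        return False
    # Apache 2.2 syntax (Ubuntu 10.04) or its 2.4 replacement
    return bool(rules & {"deny from all", "require all denied"})

def audit(root):
    """Return sorted findings for a Roundcube tree rooted at `root`."""
    findings = []
    for name in PROTECTED_DIRS:
        path = os.path.join(root, name)
        if os.path.isdir(path) and not htaccess_denies(path):
            findings.append(f"{name}: no .htaccess deny rule")
    for dirpath, _dirs, files in os.walk(root):
        if "config.inc.php" not in files:
            continue
        cfg = os.path.join(dirpath, "config.inc.php")
        rel = os.path.relpath(cfg, root)
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & 0o007:  # any permission bit for "other" is too much
            findings.append(f"{rel}: mode {mode:o} is open to other users")
        if not htaccess_denies(dirpath):
            findings.append(f"{rel}: no .htaccess deny rule")
    return sorted(findings)

def build_sample_tree():
    """Constructed sample layout; 'example_plugin' is hypothetical."""
    root = tempfile.mkdtemp()
    layout = {  # directory -> (has .htaccess deny, config.inc.php mode or None)
        "config": (True, None), "logs": (True, None), "temp": (False, None),
        "plugins/password": (True, 0o640),
        "plugins/example_plugin": (False, 0o644),
    }
    for rel, (deny, mode) in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        if deny:
            with open(os.path.join(d, ".htaccess"), "w") as fh:
                fh.write("Deny from all\n")
        if mode is not None:
            cfg = os.path.join(d, "config.inc.php")
            open(cfg, "w").close()
            os.chmod(cfg, mode)
    return root

if __name__ == "__main__":
    print("\n".join(audit(build_sample_tree())))
```

A clean result only shows that the files are in place; the `.htaccess` rules take effect only while the enclosing Apache configuration permits them through `AllowOverride`.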
RoundCube is inherently secure. RoundCube is just a client, so it doesn't really have too much to secure. As long as you keep RoundCube updated you shouldn't have any problems.
Thank you for your reply Skaero:)
I don't agree at all with you that it's just a client; as long as it executes some PHP scripts on the server side, it needs to be secured by webadmins.
Anyway, by keeping RoundCube updated you mean being current with the stable branch (for now 0.4.1)?
Michael
Well, that is true, but RoundCube has the same access as WordPress or Joomla; as long as you have a secure web server you should have any problems. Keeping up with the stable branch, which is currently 0.4.1, is just fine.
That's why I asked other Apache2/PHP admins what more I can do:)
I use my own server, not a hosted one. I just wanted to know if the Apache virtualhost and PHP configurations are OK:)
Thanks anyway for reply:)
Michael
So, you'd better ask this on an Apache/PHP help forum.
Why do you ask on the Roundcube forum how to secure your server?
Roundcube is secure as long as you keep it up to date.
Because I'm installing RoundCube... That's why I ask here...
Michael