Roundcube Community Forum

 

Securing Roundcube 0.3.1

Started by guidobras, February 09, 2010, 11:58:01 AM


guidobras

Hi,
I've installed v 0.3.1 and assigned ownership of every file/dir to apache (chmod -R apache:apache roundcube). Is it correct?

Then, as recommended in the installation instructions, I checked that access through the web server to the following directories is denied (via .htaccess):
    * /config
    * /temp
    * /logs

Should I take other actions to secure the installation?
Are there any security best practices?

Thanks
Guido


Julius Caesar

You've secured the right directories. Besides that, you could also use an SSL certificate on your web server for your Roundcube website.
Julius Caesar


firewing1

You should also consider setting up a fail2ban jail for your IMAP server software as well as Roundcube. Setting it up just for the IMAP software isn't enough since roundcubemail is most probably installed on the same server as the IMAP server, and fail2ban will never lock out localhost.

There have been a few posts that you can search for with Google that detail how to set this up and get the filters working so that fail2ban parses the Roundcube logs and bans the corresponding remote IP instead of localhost.
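
The point in firewing1's post, as an added example that is not part of the thread and is not fail2ban's or Roundcube's own code: the same failed webmail logins are counted once from an IMAP log, where every attempt arrives from 127.0.0.1, and once from a Roundcube log that records the remote address. Both log formats, the regexes, the sample lines and the `hosts_to_ban` helper are constructed assumptions; real filters must match the formats your own versions write.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample lines. Both formats are assumptions for illustration,
# not the real output of any IMAP server or Roundcube version.
IMAP_LOG = [
    "2010-02-09 12:00:01 imapd: LOGIN FAILED user=guido ip=127.0.0.1",
    "2010-02-09 12:00:05 imapd: LOGIN FAILED user=guido ip=127.0.0.1",
    "2010-02-09 12:00:09 imapd: LOGIN FAILED user=admin ip=127.0.0.1",
    "2010-02-09 12:01:00 imapd: LOGIN FAILED user=anna ip=127.0.0.1",
    "2010-02-09 12:02:00 imapd: LOGIN FAILED user=bob ip=192.0.2.50",
]
ROUNDCUBE_LOG = [
    "2010-02-09 12:00:01 roundcube: Login failed for guido from 203.0.113.7",
    "2010-02-09 12:00:05 roundcube: Login failed for guido from 203.0.113.7",
    "2010-02-09 12:00:09 roundcube: Login failed for admin from 203.0.113.7",
    "2010-02-09 12:00:30 roundcube: Successful login for anna from 198.51.100.20",
    "2010-02-09 12:01:00 roundcube: Login failed for anna from 198.51.100.20",
    "2010-02-09 12:20:00 roundcube: Login failed for anna from 198.51.100.20",
    "2010-02-09 12:40:00 roundcube: Login failed for anna from 198.51.100.20",
]
IMAP_RE = re.compile(r"^(?P<ts>\S+ \S+) imapd: LOGIN FAILED user=\S+ ip=(?P<host>\S+)$")
RC_RE = re.compile(r"^(?P<ts>\S+ \S+) roundcube: Login failed for \S+ from (?P<host>\S+)$")

def hosts_to_ban(lines, pattern, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least maxretry failures inside findtime.
    Loopback addresses are skipped, modelling that localhost is never banned."""
    seen = defaultdict(list)
    banned = set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue  # not a failed-login line in the assumed format
        host = ip_address(m["host"])
        if host.is_loopback:
            continue  # webmail logins reach the IMAP server from 127.0.0.1
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # keep only failures still inside the sliding window, then add this one
        seen[host] = [t for t in seen[host] if ts - t <= findtime] + [ts]
        if len(seen[host]) >= maxretry:
            banned.add(str(host))
    return sorted(banned)

if __name__ == "__main__":
    print("from IMAP log:     ", hosts_to_ban(IMAP_LOG, IMAP_RE))
    print("from Roundcube log:", hosts_to_ban(ROUNDCUBE_LOG, RC_RE))
```

The three failures from 198.51.100.20 are spread over 40 minutes, so they never reach the threshold inside one window and that address is not banned.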