Roundcube Community Forum


Securing RoundCube installation

Started by michalp, September 30, 2010, 01:58:16 PM


michalp

Hi,

I'm new here, so HELLO EVERYBODY:)

I have Apache2 + PHP (hardened with Suhosin) on Ubuntu 10.04 LTS.
I've just installed RoundCube Webmail 0.4.1

The configuration is:
1) Apache2:

 DocumentRoot /var/www

 # <Directory> tags reconstructed: they were stripped by the forum formatting;
 # the block layout follows the Ubuntu default virtual host.
 <Directory />
         Options FollowSymLinks
         AllowOverride None
 </Directory>

 # Webroot: AllowOverride All so the .htaccess files mentioned below are honoured
 <Directory /var/www/>
         Options FollowSymLinks MultiViews
         AllowOverride All
         Order Allow,Deny
         Allow from all
 </Directory>

 # Redirect every plain-HTTP request to HTTPS (duplicate RewriteRule dropped)
 RewriteEngine On
 RewriteCond %{SERVER_PORT} ^80$
 RewriteRule (.*)$ https://%{SERVER_NAME}$1 [L,R]
 RewriteLogLevel 2


2) Roundcube is unpacked into /var/www, all files and directories chowned to roundcube:roundcube (roundcube is a non-shell user), temp and logs directories chowned to www-data:www-data.

3) Disabled some insecure functions in php.ini, configured open_basedir = /var/www, disabled allow_url_fopen.

4) I have .htaccess files preventing access to config, logs, temp directories.
I'm using some plugins, I created .htaccess files preventing access to config.inc.php for all plugins I use.

5) In the password plugin, config.inc.php (with the DSN to pgsql) is roundcube:www-data (640).

My question is simple: what more can I do to better secure my installation of Roundcube? Can you guys post some advice here for a new RoundCube administrator? :)


Thanks in advance

Michael
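As an added example (not code from this thread or from the Roundcube project), a small Python audit of the checklist in the post: it verifies the deny-all .htaccess files on config/, logs/ and temp/, the 640 mode on the password plugin's config.inc.php, and the open_basedir / allow_url_fopen settings in php.ini. The webroot built by make_sample_tree() is constructed for the demonstration, and the Apache 2.4 "Require all denied" form is accepted alongside the 2.2 "Deny from all" syntax used in the post.

```python
"""Audit a Roundcube webroot and php.ini against the post's hardening steps; the sample tree is constructed."""
import os, re, stat, tempfile
PROTECTED_DIRS = ("config", "logs", "temp")  # directories the post denies via .htaccess
# Apache 2.2 syntax (current when Roundcube 0.4.1 shipped) plus the 2.4 equivalent.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def htaccess_denies(directory):
    """True if directory/.htaccess exists and contains a deny-all rule."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return bool(DENY_RE.search(fh.read()))

def php_ini_findings(text):
    """Flag the two php.ini settings from the post; parses key = value lines, skipping ';' comments."""
    settings = {k.lower(): v.strip() for k, v in
                re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n;]*)', text, re.M)}
    findings = []
    if settings.get("allow_url_fopen", "On").lower() not in ("off", "0", ""):
        findings.append("allow_url_fopen is enabled (PHP default is On)")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

def audit(webroot, php_ini_text, plugins=("password",)):
    """Findings for the post's layout: protected dirs, plugin config modes, php.ini."""
    findings = php_ini_findings(php_ini_text)
    for d in PROTECTED_DIRS:
        if not htaccess_denies(os.path.join(webroot, d)):
            findings.append(f"{d}/ has no deny-all .htaccess")
    for p in plugins:
        cfg = os.path.join(webroot, "plugins", p, "config.inc.php")
        if os.path.isfile(cfg) and os.stat(cfg).st_mode & stat.S_IROTH:
            findings.append(f"plugins/{p}/config.inc.php is world-readable (expected 640)")
    return findings

def make_sample_tree(plugin_mode=0o640, unprotected=()):
    """Constructed webroot in a temp dir mirroring the post's layout; returns its path."""
    root = tempfile.mkdtemp(prefix="rc-audit-")
    for d in PROTECTED_DIRS:
        os.makedirs(os.path.join(root, d))
        if d not in unprotected:
            with open(os.path.join(root, d, ".htaccess"), "w") as fh:
                fh.write("Order Deny,Allow\nDeny from all\n")
    cfg = os.path.join(root, "plugins", "password", "config.inc.php")
    os.makedirs(os.path.dirname(cfg))
    open(cfg, "w").close()
    os.chmod(cfg, plugin_mode)
    return root
```

Run audit("/var/www", open("/etc/php5/apache2/php.ini").read()) against a real tree; an empty list means every item on the post's checklist is in place.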

SKaero

RoundCube is inherently secure; RoundCube is just a client, so it doesn't really have too much to secure. As long as you keep RoundCube updated you shouldn't have any problems.

michalp

Thank you for your reply SKaero :)

I don't agree with you at all that it's just a client; as long as it executes some PHP scripts on the server side, it needs to be secured by web admins.

Anyway, by keeping RoundCube updated you mean being current with the stable branch (for now 0.4.1)?


Michael

SKaero

Well, that is true, but RoundCube has the same access as WordPress or Joomla; as long as you have a secure web server you shouldn't have any problems. Keeping up with the stable branch, which is currently 0.4.1, is just fine.

michalp

That's why I asked other Apache2/PHP admins what more I can do :)

I use my own server, not a hosting one. I just wanted to know if my Apache virtual host and PHP configurations are OK :)


Thanks anyway for the reply :)

Michael

bagu

So, you'd better ask this on an Apache/PHP help forum.
Why do you ask on the Roundcube forum how to secure your server?

Roundcube is secure as long as you keep it up to date.

michalp

Because I'm installing RoundCube... That's why I ask here...

Michael