Topic: Hardening
==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian Squeeze
- Related log if you're reporting an issue:
====
Hello All,
I found lots of messages regarding installation and issues during installation. Not aware that such a thread already
exists, I started a new one. This is not about installation (in the sense of getting it running), but about how to make a successfully
running system more secure. (I am quite a Linux newbie, as you can see from my posts, but I am learning and want to give
something back to the community, to make it easier for others who might follow the same path.)
The only thread which popped up when searching for 'hardening' was
http://www.iredmail.org/forum/search940939680.html
but as this is a longer wishlist I decided to create a new thread.
The first snippet I want to contribute is (all information below is Debian related only):
== Security by obscurity (I know this concept is generally a weak one, but better a weak one than none...) ==
e.g. hide/obfuscate your URLs so that script-kiddies have fewer hints about the installed components and possible
security holes to use.
/var/www/index.html
=> this normally redirects to /mail (popping into Roundcube)
Replace it with another file (simply deleting it would show the folder listing)
Replace it with the default Apache index.html (possibly not good, as it announces this is a possibly not fully configured server)
or let it redirect to a nonexistent page (creates an error message, better)
or just show an empty page
/var/www/robots.txt
remove all hints about existing folders (too many hints about installed packages)
leave just a Disallow: /
/etc/apache2/conf.d/roundcube.conf
=> comment out all Alias lines as they are defined again in /etc/apache2/sites-available/default-ssl
(we will modify them there)
/etc/apache2/sites-available/default-ssl
=> at the end of the file (end of section /VirtualHost)
Edit the following Aliases to something less obvious
Alias /mysqladmin
Alias /mail
WSGIScriptAlias /iredadmin
ScriptAlias /awstats
=> comment out these lines
# Alias /roundcube
# Alias /webmail
Of course, after the changes clear the browser cache and restart Apache.
Also it might be recommended to open all admin pages (iredadmin, awstats, mysqladmin) only to the local network.
(I will deal with this in a future post)
Best Regards,
Marcovaldo
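An added example (mine, not from Marcovaldo's post or from iRedMail's own configuration) of what the end of default-ssl can look like after the changes above, with the renamed admin aliases also limited to the local network as the post suggests. It assumes Apache 2.2 as shipped with Debian Squeeze; the obscured path names, the 192.168.1.0/24 network and the target directories are placeholders, keep the directories already present in your file.

```apache
# Added example, not the original post's configuration.
# Assumes Apache 2.2 (Debian Squeeze). Placeholders: the obscured
# URL names, /path/to/... directories and the 192.168.1.0/24 network.
<VirtualHost _default_:443>
    # ... existing SSL and DocumentRoot settings stay unchanged ...

    # Before: stock aliases that reveal the installed components.
    # Alias /mail        /path/to/roundcubemail
    # Alias /webmail     /path/to/roundcubemail
    # Alias /roundcube   /path/to/roundcubemail
    # Alias /mysqladmin  /path/to/phpmyadmin
    # WSGIScriptAlias /iredadmin /path/to/iredadmin/iredadmin.py
    # ScriptAlias /awstats /usr/lib/cgi-bin/awstats.pl

    # After: one non-obvious webmail path instead of three well-known ones.
    Alias /xm7q /path/to/roundcubemail

    # Admin pages get non-obvious names ...
    Alias /dbadm-4k2 /path/to/phpmyadmin
    WSGIScriptAlias /mailadm-9z1 /path/to/iredadmin/iredadmin.py
    ScriptAlias /stats-7c3 /usr/lib/cgi-bin/awstats.pl

    # ... and are only reachable from localhost and the local network,
    # so a guessed or leaked name alone is not enough from the Internet.
    <LocationMatch "^/(dbadm-4k2|mailadm-9z1|stats-7c3)">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.1.0/24
    </LocationMatch>
</VirtualHost>
```

After editing, check the syntax with `apache2ctl configtest` before restarting Apache, and remember that robots.txt should no longer list the old or the new paths (a single `Disallow: /` is enough).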