1 (edited by marcovaldo 2013-04-08 03:11:52)

Topic: Hardening

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian Squeeze
- Related log if you're reporting an issue:
====

Hello All,

I found lots of messages regarding installation and issues regarding installation. Not being aware that such a thread already
exists, I started a new one. This is not about installation (in the sense of getting it running), but about how to make a successfully
running system more secure. (I am quite a Linux newbie, as you can see from my posts, but I am learning and want to give
something back to the community, to make it easier for others who might follow the same path.)

The only thread which popped up when searching for 'hardening' was
http://www.iredmail.org/forum/search940939680.html
but as this is a longer wishlist, I decided to create a new thread.

The first snippet I want to contribute is (all information below is Debian related only):
== Security by obscurity (I know this concept is generally a weak one, but better a weak one than none...) ==
e.g. hide/obfuscate your URLs so that script-kiddies have fewer hints about the installed components and possible
security holes to use.

/var/www/index.html
=> this normally redirects to /mail (popping into Roundcube)
Replace it by another file (simply deleting it would show the folder listing)
Replace it by the default Apache index.html (possibly not good, as it announces a possibly not fully configured server)
or let it redirect to a nonexistent page (creates an error message, better)
or just show an empty page

/var/www/robots.txt
remove all hints about existing folders (too many hints about installed packages)
leave just a Disallow: /

/etc/apache2/conf.d/roundcube.conf
=> comment out all Alias entries, as they are defined again in /etc/apache2/sites-available/default-ssl
(we will modify them there)

/etc/apache2/sites-available/default-ssl
=> at the end of the file (end of section /VirtualHost)
Edit the following Alias entries to something less obvious:
Alias /mysqladmin
Alias /mail
WSGIScriptAlias /iredadmin
ScriptAlias /awstats
=> comment out these lines:
# Alias /roundcube
# Alias /webmail

Of course, after the changes, clear the browser cache and restart Apache.

Also, it might be recommended to open all admin pages (iredadmin, awstats, mysqladmin) only to the local network.
(I will deal with this in a future post.)

Best Regards,

    Marcovaldo

----


2

Re: Hardening

Hi Marcovaldo,

Thanks very much for your feedback.

marcovaldo wrote:

leave just a Disallow: /

Good idea. Fixed in iRedMail development version.

marcovaldo wrote:

=> comment out all Alias entries, as they are defined again in /etc/apache2/sites-available/default-ssl

Commented out /webmail, /roundcube in development version.

marcovaldo wrote:

Also, it might be recommended to open all admin pages (iredadmin, awstats, mysqladmin) only to the local network.

The problem is, iRedMail doesn't know which network is local for this server. Use 127.0.0.1? 192.168.x.x? 172.16.x.x? I prefer to leave it to system admin.
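The tail of default-ssl rewritten as post 1 describes, plus the local-network restriction this reply leaves to the admin, as an added example for Apache 2.2 on Debian Squeeze (it is not from the thread or from iRedMail's shipped config). The obscured alias names, the 192.168.1.0/24 range and every /PATH/TO/... target are assumptions: keep the target paths from your existing Alias lines.

```apache
# Added example: end of /etc/apache2/sites-available/default-ssl.
# Paths /PATH/TO/... are placeholders; use the targets from your own Alias lines.
# "x7k3m" is an arbitrary obscuring prefix, 192.168.1.0/24 an assumed LAN.

    # Old webmail names, commented out so the defaults no longer resolve
    # Alias /roundcube /PATH/TO/roundcube/
    # Alias /webmail   /PATH/TO/roundcube/
    # Alias /mail      /PATH/TO/roundcube/

    # Webmail under a non-obvious path; users still reach it from anywhere
    Alias /x7k3m-webmail /PATH/TO/roundcube/

    # Admin tools: renamed AND limited to localhost plus one LAN range
    Alias /x7k3m-dbadmin /PATH/TO/phpmyadmin/
    <Location /x7k3m-dbadmin>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1 192.168.1.0/24
    </Location>

    WSGIScriptAlias /x7k3m-iredadmin /PATH/TO/iredadmin-wsgi-script
    <Location /x7k3m-iredadmin>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1 192.168.1.0/24
    </Location>

    ScriptAlias /x7k3m-stats /PATH/TO/awstats.pl
    <Location /x7k3m-stats>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1 192.168.1.0/24
    </Location>

    # Refuse the old admin names outright, so a forgotten Alias in another
    # config file (e.g. conf.d/) cannot expose them again
    <LocationMatch "^/(mysqladmin|iredadmin|awstats)(/|$)">
        Order deny,allow
        Deny from all
    </LocationMatch>
</VirtualHost>
```

If requests arrive through a reverse proxy, as in the DMZ setup mentioned later in this thread, Apache sees the proxy's address rather than the client's, so the Allow list must be written with that in mind. Check the result with `apache2ctl configtest` before restarting.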

3

Re: Hardening

Thanks for your positive feedback!
(I will continue to contribute (little) bits and pieces!)

/etc/apache2/conf.d/roundcube.conf
=> comment out all Alias entries, as they are defined again in /etc/apache2/sites-available/default-ssl
(we will modify them there)

I think these Alias entries are for non-SSL access. (I forward only https to my iRedMail server, located in a DMZ.)
So I definitely do not need these Aliases. Other customers allowing http might need them.

Marcovaldo

4

Re: Hardening

marcovaldo wrote:

/etc/apache2/conf.d/roundcube.conf
=> comment out all Alias entries, as they are defined again in /etc/apache2/sites-available/default-ssl
(we will modify them there)

Oh, my mistake, I forgot this one. It should be commented out by default.
Thanks again.

Commit log:
https://bitbucket.org/zhb/iredmail/comm … 2bb0f19310