1 (edited by fmenard123 2014-01-03 10:21:10)

Topic: Securing the server as the final step!

OK folks,

I finally have a server (Debian, 0.8.6 Pro - MySQL) in production.

I ended up creating all these files with the following content:

/etc/apache2/conf.d/iredadmin.conf
----------
WSGISocketPrefix /var/run/wsgi
WSGIDaemonProcess iredadmin user=iredadmin threads=15
WSGIProcessGroup iredadmin

AddType text/html .py

<Directory /usr/share/apache2/iredadmin/>
    Order Deny,Allow
    Allow from 192.168.
    Deny from all
</Directory>
------------

/etc/apache2/conf.d/phpmyadmin.conf
-----------
<Directory /usr/share/phpmyadmin/>
Options FollowSymLinks
DirectoryIndex index.php
Order Deny,Allow
Allow from 192.168.
Deny from all
</Directory>
----------

/etc/apache2/conf.d/cluebringer.conf
----------
<Directory /usr/share/postfix-cluebringer-webui/webui/>
Options FollowSymLinks
DirectoryIndex index.php
Order Deny,Allow
Allow from 192.168.
Deny from all
</Directory>
----------

/etc/apache2/conf.d/awstats.conf
---------
<Directory /usr/share/awstats/icon/>
Options FollowSymLinks
DirectoryIndex index.php
Order Deny,Allow
Allow from 192.168.
Deny from all
</Directory>
------------


My server has 2 interfaces, one with a public IP address and another one with a private IP address (192.168.x.x)

So the idea is that if I want to manage the server over the web interface, I need to VPN into the office and access the server from behind the firewall.

Over the public internet (interface), only Roundcube is enabled over HTTPS and everything else is blocked by the iptables script ... however, iptables isn't enough to secure the other management interfaces.

I'm surprised that there is no description of how to achieve this in the FAQ. Let my post serve as the inspiration!

F.
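
The Apache 2.2-style `Order`/`Allow`/`Deny` evaluation that the configuration above relies on, as an added example that is not part of the original post or of iRedMail: it parses a `<Directory>` block and decides whether a given client address is admitted. The function names and test addresses are constructed for illustration; hostname and `env=` specs are not handled.

```python
import ipaddress
import re

# Constructed sample: the phpmyadmin block as posted above.
SAMPLE_CONF = """\
<Directory /usr/share/phpmyadmin/>
Options FollowSymLinks
DirectoryIndex index.php
Order Deny,Allow
Allow from 192.168.
Deny from all
</Directory>
"""

def parse_directory_blocks(conf):
    """Return {path: {"order": str, "allow": [specs], "deny": [specs]}}."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"<Directory\s+(.+?)>$", line, re.I)
        if m:
            # Apache 2.2 defaults to Order Deny,Allow when none is given.
            current = blocks.setdefault(
                m.group(1), {"order": "deny,allow", "allow": [], "deny": []})
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            w = line.split()
            if len(w) >= 2 and w[0].lower() == "order":
                current["order"] = "".join(w[1:]).lower()
            elif len(w) >= 3 and w[0].lower() in ("allow", "deny") and w[1].lower() == "from":
                current[w[0].lower()].extend(w[2:])
    return blocks

def spec_matches(spec, client_ip):
    """Match 'all', a partial IPv4 address (whole octets only), or IP/CIDR."""
    if spec.lower() == "all":
        return True
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4 and "/" not in spec:
        # "192.16" must not match 192.168.x.x, so compare octets, not strings.
        return client_ip.split(".")[:len(octets)] == octets
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def is_allowed(block, client_ip):
    allowed = any(spec_matches(s, client_ip) for s in block["allow"])
    denied = any(spec_matches(s, client_ip) for s in block["deny"])
    if block["order"] == "deny,allow":
        return allowed or not denied   # default allow; Allow overrides Deny
    return allowed and not denied      # allow,deny: default deny; Deny overrides
```

With the same `Allow`/`Deny` lines but `Order Allow,Deny`, every client is rejected, because `Deny from all` is then evaluated last.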


2

Re: Securing the server as the final step!

Nobody replied to this ... Have I chosen the best path?

3

Re: Securing the server as the final step!

Hi @fmenard123,

I'm sorry that I don't quite understand your first post. Are you asking a question, or sharing a tip?

4 (edited by suto 2014-01-13 15:55:17)

Re: Securing the server as the final step!

Hi,

IMHO this is a good tip. Apache + PHP (or Perl, Python...) could be vulnerable, so IP restriction is advised.