  #1  
Old 20th September 2008, 03:00
hrvbid hrvbid is offline
Junior Member
 
Join Date: Nov 2006
Posts: 13
Thanks: 9
Thanked 14 Times in 7 Posts
IspConfig with Roundcubemail - Security

Looking for a webmailer, roundcubemail is functionally a pretty choice, but from the view of security one of the greatest disasters I've seen in the recent past. I do not know from where the gaps came, from the native distro or from the pkg adaption for ispconfig. Reasons may be caused by inconsistent/strange file type usage and the intermix of some object orientation with non object oriented programming styles.

Anyway, some actions are urgently suggested to plug the leaks.

With good reason, the ispconfig webserver for itself does not allow .htaccess overrides. With good reason also, roundcubemail runs with and in the context of the ispconfig server. But roundcubemail uses .htaccess files to have some protection.

That should be supported (only for the roundcube path) by

1st, insert into the file /root/ispconfig/httpd/conf/httpd.conf at about line # 1197 :
Code:
<Directory /home/admispconfig/ispconfig/web/roundcubemail>
	AllowOverride All
</Directory>
Next, modify the .htaccess file in the roundcube path at line # 28 :
Code:
<FilesMatch "(\.db|\.dist|\.inc|magic|msgimport|\~)$">
  Order allow,deny
  Deny from all
</FilesMatch>
Order deny,allow
Allow from all
...and...
an .htaccess file with this content :
Code:
	Order allow,deny
	Deny from all
should also be placed in the ispconfig roundcubemail path:
./logs/.htaccess
./SQL/.htaccess

...and...
the ./config/*.dist files I have renamed to *.dist.nop,
otherwise these files are offered for download.

When finished, the ispconfig server requires a restart.

Don't know if all security issues have now been paid attention to, but with a first test the roundcube world with ispconfig looks a bit better, while the functionalities are just bright.
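As an added example (not code from the thread, nor from the ISPConfig or Roundcube packages), a POSIX shell script that applies the logs/, SQL/ and config/*.dist steps from the post above to a Roundcube install root passed as its argument, then lists whatever still matches the FilesMatch pattern. It assumes the Apache 2.2 Order/Deny syntax used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: apply the hardening steps hrvbid
# describes to a Roundcube tree and report what would still be exposed.
# Assumes Apache 2.2 access-control syntax (Order/Deny) as in the thread;
# Apache 2.4 needs mod_access_compat or "Require all denied" instead.
set -eu

# Write a deny-all .htaccess into a directory (creates it if needed).
deny_all_htaccess() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Order allow,deny\nDeny from all\n' > "$dir/.htaccess"
    chmod 0644 "$dir/.htaccess"
}

# Harden a Roundcube install root: protect logs/ and SQL/, and rename the
# config/*.dist templates so they are no longer offered for download.
harden_roundcube() {
    rc="$1"
    [ -d "$rc" ] || { echo "no such directory: $rc" >&2; return 1; }
    deny_all_htaccess "$rc/logs"
    deny_all_htaccess "$rc/SQL"
    for f in "$rc"/config/*.dist; do
        [ -e "$f" ] || continue      # glob matched nothing, skip literal
        mv "$f" "$f.nop"
    done
}

# List files under the install root that the thread's FilesMatch rule
# (\.db|\.dist|\.inc|magic|msgimport|~ at end of name) is meant to block.
# Anything printed here is served unless AllowOverride/.htaccess is in force.
list_sensitive_files() {
    rc="$1"
    find "$rc" -type f \( -name '*.db' -o -name '*.dist' -o -name '*.inc' \
        -o -name 'magic' -o -name 'msgimport' -o -name '*~' \) | sort
}

# Usage: sh harden_roundcube.sh /home/admispconfig/ispconfig/web/roundcubemail
if [ "${1:-}" != "" ]; then
    harden_roundcube "$1"
    echo "Still matching the sensitive-file pattern after hardening:"
    list_sensitive_files "$1"
fi
```

The script changes nothing outside the given directory, so it can be run first against a copy of the tree to see what it would rename.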
  #2  
Old 20th September 2008, 10:28
Hans Hans is offline
Moderator
 
Join Date: Dec 2005
Location: Montfoort, The Netherlands
Posts: 2,263
Thanks: 216
Thanked 649 Times in 295 Posts

First, I want to thank you for your close view and the advice you gave us.
I have to say that you are completely right!

The RC package for ISPConfig only copies RoundCube into the right directory.
Regarding .htaccess files, RoundCube comes in its original state.
The .htaccess files which come with RoundCube are not removed.

Packages like phpMyAdmin, phpPgAdmin and also RoundCube are under heavy development.
Each package needs its own ideal settings.

Some examples:
phpMyAdmin, php needs to be compiled with an extra module: --with-mcrypt
phpPgAdmin, php needs to be compiled with an extra module: --with-pgsql
RoundCube, uses .htaccess files, but also phpMyAdmin has one.

In other words, installing these packages with the ISPConfig update manager is not enough.
To let those apps function properly and safely, extra php-modules need to be compiled and/or modifications are needed regarding .htaccess files and what more.
This can not be done by just installing the packages for ISPConfig.
So, I think port 81 is not the right place to serve all those apps.
It is meant for ISPConfig only.
We don't want all those dependencies, because ISPConfig itself simply doesn't need them.

In the past I started to update/maintain the existing packages as my contribution for the community.
(Some of them were rather old, you see).

The users of the packages expect something which just works safely out of the box, but sometimes it does not.
One of the advantages of the packages should be that they are simple to install and ready to use.
With all the extra requirements of the packages and configurations which need to be changed, this is not the case at all.

Personally, I think it is better to use Apache for only ISPConfig and Apache2 for the webs.
This is what an ISPConfig server has been designed for and this is how I use it myself!

For these reasons, I am considering not to maintain the packages any longer.
__________________
Hans

MrHostman | Managed Hosting
  #3  
Old 20th September 2008, 11:10
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,045
Thanks: 841
Thanked 5,661 Times in 4,468 Posts

I have added this to the bugtracker. I think we can add the directory directive for AllowOverride into the ispconfig httpd.conf by default.

When it comes to the "--with-mcrypt" for phpmyadmin, we are working on implementing this, so that it is compiled with mcrypt when the mcrypt development files are installed, as we already do for postgres.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
Old 20th September 2008, 14:31
hrvbid hrvbid is offline
Junior Member
 
Join Date: Nov 2006
Posts: 13
Thanks: 9
Thanked 14 Times in 7 Posts

Thank you Hans, thank you Till
for the quick response. Let me add some remarks. The feature to have packages available at a central place (like phpmyadmin, like webmailers) together with ispconfig is a very good and useful choice, because there is a secured ssl environment where in most cases there cannot be much more when owning only a very limited pool of ip addresses. Also, to manage such centralized software with ispconfig at the higher admin level is well thought out. I would not like to miss that feature. In any case, such package implementations require the highest server admin's attention and should never be used without sensitive examination.
Sure, ispconfig itself doesn't need phpmyadmin, doesn't need a webmailer, but site users are most happy when they are offered. And ispconfig is very smartly designed to serve different kinds of users. The nature of such apps is always the universal usefulness for close to all.
That means only apps of such kind should be considered to have a life together with ispconfig. Without any doubt, phpmyadmin and webmailers belong to them. And always, a server admin decides about the availability; he may decide against it too. And best, he has the choice to decide.
From this point, let me thank you again for the great ispconfig and the great howtoforge with its rich content.
Hilmar
  #5  
Old 20th September 2008, 15:41
hrvbid hrvbid is offline
Junior Member
 
Join Date: Nov 2006
Posts: 13
Thanks: 9
Thanked 14 Times in 7 Posts

To Hans ...
please do not give up on roundcube at ispconfig!
It would be sad if my post caused your statement. :-(
Greetings
Hilmar
  #6  
Old 22nd September 2008, 10:58
Hans Hans is offline
Moderator
 
Join Date: Dec 2005
Location: Montfoort, The Netherlands
Posts: 2,263
Thanks: 216
Thanked 649 Times in 295 Posts

@hrvbid
Have a look here.
__________________
Hans

MrHostman | Managed Hosting