I've added a link for a wiki page:
http://wiki.qmailtoaster.com/index.php?title=Securing_SquirrelMail&action=edit
to the Security section of the Configuration page.
Would someone care to edit the page (using above link), and add this
stuff to it? Please reply to this request before jumping in so we don't
have two people editing it concurrently. First come, ... ;)
TIA.
Johannes Weberhofer, Weberhofer GmbH wrote:
Another thing that makes it very hard to use PHP-security-issues is to
use the following-settings for
<Directory /usr/share/squirrelmail>
php_admin_value open_basedir
/usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/var/spool/squirrelmail
php_admin_value upload_tmp_dir
/srv/www/vhosts/at.weberhofer.www-ssl/tmp
php_admin_flag safe_mode On
</Directory>
Changing the upload_tmp_dir makes it very hard to use standard-haking
tools which regulary tries to operate files on the /tmp path. The other
options prevents access to most directories and disallows execution of
scritpts/files. You have to check ownerships/permissions to make the
above settings working.
Best regards,
Johannes
Am 09.04.2010 18:09, schrieb Eric Shubert:
You should secure squirrelmail so that it only runs with https, so that
passwords are not sent in the clear. To do so, configure apache with a
valid cert (see http://wiki.qmailtoaster.com/index.php/Certificate),
then add these lines to your /etc/http/squirrelmail.conf file:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*/webmail.*)$ https://%{SERVER_NAME}$1 [L,R]
Then
# service httpd restart
madmac wrote:
Is there then a way to secure squirrelmail, or any other webmail prog.
This is a default install of qmail with the ISO.
Not having it is not an option, as most of the clients can only use
webmail as they are on the road daily.
Thanks
----- Original Message -----
*From:* Jake Vickers <mailto:j...@qmailtoaster.com>
*To:* qmailtoaster-list@qmailtoaster.com
<mailto:qmailtoaster-list@qmailtoaster.com>
*Sent:* Thursday, April 08, 2010 5:53 PM
*Subject:* Re: [qmailtoaster] spam
On 04/08/2010 04:21 PM, madmac wrote:
Well anyone that can guess my passwords must be amazing.
Let alone get through the elaborate firewall system.
ssh port is " non standard "
But I agree, this box is compromised " some how "
File count now at 9580 and counting
Are all of the files that are "infected" from mailboxes?
It does sound like your machine has been compromised. If you leave
Squirrelmail open (ie: no protection against password attacks) or
have other webapps running then this is the most likely place for
them to get in. Once they have an account's login credentials, they
can upload things to themselves and run them (don't ask me how - I
never looked at how they did it - I just fixed it) and then brute
force passwords from the local machine to obtain other access or
whatever they are looking to do.
I had one a year or so back where a guy installed phpbb - when he
came in the next day someone had emailed him his root password. He
reinstalled and put phpbb back on and had his machine compromised in
about 2 hours after that.
--
-Eric 'shubes'
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
