On 2014-10-07 13:24, Robert Moskowitz wrote:
On 10/07/2014 08:09 AM, Gordan Bobic wrote:
On 2014-10-07 13:05, Robert Moskowitz wrote:

Of course roundcubemail is its own set of problems, but I do have to
provide web imap email.

Roundcube isn't really that problematic; I've been running it for
years. Having said that, I run it on a dedicated VServer instance,
so any scope for damage even if it did turn out to have an exploit
is very limited.

And when I was first testing Roundcube about 1.5 years ago, I detected
a problem in their conf and recommended:

    php_admin_flag session.cookie_secure "1"

and got yelled down!  A couple others agreed that this should be the
default.  I will have to see if the new build does this.

I only ever run it on a https only virtual host, so didn't see
this as a big deal.

This is a client-side security issue.  And what is passed in the
cookie can be intercepted, prior to TLS starting up.  I had
checked it out with wireshark at the time.

You misunderstand - I don't mean TLS, I mean SSL, and you don't even
get to see the login screen except over https. All the http variant
of the URL does is redirect to https. And because it runs over SSL,
no HTTP gets exchanged until after the SSL connection has been
initiated.

I generally prefer to use VServer/LXC/OpenVZ to isolate
instances if I need to have things running efficiently
on a single machine. It mitigates at least some types of
possible attack. Of course, those require rebuilding
the kernel with suitable patches, if they are not already
in the kernel you are using...

I run separate hardware for each purpose, which is why I am so interested in
ARM platforms.  Then TRY and have as little other stuff as possible.
I move SSH to another port, just to keep the riff-raff away. And
whatever else I learn.

It's a valid approach, but it does increase the machine
sprawl. VServer helps keep that under control.

It used to be two shelves of SFF intelboxen on their sides, now check out:

http://medon.htt-consult.com/~rgm/cubieboard/cubietower-3.JPG

It looks neater now.  Should get a new pix posted.

Sure but you could probably replace that whole lot with one
of these and [VServer | LXC | OpenVZ]:

http://cornfedsystems.com/

Gordan
_______________________________________________
users mailing list
[email protected]
http://lists.redsleeve.org/mailman/listinfo/users
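The disagreement above turns on what the Secure cookie attribute actually does: it tells the browser never to send that cookie on a plain-HTTP request. An http-to-https redirect protects the login page, but a session cookie issued without Secure will still be sent in the clear if the client later follows any http:// link to the same host, before the redirect response arrives. The following is an added example, not code from this thread or from Roundcube: a small Python audit that pulls Set-Cookie headers out of an HTTP response and reports cookies missing Secure or HttpOnly. The responses and cookie names below are constructed.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; not from the mailing-list thread or from Roundcube.
All responses below are constructed sample data.
"""

# Constructed raw responses, as a PHP application behind Apache might emit
# them. The first is what the default php.ini (session.cookie_secure = 0)
# produces; the second is what you get after setting
# php_admin_flag session.cookie_secure On in the https vhost; the third
# shows an application-set cookie with no attributes at all.
SAMPLE_RESPONSES = {
    "default-ini": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
        "\r\n<html></html>"
    ),
    "cookie_secure-on": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly\r\n"
        "\r\n<html></html>"
    ),
    "app-cookie-weak": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: app_session=deadbeef; path=/\r\n"
        "Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly\r\n"
        "\r\n<html></html>"
    ),
}


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value):
    """Return (cookie_name, attributes) for one Set-Cookie value.

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly)
    map to True. Parsed by hand so that attribute matching is
    case-insensitive, as browsers treat it.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_cookies(header_values):
    """Return [(cookie_name, [missing attributes])] for weak cookies."""
    findings = []
    for header_value in header_values:
        name, attrs = parse_set_cookie(header_value)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def audit_response(raw_response):
    """Audit every Set-Cookie header in one raw HTTP response."""
    return audit_cookies(set_cookie_headers(raw_response))


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        findings = audit_response(raw)
        status = "ok" if not findings else "WEAK"
        print(f"{label:18s} {status} {findings}")
```

Run against a real server, the same functions can be fed the head of a response captured with curl -i; a cookie reported as missing "secure" is one the browser will transmit over http regardless of how the server redirects.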
