Skip to content →

Apache et Roundcube, sécurisation et obfuscation de version

Après installation d’un serveur de mail pour remplacer Google Apps sur mon domaine perso, j’ai trouvé que Roundcube était le seul webmail qui me plaisait à peu près.

Quelques tips et tricks sur la sécurisation de Apache / PHP et Roundcube, pas sur les serveurs Postfix / Dovecot, qui je l’espère, viendront ici alimenter le blog avec du fail2ban …

  • Configuration du vHost et sécurisation dossiers “sensibles”
<VirtualHost *:443>
        ServerAdmin postmaster@beufa.net
        ServerName  x.beufa.net
        DocumentRoot /var/www/x
        SSLEngine on
        SSLCipherSuite ALL:!ADH:RC4+SHA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
        SSLProtocol all -SSLv2
        SSLStrictSNIVHostCheck on
        SSLOptions StrictRequire
        SSLCertificateFile     cert.pem
        SSLCertificateKeyFile  cert.pem
        #GnuTLSEnable on 
        #GnuTLSPriorities SECURE:!ANON-DH:!MD5
        #GnuTLSCertificateFile cert.pem
        #GnuTLSKeyFile cert.pem
        #GnuTLSCertificateChainFile cert.pem
        #GnuTLSCACertificatePath /

        <Directory /var/www/roundcube>
                Options FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        <Directory /var/www/roundcube/config>
                Options -FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/roundcube/temp>
                Options -FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/roundcube/logs>
                Options -FollowSymLinks
                AllowOverride None
                Order allow,deny
                Deny from all
        </Directory>

        <Directory /var/www/roundcube/plugins/enigma/home>
                Options -FollowSymLinks
                AllowOverride None
                Order allow,deny
                Deny from all
        </Directory>

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        ErrorLog ${APACHE_LOG_DIR}/05.x.beufa.net_error.log
        CustomLog ${APACHE_LOG_DIR}/05.x.beufa.net_access.log combined

</VirtualHost>
  • Supprimer les headers de mail PHP verbeux dans /etc/php5/apache2/php.ini
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
; Example for Roundcube : X-PHP-Originating-Script: 33:main.inc in each mail sent 
mail.add_x_header = Off
  • Avoir des logs Apache / PHP dans un fichier spécifique
; The path to a log file that will log all mail() calls. Log entries include
; the full path of the script, line number, To address and headers.
;mail.log = /var/log/mail.apache-php.log

Bientôt d’autres tips sur le couple Postfix / Dovecot / Roundcube !

Published in Linux Sécurité Webapps

fr_FRFR