From: Kay on 1 Feb 2010 12:49

On 01/02/10 17:09, j debert wrote:
> it seems that roundcube is popular.
>
> It seems to be most popular among bots as well, according to what my
> apache logs say. I don't have roundcube but there are frequent
> attempts to get to php scripts down in the roundcube directories. I'd
> probably see orders of magnitude more if it weren't for fail2ban. I
> wonder what it is that makes it so popular?

In my job (hosting company) I see boxes exploited via roundcube all the time. Squirrelmail? Not one so far. Part of the reason is that squirrelmail comes with RHEL, so it's kept up to date automatically, while customers install their own roundcube and then don't maintain it. That said, it's not the only webmail client (or any other web app) that gets the install-and-neglect treatment, it's just the one most frequently exploited.

So if you want to run it, be diligent about keeping it up to date, and use something like fail2ban.

K
From: terry on 1 Feb 2010 13:40

Quoting Kay <lists(a)coffeehabit.net>:
> On 01/02/10 17:09, j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?
>
> In my job (hosting company) I see boxes exploited via roundcube all
> the time. Squirrelmail? Not one so far. Part of the reason is that
> squirrelmail comes with RHEL, so it's kept up to date automatically,
> while customers install their own roundcube and then don't maintain
> it. That said, it's not the only webmail client (or any other web
> app) that gets the install-and-neglect treatment, it's just the one most
> frequently exploited.

Squirrelmail works nicely, as does Horde, which seems to be quite a bit more complete (integrated calendar, sharing, etc.), however I wouldn't put any web app out on the net without using SSL, HTTP Auth and fail2ban in front of it. Hacks are much more difficult if the attacker can't get to the application directory without a valid login. The HTTP auth box is ugly and somewhat annoying, however there's a lot to be said for a very stable, low-level, simple authentication mechanism.

Terry
From: mouss on 1 Feb 2010 14:39

j debert wrote:
> it seems that roundcube is popular.
>
> It seems to be most popular among bots as well, according to what my
> apache logs say. I don't have roundcube but there are frequent
> attempts to get to php scripts down in the roundcube directories. I'd
> probably see orders of magnitude more if it weren't for fail2ban. I
> wonder what it is that makes it so popular?
>

you mean things like
GET /roundcube-0.2//bin/msgimport
GET /round//bin/msgimport
..

they're looking for old versions.. See
http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
http://stateofsecurity.com/?p=550

Funnily enough, they don't try SSL. (note that enforcing SSL for any web mail application is a good practice)
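The requests mouss quotes are exactly what a fail2ban jail in front of a webmail host would key on. The following Python is an added example, not code from this thread, from roundcube or from the fail2ban project: it reimplements the relevant part of a jail (a failregex-style match over Apache combined-format access-log lines, counted per source address with fail2ban's maxretry and findtime semantics) so the matching can be checked offline. The log lines are constructed for the example; the assumption that any HTTP request for roundcube's bin/msgimport is a scanner probe (it is a command-line script, not a web endpoint) is mine, as is the choice of thresholds.

```python
"""Fail2ban-style detection of roundcube path probes in Apache access logs.

Added example; not from the thread, roundcube or fail2ban. Assumes that
bin/msgimport is never legitimately requested over HTTP.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" log lines (not real traffic);
# the probe paths mirror the ones quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2010:20:39:49 +0100] "GET /roundcube-0.2//bin/msgimport HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2010:20:39:50 +0100] "GET /round//bin/msgimport HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Feb/2010:20:39:51 +0100] "GET /webmail//bin/msgimport HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.23 - - [01/Feb/2010:20:40:02 +0100] "GET /index.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Feb/2010:20:40:05 +0100] "GET /roundcube/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.99 - - [01/Feb/2010:20:41:10 +0100] "GET /rc//bin/msgimport HTTP/1.1" 404 292 "-" "-"
"""

# Combined log format: host ident user [timestamp] "method path proto" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

# Probe signature (assumption): the roundcube bin/ scripts are CLI tools and
# a correct install never serves them, so any request for them is a scan.
PROBE_RE = re.compile(r'/bin/msgimport(?:\.sh)?$')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_time(stamp):
    """Parse an Apache timestamp such as '01/Feb/2010:20:39:49 +0100'."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def is_probe(path):
    """True if the request path matches the roundcube scanner signature."""
    return PROBE_RE.search(path) is not None


def count_probes(log_text):
    """Number of probe requests per client address over the whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["host"]] += 1
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Addresses that sent at least `maxretry` probes within `findtime` seconds.

    This mirrors fail2ban's jail semantics: the count only matters if the
    probes cluster inside the findtime window.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            times[rec["host"]].append(parse_time(rec["time"]))
    banned = []
    for host, stamps in times.items():
        stamps.sort()
        # Sliding window: any run of maxretry probes spanning <= findtime seconds.
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    for host, n in count_probes(SAMPLE_LOG).most_common():
        print(f"{host}: {n} probe(s)")
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The fail2ban equivalent of PROBE_RE is a filter whose failregex is roughly `^<HOST> .*"(?:GET|POST) \S*/bin/msgimport`; fail2ban substitutes its own address pattern for `<HOST>`, which is why the Python above carries its own host group. The window check matters in practice: a single stray 404 from a legitimate user should not earn a ban, so keep maxretry above 1 and let findtime do the clustering.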
From: fakessh on 1 Feb 2010 14:56

On Mon, 01 Feb 2010 20:39:49 +0100, mouss <mouss(a)ml.netoyen.net> wrote:
> j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?
>>
>
> you mean things like
> GET /roundcube-0.2//bin/msgimport
> GET /round//bin/msgimport
> ..
>
> they're looking for old versions.. See
> http://asert.arbornetworks.com/2009/01/roundcube-webmail-scanning/
> http://stateofsecurity.com/?p=550
>
>
> Funnily enough, they don't try SSL. (note that enforcing SSL for any
> web mail application is a good practice)

the current version of roundcube (0.3.1) does not work with the current mod_security. I failed to get along with the rules of mod_security. I simply removed it.

I just read the security alert and just deleted msgimport.sh
From: Giuseppe De Nicolò on 1 Feb 2010 15:09

On 02/01/2010 06:49 PM, Kay wrote:
> On 01/02/10 17:09, j debert wrote:
>> it seems that roundcube is popular.
>>
>> It seems to be most popular among bots as well, according to what my
>> apache logs say. I don't have roundcube but there are frequent
>> attempts to get to php scripts down in the roundcube directories. I'd
>> probably see orders of magnitude more if it weren't for fail2ban. I
>> wonder what it is that makes it so popular?

Well, I admit I'm one of those guys using it (of course I'm not a hosting company), though the reason I use it is that it has decent features (well, for a webmail app; it's not an organizer, that's for sure) and a very pleasant interface. I used squirrelmail before it; it worked very well, though my users did complain about its ugly interface. I also considered Horde, but to be honest it seems to me overkill as a webmail client, while roundcube is an easy and fast setup (even to maintain). So I guess those 2 points make it popular, although I see your point.

>
> In my job (hosting company) I see boxes exploited via roundcube all
> the time. Squirrelmail? Not one so far. Part of the reason is that
> squirrelmail comes with RHEL, so it's kept up to date automatically,
> while customers install their own roundcube and then don't maintain
> it. That said, it's not the only webmail client (or any other web
> app) that gets the install-and-neglect treatment, it's just the one most
> frequently exploited.
>
> So if you want to run it, be diligent about keeping it up to date, and
> use something like fail2ban.
>
> K
>

Well, I agree with you there. I was a bit worried about its security. I also have to admit I have had 0.3.0 stable for almost 6 months and only recently have I seen 0.3.1 come up (which I happen to have updated to recently), while I'm seeing a lot of security alerts about it. So the point is I would love to keep using squirrelmail, but it really looks old (don't shoot me, I like it) to my users.