Roundcube is an open source PHP webmail client that allows users to read and send email through a user-friendly interface.
Installing Roundcube in Virtualmin
In Virtualmin, choose the virtual host you want to install the script on, and click "Install Scripts":
Choose "Roundcube" and click "Show Install Options"
Choose a database and enter the path; I chose "webmail" for the path.
Securing Roundcube in Virtualmin
Roundcube provides many plugins to further enhance and secure the script. The plugins can be found on: http://trac.roundcube.net/wiki/Plugin_Repository
In order to prevent brute force attacks on the email, we install the following plugins:
Installing antiBruteForce Plugin:
Download the antiBruteForce plugin from: http://code.google.com/p/rcd-plugin-antibruteforce/downloads/list
Extract it and upload it to your roundcube/plugins directory.
Or download and extract it over SSH directly into roundcube's plugins directory:
wget https://rcd-plugin-antibruteforce.googlecode.com/files/antiBruteForce_v2.0.tar.gz
tar -xvf antiBruteForce_v2.0.tar.gz
Go to roundcube's config directory and open config.inc.php for editing.
Scroll to the bottom of the file, search for $config['plugins'] = and add a new value called antiBruteForce, so that it looks like this:
$config['plugins'] = array('virtuser_file',
'archive',
'zipdownload',
'antiBruteForce',
);
Now try to enter an incorrect password several times; roundcube should block your IP address for a while.
Installing Dr Captcha Plugin:
Note: in order to use this plugin successfully, you must have PHP GD installed.
Download Dr Captcha from here: http://sourceforge.net/projects/drcaptcha/
Extract it and upload it to roundcube's plugins directory.
You should have a directory called plugins/drcaptcha.
- Go to plugins/drcaptcha, rename config.inc.php.dist to config.inc.php, then open it and modify the plugin's settings as you wish.
- In order to enable the plugin, go back to roundcube's config directory and open config.inc.php for editing.
- Scroll to the bottom of the file, and search for $config['plugins'] =
- Add a new value called drcaptcha, so that it will look like this:
$config['plugins'] = array('virtuser_file',
'archive',
'zipdownload',
'antiBruteForce',
'drcaptcha',
);
Refresh the login screen; the CAPTCHA should now appear on it.
Force HTTPS to prevent eavesdropping:
Open config/defaults.inc.php and search for:
$config['force_https'] = false;
and change it to:
$config['force_https'] = 443;
Note that defaults.inc.php is replaced when Roundcube is upgraded, so the same line can instead be added to config.inc.php, whose settings override the defaults.
Additionally, if you have fail2ban installed, you can create a filter that scans Roundcube's log files for failed logins and bans the offending IPs.
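The detection logic behind both the antiBruteForce plugin and a fail2ban filter is the same: count failed logins per source IP inside a time window and block the address once a threshold is crossed. The following Python script is an added example, not code from this post, from Roundcube or from fail2ban; it applies that logic to constructed log lines modelled on Roundcube's logs/errors file. The regex, the thresholds (5 failures within 600 seconds, fail2ban's default maxretry and findtime) and the log format are assumptions to verify against your own installation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds; these mirror fail2ban's default maxretry and findtime (assumption).
MAX_RETRY = 5
FIND_TIME = timedelta(seconds=600)

# Failed-login line from Roundcube's logs/errors file. The exact format differs
# between Roundcube versions, so treat this pattern as an assumption and check
# it against a real line from your own log before relying on it.
FAILED_LOGIN = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: (?:<\w+> )?IMAP Error: (?:Login failed|FAILED login) "
    r"for (?P<user>\S+?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (not a real capture), modelled on Roundcube's error log.
# 192.0.2.10 hammers the login; 203.0.113.5 spreads attempts out slowly;
# 198.51.100.7 fails once; one unrelated PHP error line is mixed in.
SAMPLE_LOG = """\
[01-Mar-2014 10:00:01 +0000]: <1a2b3c4d> IMAP Error: Login failed for alice@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:02 +0000]: <9f8e7d6c> IMAP Error: Login failed for bob@example.com from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:09 +0000]: <1a2b3c4d> IMAP Error: Login failed for alice@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:15 +0000]: <5e6f7a8b> PHP Error: Undefined index: foo in /var/www/webmail/program/lib/Roundcube/rcube.php on line 10
[01-Mar-2014 10:00:17 +0000]: <1a2b3c4d> IMAP Error: Login failed for alice@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:24 +0000]: <1a2b3c4d> IMAP Error: Login failed for admin@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:31 +0000]: <1a2b3c4d> IMAP Error: Login failed for admin@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:00:40 +0000]: <1a2b3c4d> IMAP Error: Login failed for admin@example.com from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:03:02 +0000]: <9f8e7d6c> IMAP Error: Login failed for bob@example.com from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:05:30 +0000]: <c0ffee00> IMAP Error: Login failed for carol@example.com from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:06:02 +0000]: <9f8e7d6c> IMAP Error: Login failed for bob@example.com from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:09:02 +0000]: <9f8e7d6c> IMAP Error: Login failed for bob@example.com from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
[01-Mar-2014 10:12:02 +0000]: <9f8e7d6c> IMAP Error: Login failed for bob@example.com from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed
"""


def parse_failed_login(line):
    """Return (timestamp, user, ip) for a failed-login line, or None otherwise."""
    m = FAILED_LOGIN.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %z")
    return ts, m.group("user"), m.group("ip")


def find_offenders(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {ip: timestamp} for every IP that reached max_retry failed logins
    inside a sliding find_time window; this is the rule fail2ban applies."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in banned:          # already banned; fail2ban would drop the packet
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > find_time:
            window.popleft()      # failures older than find_time no longer count
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%Y-%m-%d %H:%M:%S %z})")
```

Run it and only 192.0.2.10 is reported: the slow attempts from 203.0.113.5 stay under the threshold because older failures fall out of the window, which is why findtime and maxretry deserve tuning for your traffic. fail2ban ships a roundcube-auth filter in its filter.d directory that uses the same kind of pattern with <HOST> in place of the ip group; confirm it matches your log's format before enabling the jail.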
Questions? Post them in the comment box below!