Re: CentOS VPN server for iPhone




Les Mikesell wrote:
> 
> If you have a decent password (on all accounts) I wouldn't worry about 
> it too much.  Move it to an odd port or even require a client 
> certificate if your client software supports it.

The non-standard port is a good trick, but even assuming the iPhone does 
support it (which is far from certain, the interface is very simple and 
terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
overflow, and a script kiddie with patience and a portscanner - even if 
you send packets to DROP, it's still scannable, it just takes much 
longer. Port knocking is probably not doable (or not easily) from the 
iPhone.

Maybe I don't trust the IMAP server enough to expose it. Maybe I should.

> The usual problem with IPSec is trying to make it work through a NAT 
> router.   Does your server have a public address of its own?   SSL and 
> OpenVPN can work through port-forwarding routers.

I'm aware of the NAT issues. I've a decent amount of experience with 
IPSec in the enterprise actually, just not with Linux as a concentrator. 
The usual trick is to enable some sort of UDP tunneling, and then a good 
part of those issues is alleviated. The question is whether the Linux 
IPSec server supports UDP encapsulation (and whether the iPhone client 
does too).

The machine has a public interface exposed directly to the Internet, so 
that simplifies things a bit.

-- 
Florin Andrei

http://florin.myip.org/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
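Added illustration, not part of the thread above: the "UDP tunneling" Florin refers to is IPsec NAT-Traversal, which has two parts. During IKE phase 1 each peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) computed over the address it believes it is using (RFC 3947); the other side recomputes the hash over the source address it actually observed, and a mismatch means a NAT rewrote the packet in transit, so both sides switch to UDP port 4500 and encapsulate ESP in UDP (RFC 3948). On 4500, IKE is prefixed with a four-zero-octet non-ESP marker, a lone 0xFF octet is a NAT keepalive, and anything else is ESP (its SPI is never zero). The code below is my own example of that logic; the cookies, addresses and ports are constructed for the demonstration, and SHA-1 stands in for whatever hash IKE negotiated. Linux has carried the kernel side of this (ESP-in-UDP via the UDP_ENCAP socket option) since 2.6, so the question Florin raises is really about the userland daemon and the client.

```python
import hashlib
import ipaddress
import struct

# Constructed example of IKEv1 NAT detection (RFC 3947 sect. 3.2) and of
# demultiplexing traffic on UDP 4500 once NAT-T is active (RFC 3948).


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hashfn=hashlib.sha1) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    IP is the packed 4- or 16-byte address, Port is 2 bytes, network order.
    hashfn is the hash IKE negotiated; SHA-1 is assumed here."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashfn(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_between(cky_i: bytes, cky_r: bytes,
                claimed_ip: str, claimed_port: int,
                observed_ip: str, observed_port: int,
                hashfn=hashlib.sha1) -> bool:
    """Receiver-side check. The peer hashed the address it thinks it sends
    from; we hash the address the datagram really arrived from. A mismatch
    means a NAT rewrote the source address and/or port in transit."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port, hashfn)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hashfn)
    return sent != seen


def classify_udp4500(payload: bytes) -> str:
    """What a datagram on UDP port 4500 is, per RFC 3948:
    - exactly one 0xFF octet          -> NAT keepalive
    - four zero octets then IKE header -> IKE (non-ESP marker)
    - anything else of ESP length      -> UDP-encapsulated ESP
      (first four octets are the SPI, which is never zero)"""
    if payload == b"\xff":
        return "NAT-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "IKE"
    if len(payload) >= 8:  # SPI (4) + sequence number (4) at minimum
        return "ESP"
    return "invalid"


def demo() -> dict:
    """Two constructed phase-1 exchanges as seen by the server."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # constructed responder cookie

    # Phone on a home LAN: it hashes its private address (all it can see),
    # but the server sees the NAT router's public address and a new port.
    client_behind_nat = nat_between(cky_i, cky_r,
                                    "192.168.1.10", 500,     # what client hashed
                                    "203.0.113.5", 41234)    # what server observed

    # Server with its own public interface (the case in the thread): the
    # NAT-D hash it sends matches what the client observes, no NAT there.
    server_direct = nat_between(cky_i, cky_r,
                                "198.51.100.7", 500,
                                "198.51.100.7", 500)

    return {"client_behind_nat": client_behind_nat,
            "server_direct": server_direct,
            # Both peers see a NAT on at least one side -> use UDP 4500.
            "use_udp_encapsulation": client_behind_nat or server_direct}


if __name__ == "__main__":
    print(demo())
    ike = b"\x00\x00\x00\x00" + bytes(28)          # marker + zeroed IKE header
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01"  # SPI 0x1001, seq 1
    for pkt in (b"\xff", ike, esp):
        print(classify_udp4500(pkt))
```

Usage note: in the NAT-D check the server only needs the source address and port from the UDP socket; it never has to know the client's private address, which is why the scheme works through an arbitrary NAT as long as both ends implement it. If the iPhone client did not send NAT-D payloads at all, the server would have nothing to compare and would fall back to plain ESP, which is exactly the case that fails behind NAT.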