Les Mikesell wrote:
>
> If you have a decent password (on all accounts) I wouldn't worry about
> about it too much. Move it to an odd port or even require a client
> certificate if your client software supports it.
The non-standard port is a good trick, but even assuming the iPhone does
support it (which is far from certain, the interface is very simple and
terse), I'm still a bit uncomfortable. All it takes is a stupid buffer
overflow, and a script kiddie with patience and a portscanner - even if
you send packets to DROP, it's still scannable, it just takes much
longer. Port knocking is probably not doable (or not easily) from the
iPhone.
Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
> The usual problem with IPSec is trying to make it work through a NAT
> router. Does your server have a public address of its own? SSL and
> OpenVPN can work through port-forwarding routers.
I'm aware of the NAT issues. I've a decent amount of experience with
IPSec in the enterprise actually, just not with Linux as a concentrator.
The usual trick is to enable some sort of UDP tunneling, and then a good
part of those issues is alleviated. The question is whether the Linux
IPSec server supports UDP encapsulation (and whether the iPhone client
does too).
The machine has a public interface exposed directly to the Internet, so
that simplifies things a bit.
--
Florin Andrei
http://florin.myip.org/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
