on 3-26-2009 1:02 PM Florin Andrei spake the following:
> Les Mikesell wrote:
>> If you have a decent password (on all accounts) I wouldn't worry about
>> it too much. Move it to an odd port or even require a client
>> certificate if your client software supports it.
>
> The non-standard port is a good trick, but even assuming the iPhone does
> support it (which is far from certain, the interface is very simple and
> terse), I'm still a bit uncomfortable. All it takes is a stupid buffer
> overflow, and a script kiddie with patience and a portscanner - even if
> you send packets to DROP, it's still scannable, it just takes much
> longer. Port knocking is probably not doable (or not easily) from the
> iPhone.
>
> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
>
>> The usual problem with IPSec is trying to make it work through a NAT
>> router. Does your server have a public address of its own? SSL and
>> OpenVPN can work through port-forwarding routers.
>
> I'm aware of the NAT issues. I've a decent amount of experience with
> IPSec in the enterprise actually, just not with Linux as a concentrator.
> The usual trick is to enable some sort of UDP tunneling, and then a good
> part of those issues is alleviated. The question is whether the Linux
> IPSec server supports UDP encapsulation (and whether the iPhone client
> does too).
>
> The machine has a public interface exposed directly to the Internet, so
> that simplifies things a bit.
>

I have several IMAP servers exposed. I just run fail2ban and it drops the
script kiddies and the brute force attacks after a couple of tries. Unless
the attacker already knows the username and password, that should stop
them cold.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
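As an added illustration of the fail2ban approach in the reply above (example code, not from the thread and not fail2ban's own code): a small Python re-implementation of fail2ban's maxretry/findtime logic, run over constructed dovecot-style IMAP login failures. The log format, the regex and the 2009 year are assumptions modelled on dovecot's imap-login messages, not fail2ban's real dovecot filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Match one failed IMAP login. Assumption: a dovecot-style imap-login line;
# this is a simplified stand-in, not fail2ban's own dovecot filter.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)

def parse_ts(stamp, year=2009):
    # syslog stamps carry no year; assume one (the thread is from 2009)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures within
    findtime seconds, mirroring fail2ban's maxretry/findtime semantics."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:                # successful logins and other noise
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:         # already dropped by the firewall rule
            continue
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):  # slide the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar 26 13:05:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 26 13:05:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 26 13:05:04 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar 26 13:05:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 26 13:20:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar 26 13:40:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar 26 13:41:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the default 3 tries in 10 minutes only the rapid-fire host is banned; the user who mistypes a password three times over 21 minutes is not, which is the findtime window doing its job.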
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos