[CentOS] CentOS VPN server for iPhone
Scott Silva
ssilva at sgvwater.com
Thu Mar 26 20:11:37 UTC 2009
on 3-26-2009 1:02 PM Florin Andrei spake the following:
> Les Mikesell wrote:
>> If you have a decent password (on all accounts) I wouldn't worry about
>> it too much. Move it to an odd port or even require a client
>> certificate if your client software supports it.
>
> The non-standard port is a good trick, but even assuming the iPhone does
> support it (which is far from certain, the interface is very simple and
> terse), I'm still a bit uncomfortable. All it takes is a stupid buffer
> overflow, and a script kiddie with patience and a portscanner - even if
> you send packets to DROP, it's still scannable, it just takes much
> longer. Port knocking is probably not doable (or not easily) from the
> iPhone.
>
> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
>
>> The usual problem with IPSec is trying to make it work through a NAT
>> router. Does your server have a public address of its own? SSL and
>> OpenVPN can work through port-forwarding routers.
>
> I'm aware of the NAT issues. I've a decent amount of experience with
> IPSec in the enterprise actually, just not with Linux as a concentrator.
> The usual trick is to enable some sort of UDP tunneling, and then a good
> part of those issues is alleviated. The question is whether the Linux
> IPSec server supports UDP encapsulation (and whether the iPhone client
> does too).
>
> The machine has a public interface exposed directly to the Internet, so
> that simplifies things a bit.
>
I have several IMAP servers exposed. I just run fail2ban and it drops the
script kiddies and the brute force attacks after a couple of tries.
Unless the attacker already knows the username and password, that should stop
them cold.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
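
The ban-after-a-few-failures behaviour mentioned in the reply above, shown as an added sketch. It is not part of the original message and is not fail2ban's own code. The option names maxretry, findtime and bantime are borrowed from fail2ban; the log format, addresses and function name are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post); the format is
# only loosely modelled on an IMAP login log.
SAMPLE_LOG = """\
2009-03-26T20:00:01 imap-login: auth failed user=<root> rip=203.0.113.5
2009-03-26T20:00:03 imap-login: auth failed user=<admin> rip=203.0.113.5
2009-03-26T20:00:04 imap-login: Login user=<scott> rip=198.51.100.7
2009-03-26T20:00:06 imap-login: auth failed user=<test> rip=203.0.113.5
2009-03-26T20:00:09 imap-login: auth failed user=<scott> rip=198.51.100.7
2009-03-26T20:20:00 imap-login: auth failed user=<scott> rip=198.51.100.7
2009-03-26T20:40:00 imap-login: auth failed user=<scott> rip=198.51.100.7
"""

FAIL_RE = re.compile(r"^(\S+) imap-login: auth failed user=<[^>]*> rip=(\S+)$")


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10)):
    """Return [(ip, ban_start, ban_end)] for hosts with maxretry failures in findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue              # successful logins and other lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; a firewall rule would drop this
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} from {start} until {end}")
```

In the sample, the host with three failures in five seconds is banned, while the mailbox owner's three mistyped passwords spread over forty minutes never fall inside one findtime window.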