[CentOS] CentOS VPN server for iPhone

Thu Mar 26 20:11:37 UTC 2009
Scott Silva <ssilva at sgvwater.com>

on 3-26-2009 1:02 PM Florin Andrei spake the following:
> Les Mikesell wrote:
>> If you have a decent password (on all accounts) I wouldn't worry about 
>> it too much.  Move it to an odd port or even require a client 
>> certificate if your client software supports it.
> The non-standard port is a good trick, but even assuming the iPhone does 
> support it (which is far from certain, the interface is very simple and 
> terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
> overflow, and a script kiddie with patience and a portscanner - even if 
> you send packets to DROP, it's still scannable, it just takes much 
> longer. Port knocking is probably not doable (or not easily) from the 
> iPhone.
> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
>> The usual problem with IPSec is trying to make it work through a NAT 
>> router.   Does your server have a public address of its own?   SSL and 
>> OpenVPN can work through port-forwarding routers.
> I'm aware of the NAT issues. I've a decent amount of experience with 
> IPSec in the enterprise actually, just not with Linux as a concentrator. 
> The usual trick is to enable some sort of UDP tunneling, and then a good 
> part of those issues is alleviated. The question is whether the Linux 
> IPSec server supports UDP encapsulation (and whether the iPhone client 
> does too).
> The machine has a public interface exposed directly to the Internet, so 
> that simplifies things a bit.
I have several IMAP servers exposed. I just run fail2ban and it drops the
script kiddies and the brute force attacks after a couple of tries.
Unless the attacker already knows the username and password, that should stop
them cold.

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
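
The ban-after-a-few-failures behaviour described in this message, sketched as an added example (not part of the original post and not fail2ban's own code). The Dovecot-style log lines are constructed, and `MAXRETRY`, `FINDTIME` and `find_bans` are assumed names and values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                        # failures tolerated before a ban (assumed value)
FINDTIME = timedelta(minutes=10)    # window in which failures are counted (assumed)

# Constructed, Dovecot-style sample lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 26 13:00:01 mail dovecot: imap-login: Aborted login (auth failed): user=<admin>, rip=203.0.113.7
Mar 26 13:00:03 mail dovecot: imap-login: Aborted login (auth failed): user=<root>, rip=203.0.113.7
Mar 26 13:00:04 mail dovecot: imap-login: Aborted login (auth failed): user=<florin>, rip=198.51.100.20
Mar 26 13:00:05 mail dovecot: imap-login: Aborted login (auth failed): user=<test>, rip=203.0.113.7
Mar 26 13:00:09 mail dovecot: imap-login: Login: user=<florin>, rip=198.51.100.20
Mar 26 13:00:10 mail dovecot: imap-login: Aborted login (auth failed): user=<info>, rip=203.0.113.7
Mar 26 13:02:00 mail dovecot: imap-login: Login: user=<scott>, rip=192.0.2.99
"""

FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: imap-login: "
                     r"Aborted login \(auth failed\).*\brip=([0-9a-fA-F.:]+)")

def find_bans(log_text, year=2009):
    """Return {ip: time of ban} for IPs with MAXRETRY failures inside FINDTIME."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans:
            continue                # already banned; a real firewall would drop it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()        # forget failures older than the window
        if len(window) >= MAXRETRY:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

On the sample, only 203.0.113.7 is banned, at its third failure; the user with a single mistyped password is left alone, and a login that succeeds on the first try never produces a failure line to count.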
