On Thu, Dec 15, 2005 at 10:19:48PM +0000, kevin bailey wrote: > good point - also the fact that the users stick their email passwords to > their monitors using postits!
Well, at least there's still *some* level of physical security there; an attacker has to be at your user's desk to get the password. Plus, given the choice between having your users use weak but easy to remember passwords and having them use complex passwords that they have to write down, the latter is the better option. I'd suggest that they keep their password in their wallet or something, though, and only take it out when they need it. Treat it like a credit card or something, and it's basically safe. > i'm almost thinking to switch the webmail service to normal apache - this > would save me from having to run apache-ssl altogether. > > the email accounts are virtual accounts and are not system/FTP accounts run > on a courier email server. Apache+mod_ssl is the way to go. If your users will only access their mail via the web interface, then configure your your IMAP server to only listen on the loopback interface. > > It may be nothing. The fact that it showed up as filterd in the nmap > > output indicates that nmap didn't received a TCP RST packet back when it > > tried to contact that port. That may mean you have iptables configured > > to DROP packets to that port. > > iptables has not been set up - but i take what you say. > > so if i set up a firewall and drop nearly all packets does nmap report ports > as unfiltered? ^^^^^^^^^^ You mean filtered. Yes. Normally, when a TCP SYN is sent to a port with nothing on it, the OS sends back a TCP RST packet, basically saying "there's nothing here". If you configure iptables to DROP the packets, then nmap realizes that it didn't get the RST back and lists the port as filtered. If you want to firewall off a port such that it appears to the outside world that there is nothing on that port at all, use "-j REJECT --reject-with tcp-reset" in the iptables rule. As Florian pointed out, though, it's likely that your ISP is actually dropping the SYN packet, and that's why nmap isn't getting the RST back. Your OS never sees the SYN at all so it never sends back the RST. noah
signature.asc
Description: Digital signature