[PLUG] Re: Are you the same Brent . . .

Brent Bice bbice at persistence.com
Wed Jul 10 19:25:04 UTC 2002


> That grew up in Albuquerque and ran a BBS or two in the
> mid-late 80s?

   Hey, whaddya know!  Small world, eh?  Yeah, it's me, the Brent that
fooled around with ROS and some other BBSes (and even wrote my own in
interpreted basic on a NEC Z80 based machine with 64k of memory - grin).

   Remember John?  He's doin' consulting work for ARIN and some of the
other internet bigwigs, and starting up his own internet registrar service.
He ran a small ISP for a while before that.

   But this was s'posed to be 'bout webmail.  Yeah, I'd run squirrelmail
rather than just exposing IMAP on port 8080.  Even if your IMAP server
supports ssl and you've got it configured so the ssl port is on 8080,
it's another point of attack on your machine.  And IMAP servers tend to
be less easily kept secured than, say, Apache.  There've been several
remotely exploitable hacks for various IMAP servers in the past few years,
but very very few serious holes in Apache in the last 7 years at
least. :-)

   My preferred method is to run Apache/PHP/mod_ssl on one machine, expose
ONLY port 443 to the outside world (or perhaps port 8443 - whatever port
you configure apache/mod_ssl to listen on).  Then have your IMAP server be
on a separate machine entirely.  That way, you can configure a firewall
between the outside world and your Apache webserver, and even if they DO
manage to hack squirrelmail or Apache, there's nothin' on the server
itself for them to download (except for perhaps your squirrelmail
preferences).  No username/password pairs are stored on the squirrelmail
server -- that's all on the IMAP server.

   And since you only expose https to the outside world, when you log in
you won't be sharing your password with anyone between you and the
webserver armed with a network sniffer. :-) And there's another side
benefit to only exposing the SSL port on the webserver.  When (not if, but
when) another security hole in your webserver of choice is found, the
crackers will be portscanning on port 80 for webservers to break in to.
I see thousands of portscans per day on port 80, but never on port 443.

Brent
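The last observation, that scans land on port 80 rather than 443, is easy to measure from the firewall's own logs. The script below is an added example, not part of Brent's message or of squirrelmail, Apache or any other tool he names. It assumes (hypothetically) that inbound TCP SYNs are logged with the netfilter LOG target under a `FW-IN:` prefix and that 443 is the only port meant to be reachable from outside; the log lines are constructed and use documentation address ranges.

```python
"""Count inbound connection attempts per destination port from netfilter LOG lines.

Added example, not from the original post. Assumed logging rule (hypothetical):
  iptables -A INPUT -i eth0 -p tcp --syn -j LOG --log-prefix "FW-IN: "
Only port 443 is assumed to be intentionally exposed; every other port that
shows up is scan noise that the firewall should already be dropping.
"""
import re
from collections import defaultdict

# Constructed sample log lines for offline use (documentation ranges, made-up MAC).
SAMPLE_LOG = """\
Jul 10 19:01:02 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 10 19:01:03 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 10 19:02:10 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7 DF PROTO=TCP SPT=3344 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 19:03:15 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=3345 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 19:04:00 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10 DF PROTO=TCP SPT=3346 DPT=143 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 19:05:30 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=21 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 10 19:06:00 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 10 19:07:00 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.8 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=20
"""

# Match only TCP packets that carry the SYN flag: a new connection attempt.
# ACK-only packets (established flows) and non-TCP packets are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_syn_attempts(log_text):
    """Return a list of (source_ip, destination_port) for every logged TCP SYN."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            attempts.append((m.group("src"), int(m.group("dpt"))))
    return attempts


def summarise_by_port(log_text, allowed_ports=frozenset({443})):
    """Aggregate SYN attempts per destination port.

    Returns (per_port, probed_closed_ports) where per_port maps a port to
    {"attempts": count, "sources": set of source IPs} and probed_closed_ports
    lists ports that were hit but are not in allowed_ports (scan noise).
    """
    per_port = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for src, dport in parse_syn_attempts(log_text):
        per_port[dport]["attempts"] += 1
        per_port[dport]["sources"].add(src)
    probed_closed = sorted(p for p in per_port if p not in allowed_ports)
    return dict(per_port), probed_closed


def report(log_text, allowed_ports=frozenset({443})):
    """Render a short per-port table, busiest port first."""
    per_port, probed_closed = summarise_by_port(log_text, allowed_ports)
    lines = ["port  attempts  distinct_sources  status"]
    for port, info in sorted(per_port.items(), key=lambda kv: -kv[1]["attempts"]):
        status = "exposed" if port in allowed_ports else "closed (scan noise)"
        lines.append(f"{port:<5} {info['attempts']:>8}  {len(info['sources']):>16}  {status}")
    lines.append(f"closed ports probed: {probed_closed}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the constructed lines, port 80 shows four attempts from three sources, port 143 one, and 443 one; the ACK-only and UDP lines are skipped. Pointing it at a real `/var/log/messages` (or `journalctl -k` output) gives the per-port picture Brent describes, and a non-empty "closed ports probed" list with 443 as the only allowed port is exactly the scan traffic a single-port exposure leaves on the floor.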
