As a concerned member of your site, I thought I'd bring this up.
1. You shouldn't be advertising all these services on your main domain, let alone on the standard/well known ports. Get them to listen on a sub-domain on non-conventional ports.
2. Although, I will give you credit for this. Public/Private key 2-factor auth is good. :) - You could go one step further and make sysadmins log into a VPN service and only allow hosts on the VPN subnet to connect.
3. You're using FTP, which is completely unencrypted; switch to FTP over SSL. Also, the system logon banner is advertising that you're running Pure-FTPd. If I were a malicious uB3r Hax0r, I would be searching public CVE vulnerability lists to see if there are any known exploits for this.
4. Why is your server listening on 143 when your IMAP service doesn't allow authentication over plaintext? You have an IMAPS service running on here!
I could go on and on and on... - but I'd rather this stuff got addressed first.
Thank you for this post. It's good to know there is at least one user investigating potential holes in our security :)
"1. You shouldn't be advertising all these services on your main domain, let alone on the standard/well known ports. Get them to listen on a sub-domain on non-conventional ports."
We don't advertise them. They can be discovered by anyone. Changing the ports or using a different domain/subdomain is just "false security". The key point here is to prevent anyone using them.
"2. Although, I will give you credit for this. Public/Private key 2-factor auth is good."
Correct - we don't allow password authentication on our servers.
"3. You're using FTP, which is completely unencrypted; switch to FTP over SSL."
We don't have plain FTP activated. You wouldn't be able to use unencrypted FTP.
If you tried to log in, you'd get: "421 Sorry, cleartext sessions and weak ciphers are not accepted on this server."
Plus, you need Public/Private key to use FTP. Passwords are not allowed.
We have uninstalled FTP and our server isn't listening for FTP anymore.
"4. Why is your server listening on 143 when your IMAP service doesn't allow authentication over plaintext?"
Good question. I guess the service just enables it by default. It is intentionally not accepting requests, anyway, so that's what matters :)
We have closed the IMAP port now.
"I could go on and on and on..."
Please feel free to let us know of more issues you see!
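The two FTP claims in the reply above (the greeting names Pure-FTPd; a cleartext login attempt is answered with a 421) can be checked from the outside with a small self-audit. This is an added example, not the site's own tooling; the hostname/port passed to `probe_ftp` and the constructed transcript are assumptions, and the live check sends only a dummy USER name, never a password.

```python
"""Defender-side self-check for an FTP endpoint: does the greeting disclose the
server product, and is a cleartext login attempt refused with a 421?
Added example, not the site's own code; host/port are placeholders."""
import re
import socket

PRODUCT_RE = re.compile(r"Pure-FTPd", re.IGNORECASE)          # banner disclosure quoted on the page
REFUSED_RE = re.compile(r"^421\b.*cleartext", re.IGNORECASE)  # "421 Sorry, cleartext sessions ..."

def read_reply(readline):
    """Collect one FTP reply. RFC 959 multi-line replies continue with 'NNN-'
    and end with a line starting 'NNN ' (or a bare 'NNN')."""
    lines = []
    while True:
        raw = readline()
        if not raw:                      # peer closed the connection
            break
        line = raw.rstrip("\r\n")
        lines.append(line)
        if re.match(r"^\d{3}( |$)", line):
            break
    return lines

def audit_ftp(banner, reply_to_user):
    """Classify a greeting and the reply to one cleartext USER command."""
    return {
        "product_disclosed": any(PRODUCT_RE.search(l) for l in banner),
        "cleartext_refused": any(REFUSED_RE.match(l) for l in reply_to_user),
    }

def probe_ftp(host, port=21, timeout=5.0):
    """Live check: read the greeting, send a cleartext USER with a dummy name,
    and classify the answer. No password is ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")
        banner = read_reply(f.readline)
        f.write("USER anonymous\r\n")
        f.flush()
        return audit_ftp(banner, read_reply(f.readline))

def audit_constructed_transcript():
    """Offline run over a constructed transcript mirroring the 421 quoted above."""
    greeting = ["220---------- Welcome to Pure-FTPd [TLS] ----------\r\n",
                "220 You will be disconnected after 15 minutes of inactivity.\r\n"]
    refusal = ["421 Sorry, cleartext sessions and weak ciphers are not accepted on this server.\r\n"]
    g, r = iter(greeting), iter(refusal)
    return audit_ftp(read_reply(lambda: next(g, "")), read_reply(lambda: next(r, "")))

if __name__ == "__main__":
    print(audit_constructed_transcript())   # {'product_disclosed': True, 'cleartext_refused': True}
```

A result of `cleartext_refused: False` on a live run means the port still accepts plaintext logins and should be closed or forced to TLS; `product_disclosed: True` means the banner still names the daemon.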
I have tried to communicate with Nuno and Andrew numerous times; I've even offered to assist the site on a voluntary basis. They simply don't reply to me. It's only a matter of time until a script kiddie owns this site.
They don't even moderate the questions/stories that get posted here. The amount of shit that gets put on here is slowly wrecking the site anyway.
It means when the Russians hack this site we're gonna lose our SW coins. So be on the lookout for a loss of SW coins while some hack is sending all the gifts mysteriously 🤣