MrSpecialEnough · 22-25, M
Are you IchBin?
TheFakeSlimShady · 31-35, M
I have no idea what you're talking about.
MrSpecialEnough · 22-25, M
@TheFakeSlimShady: Come on, dawg.
LoveChild · 26-30, F
He doesn't seem icky enough.

Nuno · Admin
Hello,

Thank you for this post. It's good to know there is at least one user investigating potential holes in our security :)

[quote]"1. You shouldn't be advertising all these services on your main domain, let alone on the standard/well known ports. Get them to listen on a sub-domain on non-conventional ports."[/quote]

We don't advertise them. They can be discovered by anyone.
Changing the ports or using a different domain/subdomain is just "false security".
The key point here is to prevent anyone using them.

[quote]"2. Although, I will give you credit for this. Public/Private key 2-factor auth is good."[/quote]

Correct - we don't allow password authentication on our servers.

[quote]"3. You're using FTP, which is completely unencrypted, switch to FTP over SSL."[/quote]

We don't have plain FTP activated. You wouldn't be able to use unencrypted FTP.

If you tried to login, you'd get:
"421 Sorry, cleartext sessions and weak ciphers are not accepted on this server."

Plus, you need Public/Private key to use FTP. Passwords are not allowed.

We have uninstalled FTP and our server isn't listening to FTP anymore.

[quote]"4. Why is your server listening on 143 when your IMAP service doesn't allow authentication over plaintext?"[/quote]

Good question. I guess the service just enables it by default.
It is intentionally not accepting requests, anyway, so that's what matters :)

We have closed the IMAP port now.

[quote]"I could go on and on and on..."[/quote]

Please feel free to let us know of more issues you see!

Thank you,
Nuno
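
Added example, not part of the thread or the site's own code: an offline check of the two claims in the reply above, that cleartext FTP logins are refused and that IMAP on 143 accepts no plaintext authentication. It reads reply lines you captured from your own server; the function names and every sample line except the 421 message quoted above are constructed for illustration.

```python
import re

# SASL mechanisms that send the password unprotected unless TLS is already up.
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}

def ftp_cleartext_refused(reply: str) -> bool:
    """True when the reply to a USER command sent without TLS is a refusal (4xx/5xx)."""
    m = re.match(r"(\d)\d\d[ -]", reply.strip())
    if not m:
        raise ValueError(f"not an FTP reply line: {reply!r}")
    return m.group(1) in "45"   # 331/230 would mean the cleartext login proceeds

def imap_capabilities(line: str) -> set:
    """Capability tokens from a greeting or an untagged CAPABILITY response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    return set(m.group(1).upper().split()) if m else set()

def imap_cleartext_auth_refused(line: str) -> bool:
    """LOGINDISABLED (RFC 3501) blocks LOGIN; plaintext SASL must also be absent."""
    caps = imap_capabilities(line)
    return "LOGINDISABLED" in caps and not (caps & PLAINTEXT_SASL)

def audit(ftp_reply: str, imap_line: str) -> list:
    """Return findings for one pair of pre-TLS replies; an empty list means both claims hold."""
    findings = []
    if not ftp_cleartext_refused(ftp_reply):
        findings.append("FTP: server continues a cleartext login")
    if not imap_cleartext_auth_refused(imap_line):
        findings.append("IMAP: plaintext authentication offered before TLS")
    elif "STARTTLS" not in imap_capabilities(imap_line):
        findings.append("IMAP: no auth and no STARTTLS on this port; consider closing it")
    return findings

# Sample lines: FTP_OK is the message quoted in the reply, the rest are constructed.
FTP_OK = "421 Sorry, cleartext sessions and weak ciphers are not accepted on this server."
FTP_BAD = "331 Password required for alice"
IMAP_OK = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
IMAP_BAD = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"
IMAP_DEAD = "* OK [CAPABILITY IMAP4rev1 LOGINDISABLED] ready"

if __name__ == "__main__":
    for ftp, imap in [(FTP_OK, IMAP_OK), (FTP_BAD, IMAP_BAD), (FTP_OK, IMAP_DEAD)]:
        print(audit(ftp, imap) or "no findings")
```
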
LikeMind · M
It's good to know that there are some techs out there keeping an eye on security issues, albeit they are site users and not admins.
TheFakeSlimShady · 31-35, M
I've asked to get involved with the site on a voluntary basis many times... - I haven't had a response from them.
LikeMind · M
@TheFakeSlimShady: Is it easy for someone with your skill set to access the firewall?
TheFakeSlimShady · 31-35, M
@LikeMind: It's not that simple. :)
SW-User
* builds wall around you *
Ikr.. 😳
HaHLoBravado · 36-40, M
I think nerds are sooo groovy 😍
shakenama · M
You need to bring this up to https://similarworlds.com/Andrew
Looks as though he's an admin
TheFakeSlimShady · 31-35, M
I have tried to communicate with Nuno and Andrew numerous times, I've even offered to assist the site on a voluntary basis. They simply just don't reply to me. It's only a matter of time until a script kiddie owns this site.

They don't even moderate the questions/stories that get posted here. The amount of shit that gets put on here is slowly wrecking the site anyway.
shakenama · M
@TheFakeSlimShady: yup... I've only been on for a week and noticed the lack of moderators. All the adult stuff being posted is making this trashy.
Socialclutz · 36-40, M
It means when the Russians hack this site we're gonna lose our SW coins. So be on the look out for a loss of sw coins while some hack is sending all the gifts mysteriously 🤣