As a concerned member of your site, I thought I'd bring this up.
1. You shouldn't be advertising all these services on your main domain, let alone on the standard/well known ports. Get them to listen on a sub-domain on non-conventional ports.
2. Although, I will give you credit for this. Public/Private key 2-factor auth is good. :) - You could go one step further and make sysadmins log into a VPN service and only allow hosts on the VPN subnet to connect.
3. You're using FTP, which is completely unencrypted, switch to FTP over SSL. Also, the system log on banner is advertising that you're running Pure-FTPd. If I was a malicious uB3r Hax0r. I would be searching public CVE vulnerability lists to see if there are any known exploits for this.
4. Why is your server listening on 143 when your IMAP service doesn't allow authentication over plaintext? You have an IMAPS service running on here!
I could go on and on and on... - But I'd rather this stuff get addressed first.
This page is a permanent link to the reply below and its nested replies. See all post replies »
