Koozali.org: home of the SME Server

e-smith security?

Stuart (Perth)

e-smith security?
« on: October 24, 2000, 07:57:47 PM »
If you turn both Telnet and FTP to be accessed privately how can someone "crack" into the e-smith box?  One of the client's employees claims to be able to access the internal network from home :-(

If he can, who else can? I haven't seen him do this, nor do I think he has the knowledge to be able to do so.

Any help in this area would be great.

Thanks
Stuart

Justin

RE: e-smith security?
« Reply #1 on: October 24, 2000, 08:11:22 PM »
If you have added his home IP address to the local networks option then he would be able to use both FTP and Telnet because the server has designated his home address a local network. You may have done this if he needs to use his email from home.

As far as outside intruders being able to access these ports, I see it as highly unlikely. They may be able to see the ports from the outside but when they try accessing them they will be denied.

I have been blasting my 4.0 server for 6 months trying to find a way to break the security with no luck. Even a forged packet faking a trusted local network that could get through doesn't help any outside intruders because the response would not come back to them.

I have been working with fragrouter to see if I can map an internal network behind e-smith with no public access, watch this forum for results.

Gordon Rowell

RE: e-smith security?
« Reply #2 on: October 24, 2000, 08:20:25 PM »
Justin wrote:

> [...]
> I have been blasting my 4.0 server for 6 months trying to find
> a way to break the security with no luck. Even a forged packet
> faking a trusted local network that could get through doesn't
> help any outside intruders because the response would not come
> back to them.

Thank you for the support. We do not believe that there are any
vulnerabilities in e-smith. Previous reports have been found to
be due to local modifications and not a weakness in e-smith as
shipped.

> I have been working with fragrouter to see if I can map an
> internal network behind e-smith with no public access, watch
> this forum for results.

We would certainly be interested in the results. However, public
forums are _NOT_ the place to discuss security vulnerabilities
if any are found. You should always alert the vendor (in this case
e-smith) first and give them time to respond and/or correct before
posting to a public forum.

We take security very seriously - if you do find or suspect security
vulnerabilities, please send the information to security@e-smith.com

We investigate security issues as a top priority. As I have said, we
are not aware of any vulnerabilities in unmodified e-smith servers.

Gordon

Justin

RE: e-smith security?
« Reply #3 on: October 24, 2000, 08:39:51 PM »
Apologies, what I was thinking and actually typing were two different things.

I do not plan on posting the actual results of all this testing to the forum, "results" meaning any techniques or patches to increase the security as a result of the tests.