mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Don't reveal that the box is a Mail-in-a-Box #440

Open nomandera opened 9 years ago

nomandera commented 9 years ago

Currently, to identify the system as Mail-in-a-Box, a user simply has to browse to the admin GUI.

Even without any credentials this means anyone can trivially identify the system as MIAB.

This also opens the door for Google mining MIAB-installed servers.

Cosmetically it is less attractive, but until a user is logged in the web GUI would ideally be generic and unidentifiable.

JoshData commented 9 years ago

The admin pages have:

`<meta name="robots" content="noindex, nofollow">`

And so I don't believe they appear in search engines. And there's really a limit to how hidden it can be --- the source code of the HTML page will easily give it away.

More of a problem could be the default index.html page shipped for the root path.

nomandera commented 9 years ago

I perhaps chose a bad example using Google, as they will generally honor robots.txt and your example above, but there are as many that will simply ignore this "honor system" scrape setting.

Setting an nginx HTTP basic password would be an ideal solution, but from a user's point of view it is ugly and not supportable, i.e. two passwords.

I agree that there is a limit to how hidden it can be but I think we have some room left to make it less obvious.

nomandera commented 9 years ago

Another one for consideration:

`220 box.domain.com ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)`

I am not sure what value there is in telling everyone this?
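The two disclosure channels raised in this thread, the SMTP greeting banner and the admin page markup, can both be audited offline. The following Python script is an added example, not code from this issue or from the Mail-in-a-Box project. It flags product, OS and MTA names in a greeting line, computes the greeting Postfix would send from a `main.cf` fragment (using the documented defaults `smtpd_banner = $myhostname ESMTP $mail_name` and `mail_name = Postfix`), and checks an HTML page for the `noindex` robots directive. All banners, config fragments and HTML below are constructed samples; the marker list is an assumption chosen for this example.

```python
"""Offline audit helpers for software-disclosure checks on a mail host.

Hypothetical example code. The sample banners, main.cf fragments and HTML
below are constructed for illustration, not captured from a real server.
"""
import re

# Names that reveal the product, OS or MTA when they appear in a banner or
# page. This list is an assumption for the example; extend it as needed.
PRODUCT_MARKERS = ("Mail-in-a-Box", "mailinabox", "Postfix", "Ubuntu",
                   "Debian", "Dovecot", "nginx")

# Postfix defaults as documented in postconf(5). myhostname has no fixed
# default (it is derived from the system hostname), so a placeholder is used
# when the config does not set it.
POSTFIX_DEFAULTS = {
    "smtpd_banner": "$myhostname ESMTP $mail_name",
    "mail_name": "Postfix",
}

# Constructed sample greetings (the first mirrors the banner quoted above).
SAMPLE_BANNERS = [
    "220 box.example.com ESMTP Hi, I'm a Mail-in-a-Box "
    "(Ubuntu/Postfix; see https://mailinabox.email/)",
    "220 box.example.com ESMTP",
    "220 mx.example.net ESMTP Postfix (Debian/GNU)",
]

# Constructed main.cf fragments: one relying on defaults, one hardened.
MAIN_CF_DEFAULT = "myhostname = box.example.com\n"
MAIN_CF_HARDENED = ("myhostname = box.example.com\n"
                    "# Keep the hostname (required by SMTP), drop the rest\n"
                    "smtpd_banner = $myhostname ESMTP\n")

# Constructed admin-page fragment carrying the robots directive.
SAMPLE_HTML_NOINDEX = ('<html><head><title>Control Panel</title>'
                       '<meta name="robots" content="noindex, nofollow">'
                       '</head></html>')


def banner_disclosures(text: str) -> list:
    """Return the markers from PRODUCT_MARKERS found as whole words in text."""
    found = []
    for marker in PRODUCT_MARKERS:
        pattern = r"(?<![\w-])" + re.escape(marker) + r"(?![\w-])"
        if re.search(pattern, text, re.IGNORECASE):
            found.append(marker)
    return found


def parse_main_cf(text: str) -> dict:
    """Parse 'key = value' lines of a Postfix main.cf, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def expand(value: str, params: dict, depth: int = 0) -> str:
    """Expand $name / ${name} references from the config, then defaults."""
    if depth > 10:  # guard against self-referential config
        return value

    def repl(match):
        name = match.group(1) or match.group(2)
        inner = params.get(name, POSTFIX_DEFAULTS.get(name, "<" + name + ">"))
        return expand(inner, params, depth + 1)

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", repl, value)


def effective_banner(main_cf_text: str) -> str:
    """Greeting text Postfix would send (without the leading '220 ')."""
    params = parse_main_cf(main_cf_text)
    banner = params.get("smtpd_banner", POSTFIX_DEFAULTS["smtpd_banner"])
    return expand(banner, params)


def html_has_noindex(html: str) -> bool:
    """True if the page carries a robots meta tag containing 'noindex'."""
    match = re.search(
        r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']',
        html, re.IGNORECASE)
    if not match:
        return False
    directives = {d.strip().lower() for d in match.group(1).split(",")}
    return "noindex" in directives


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", banner_disclosures(banner) or "no disclosure")
    for label, cfg in (("default", MAIN_CF_DEFAULT), ("hardened", MAIN_CF_HARDENED)):
        eff = effective_banner(cfg)
        print(label, "config greets with:", eff, banner_disclosures(eff))
    print("noindex present:", html_has_noindex(SAMPLE_HTML_NOINDEX))
```

Postfix requires the banner to begin with `$myhostname`, so the hardened fragment keeps the hostname and only drops the product text; the expansion step shows that even an untouched `smtpd_banner` still names the MTA through `$mail_name`. The `noindex` check only tells you what cooperating crawlers are asked to do, which is the limit the thread already points out.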

ghost commented 9 years ago

I personally have my mail server connected to an OpenVPN server and have SSH, the admin GUI and everything other than ports 25, 993 and 587 inaccessible to the public. I know it isn't officially supported, but the installation of OpenVPN and some simple UFW rules are so easily revertible that I can't see it causing any issues at all.