[TriLUG] Protecting from SSL Vulnerabilities - iFolder

Ron Kelley rkelleyrtp at gmail.com
Wed Apr 28 21:27:58 EDT 2010


Greetings all,

I am in the process of rolling out Novell's "iFolder" app
(http://ifolder.com/ifolder) on a machine in the data center.  iFolder
is a free version of DropBox and includes the server code as well as
Linux, Mac, and Windows clients.  Essentially, the end-user simply has
a folder on his desktop with contents that stay in sync with the
server.   If anything changes locally, the server automatically gets
updated.  The beauty of iFolder (and similar paid/free apps) is the
ability to have shared folders with other people and keep multiple
machines in sync.  Plus, I don't have to pay for storage costs, and I
keep all my data *private*.   After playing with it for a couple of
days, I am satisfied with the reliability and stability of the app.
Very cool!

I was able to get a VMWare appliance version (based upon OpenSUSE vers
11.1) installed and running in short order.  The server-side runs
openSUSE v11.1 with apache v2.2.10 and communicates with the clients
via SSL (port 443).  Being security conscious, I tried changing the
SSL port to something completely random and also tried using NAT on my
firewall (outside port XXXXX xlates to internal 443).  However, it
appears this software is brain-dead and MUST run on port 443 without
any NAT rules.  Hacking the apache.conf, listen.conf, and vhosts.conf
files has been useless.  Using anything other than port 443 causes
the clients to disconnect or not connect at all.

So my question is -- how vulnerable is apache and SSL when open to the
internet?  Given 443 is a very common port, I can only imagine hackers
routinely pound the snot out of these types of machines.  What can I
do to lock this thing down to limit my exposure?  Since this is a VM,
I have console access and have already disabled sshd.  What else can I
do?  Are there tools I can run to check the security of the server
from the outside?



Thanks for any pointers,

-Ron
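As an added example (not from Ron's post or the iFolder appliance), here is an Apache 2.2 mod_ssl vhost that keeps the listener on 443, as iFolder requires, but limits what that listener exposes: the weak stock settings are shown commented out beside the hardened ones. The hostname, certificate paths and log path are assumptions; the appliance's real vhosts.conf will differ.

```apache
# Added hardening example; not the appliance's own vhosts.conf.
# Apache config does not allow comments after a directive, so every
# comment sits on its own line.

# --- Weak settings commonly found in a stock SSL vhost ---
# SSLProtocol all
#   (permits SSLv2 and SSLv3)
# SSLCipherSuite ALL:!ADH
#   (allows export-grade, LOW and RC4 ciphers)
# ServerTokens Full
# ServerSignature On
#   (advertise exact Apache and OS versions to anyone probing 443)
# TraceEnable On
#   (TRACE method left enabled)

# --- Hardened equivalent ---
# The port stays 443: the clients refuse to work with anything else.
Listen 443
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<VirtualHost *:443>
    # Assumed name and document root.
    ServerName ifolder.example.org
    DocumentRoot /srv/www/htdocs

    SSLEngine on
    # Refuse SSLv2/SSLv3; keep only TLS.
    SSLProtocol all -SSLv2 -SSLv3
    # Strong ciphers only, and let the server pick the order.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXP:!LOW
    SSLHonorCipherOrder on
    # Assumed certificate paths.
    SSLCertificateFile    /etc/apache2/ssl.crt/ifolder.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/ifolder.key

    # Separate log for this exposed vhost so probing is easy to spot.
    # Assumed path.
    LogLevel warn
    CustomLog /var/log/apache2/ifolder_ssl_access.log combined
    ErrorLog  /var/log/apache2/ifolder_ssl_error.log
</VirtualHost>
```

`apache2ctl configtest` validates the syntax before a restart, and `openssl s_client -connect host:443` run from another machine shows the protocol and cipher the server actually negotiates.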