Forum OpenACS Q&A: Response to How much time does it takes to set up bboard from scratch

In my estimation, if nmap shows only port 80 and possibly 443, you're fairly safe. That leaves a couple of areas for intrusion. The web server and the scripts on the web server.

OpenACS 3.2.5 has at least one security hole and possibly others. (My patch helps with that https://openacs.org/sdm/one-patch.tcl?patch_id=35)
AOLServer 3.2 has one known potential security hole. Upgrading or patching will take care of that.

However, there are lot more things that can be done to secure your server. How far you should go probably relates to the sensitivity of your data and how willing you are to start over if your security is breached.