[Mailman-Users] Brute force attacks on mailman web ui
Rich Kulawiec
rsk at gsp.org
Tue Apr 17 10:20:13 EDT 2018
On Mon, Apr 16, 2018 at 02:05:35PM -0400, tlhackque via Mailman-Users wrote:
> Good advice. But use httpS: (and make sure the UA validates the server
> certificate).
> Unless you fancy experimenting with DOS attacks.
Yep. You're exactly right.
> But the biggest source of attacks, by far, is the US. Unfortunately,
> while some people run business that don't interact with the US, in most
> cases a non-country based approach is necessary for that :-)
Yes. There's no question that the US is a huge source of attacks, and
if I were running a mailing list for birdwatchers in Australia, I'd
seriously consider blocking it. But you're right, that bumps into
all kinds of hosting/infrastructure issues and so blocking the whole
country will likely have unpleasant side effects.
> https://github.com/tlhackque/BlockCountries
> A new release that provides better management is overdue -- but
> hopefully soon.
That...is cool. Thanks for the pointer.
> The best defense for ssh is to configure it for certificate
> authentication only.
> The script kiddies will make their 10,000 login attempts [...]
True, but I find the clutter in logs annoying. ;) So in situations
where I know a priori that a valid login attempt will never originate
from an operation, I just firewall it and let them eat dropped packets.
> [I'm not kidding; I do see lists of 10K+ attempts from "adam adam",
> "adam password" thru "zeke password" "zeke zeke"...]
I stood up a new server last fall with *no* valid ssh access and logged
about 750,000 attempts in a month. Similar patterns.
> If you keep up your lists of cloud services' network blocks & have them
> on a publicly accessible
> website, I'll add them to my list of optional block lists. (Hopefully
> you use a standard format - e.g.
> ipaddress[/netmask or length] with # or ; comments...)
I keep them in CIDR<tab>network-name but honestly I'm not diligent
enough about maintaining them. As a result, they're always under-inclusive
(very rarely over-inclusive). That works for what I use them for, but
I'm hesitant to inflict my laziness on others. Let me see if I can
locate someone who's doing a better job than I am.
---rsk
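As an added example (not from this thread, and not code from tlhackque's BlockCountries project), the script below reads block lists in both formats discussed above, the "ipaddress[/netmask or length]" form with # or ; comments and the CIDR<tab>network-name form, and reports which failed-login sources in an sshd log fall inside a listed block. All network ranges, labels and log lines are constructed samples, not real providers or real attackers.

```python
import ipaddress
import re

# Constructed sample block lists in the two formats mentioned in the thread: (A) "ipaddress[/netmask
# or length]" with '#' or ';' comments, (B) "CIDR<tab>network-name". Documentation ranges, not real providers.
BLOCKLIST_A = """\
# hypothetical cloud provider ranges (constructed sample values)
203.0.113.0/24             # prefix-length form
198.51.100.0/255.255.255.0 ; dotted-netmask form
192.0.2.1                  ; bare address, treated as a /32
"""
BLOCKLIST_B = "203.0.113.128/25\texample-cloud-east\n2001:db8::/32\texample-cloud-v6\n"

# Constructed sshd log lines in the usual syslog shape (not taken from the thread).
AUTH_LOG = """\
Apr 17 10:20:13 host sshd[1234]: Failed password for invalid user adam from 203.0.113.200 port 4321 ssh2
Apr 17 10:20:14 host sshd[1234]: Failed password for invalid user adam from 203.0.113.200 port 4322 ssh2
Apr 17 10:20:15 host sshd[1235]: Failed password for invalid user zeke from 198.51.100.7 port 5000 ssh2
Apr 17 10:20:16 host sshd[1236]: Failed password for invalid user bob from 192.0.2.77 port 5100 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse_blocklist(text):
    """Return [(ip_network, label)] from either format; '#'/';' comments and
    blank lines are dropped, and a bare address becomes a /32 or /128."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        addr, _, label = line.partition("\t")  # label only present in the tab-separated form
        entries.append((ipaddress.ip_network(addr.strip(), strict=False), label.strip()))
    return entries

def lookup(entries, ip):
    """Longest-prefix match: (cidr, label) of the most specific covering entry, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if e[0].version == addr.version and addr in e[0]]
    best = max(hits, key=lambda e: e[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1])

def summarize(log_text, entries):
    """Count failed ssh logins per source IP and attach the block-list entry covering it, if any."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return {src: (n, lookup(entries, src)) for src, n in counts.items()}
```

Sources that show up with many attempts and no covering entry are the ones an under-inclusive list is missing; running summarize(AUTH_LOG, parse_blocklist(BLOCKLIST_A) + parse_blocklist(BLOCKLIST_B)) on the samples flags 192.0.2.77 that way.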