[Mailman-Users] Brute force attacks on mailman web ui

Rich Kulawiec rsk at gsp.org
Tue Apr 17 10:20:13 EDT 2018


On Mon, Apr 16, 2018 at 02:05:35PM -0400, tlhackque via Mailman-Users wrote:
> Good advice.  But use httpS: (and make sure the UA validates the server
> certificate).
> Unless you fancy experimenting with DOS attacks.

Yep.  You're exactly right.

> But the biggest source of attacks, by far, is the US.  Unfortunately,
> while some people run business that don't interact with the US, in most
> cases a non-country based approach is necessary for that :-)

Yes.  There's no question that the US is a huge source of attacks, and
if I were running a mailing list for birdwatchers in Australia, I'd
seriously consider blocking it.  But you're right, that bumps into
all kinds of hosting/infrastructure issues and so blocking the whole
country will likely have unpleasant side effects.

> https://github.com/tlhackque/BlockCountries
> A new release that provides better management is overdue -- but
> hopefully soon.

That...is cool.  Thanks for the pointer.

> The best defense for ssh is to configure it for certificate
> authentication only.
> The script kiddies will make their 10,000 login attempts [...]

True, but I find the clutter in logs annoying. ;)  So in situations
where I know a priori that a valid login attempt will never originate
from an operation, I just firewall it and let them eat dropped packets.

> [I'm not kidding; I do see lists of 10K+ attempts from "adam adam",
> "adam password" thru "zeke password" "zeke zeke"...]

I stood up a new server last fall with *no* valid ssh access and logged
about 750,000 attempts in a month.   Similar patterns.

> If you keep up your lists of cloud services' network blocks & have them
> on a publicly accessible
> website, I'll add them to my list of optional block lists.  (Hopefully
> you use a standard format - e.g.
> ipaddress[/netmask or length] with # or ; comments...)

I keep them in CIDR<tab>network-name but honestly I'm not diligent
enough about maintaining them.  As a result, they're always under-inclusive
(very rarely over-inclusive).  That works for what I use them for, but
I'm hesitant to inflict my laziness on others.  Let me see if I can
locate someone who's doing a better job than I am.

---rsk
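The two block-list layouts mentioned above (ipaddress[/netmask or length] with # or ; comments, and CIDR<tab>network-name), as an added example that is not part of this thread or of the BlockCountries project: a small Python parser that accepts both layouts, finds the most specific entry covering an address, and collapses overlapping entries into a minimal CIDR set for a firewall ruleset. The sample list is constructed from documentation ranges, not a real block list.

```python
import ipaddress

# Constructed sample list mixing both layouts (documentation ranges only).
SAMPLE = """\
# comment-only line
192.0.2.0/24                 # prefix-length form, '#' comment
198.51.100.0/255.255.255.0   ; dotted-netmask form, ';' comment
203.0.113.7                  ; bare host, treated as /32
2001:db8::/32\tdoc-v6
192.0.2.128/25\tmore-specific-entry
"""


def parse_blocklist(text):
    """Return (network, label) pairs from block-list text in either layout."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for marker in ("#", ";"):              # strip trailing comments
            raw = raw.split(marker, 1)[0]
        fields = raw.split(None, 1)            # tab or spaces separate the label
        if not fields:
            continue                           # blank or comment-only line
        label = fields[1].strip() if len(fields) > 1 else ""
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad network {fields[0]!r}") from exc
        entries.append((net, label))
    return entries


def find_block(ip, entries):
    """Most specific (longest-prefix) entry containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in entries:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, label)
    return best


def collapsed_cidrs(entries):
    """Merge overlapping/adjacent networks into a minimal CIDR set per IP version."""
    out = []
    for version in (4, 6):
        nets = [n for n, _ in entries if n.version == version]
        out.extend(str(n) for n in sorted(ipaddress.collapse_addresses(nets)))
    return out


if __name__ == "__main__":
    entries = parse_blocklist(SAMPLE)
    for probe in ("192.0.2.200", "203.0.113.8", "2001:db8::1"):
        print(probe, "->", find_block(probe, entries))
    print(collapsed_cidrs(entries))
```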
