[Mailman-Users] Brute force attacks on mailman web ui

Thu Apr 19 12:50:59 EDT 2018

On 19-Apr-18 02:46, Stephen J. Turnbull wrote:
> So here's my problem.  A lot of my constituency resides in CN,
> occasionally including people at frequently problematic domains like
> 163.com.  Do you know any resources (or keywords to start googling
> even!) at subnational levels?  KR and CN breakdowns would be most
> useful to me; breakdowns for RU and former USSR would be appreciated
> by many of my colleagues.
>
I'm not sure what you are looking for.

Blocking by geography is a very crude tool - it turns out to be useful
in that many hosts serve limited geographies, and it's pretty easy to
identify countries that generate a lot of "bad" traffic.  E.g. RU & CN
are widely believed to support intrusions by (pseudo/)government actors,
and rarely prosecute. 

As you discovered, below that level, you need to use other tools.

There are a number of geolocating services that attempt to turn IP
addresses into specific locations; for example maxmind offers a series
of databases of increasing precision for increasing prices (starting
with free).

You can use these databases with your webserver (e.g. apache mod_geoip)
and name server (BIND for sure).  There is also a GeoIP module for
iptables.  (I use (and maintain) BlockCountries because it is more
flexible and easier to use. YMMV).

But the problem is that unless you know exactly where your users (and
potential users) are located, this won't help.  Do you have a list of
cities?  Streets?  I don't think that the criminal element has easily
identifiable geographies.

What you probably want is to identify the specific bad actors; for that
the spamhaus and other "block lists" ("RBL") are helpful.  Most of these
are distributed via DNS - which means that they aren't practical for
firewalls.  You can configure your email server (e.g. sendmail/postfix)
to use them.  But this happens inside your firewall.  These lists are
fairly well curated, but certainly aren't perfect.

As previously noted, fail2ban is one reactive means of dealing with
these - it reads log files and dynamically blocks IP addresses that
generate errors.  It can be resource intensive, especially if you want a
reasonably fast reaction time.  And specifying bad behavior is somewhat
of an art.

One option is to provide a website for registering your users, then
allow them access via some convenient token.    A Captcha will help to
reduce fraudulent registrations.  E.g., if they have a static IP
address, register that.  Or provide a VPN (with just your web or email
server as an endpoint).  Or use X.509 client authentication  - note that
you can use this with your mailserver.  For this purpose, you want your
own CA for X.509.  You can revoke abused tokens.  If your community is
small (or willing to pay), you can look at hardware tokens, such a yubikey.

That will work if you have a reasonably sized community - and people
really want to use your service.  However, if you're trying to attract
people who don't know if they are interested, the cost of connecting
with you would probably turn many away.

It's a balancing act, and your business (community, etc) needs will
determine what is best for you.

Note that I'm not exclusively endorsing any of the products/services
mentioned - there are alternatives, and you need to evaluate what each
offers against your needs.

Unfortunately, there's no universal answer.

Good luck.