[Mailman-Users] Brute force attacks on mailman web ui

Stephen J. Turnbull stephen at xemacs.org
Thu Apr 19 23:33:32 EDT 2018


tlhackque via Mailman-Users writes:

 > I'm not sure what you are looking for.

I'm looking for anything that will help block swaths of Chinese
spammers and possibly attacks, while allowing me to do a better job of
serving students vacationing at home in China than treating them the
way the Chinese government does.  A unicorn, or failing that, a pony.

 > There are a number of geolocating services that attempt to turn IP
 > addresses into specific locations; for example maxmind offers a series
 > of databases of increasing precision for increasing prices (starting
 > with free).

I'll try their free offering.  Thank you!

 > But the problem is that unless you know exactly where your users (and
 > potential users) are located, this won't help.  Do you have a list of
 > cities?  Streets?

I can frequently get down to the street level for valid users, yes, at
least after first contact.

 > What you probably want is to identify the specific bad actors;

No, I want to identify good actors and block the rest.  The problem
I've had in the past is that I can't depend on static IPs because I'm
dealing with people using telephones, mostly.

 > As previously noted, fail2ban is one reactive means of dealing with
 > these - it reads log files and dynamically blocks IP addresses that
 > generate errors.  It can be resource intensive, especially if you want a
 > reasonably fast reaction time.  And specifying bad behavior is somewhat
 > of an art.

I wouldn't call it art, but a few years ago I had a 1MB .procmailrc. :-)

 > One option is to provide a website for registering your users, then
 > allow them access via some convenient token.

I'm not sure what you're suggesting.  That's what is being attacked
here.

 > Or provide a VPN (with just your web or email server as an
 > endpoint).

I believe the Chinese have outlawed VPNs; I assume they still allow
TLS, though, given the size of ecommerce there.

 > Or use X.509 client authentication - note that you can use this
 > with your mailserver.

That's an interesting idea, but again my users will be mostly using
phones, so I don't think this will work with mail very well, and I'm
not sure how to set that up on a phone.

 > For this purpose, you want your own CA for X.509.

Sure.

 > However, if you're trying to attract people who don't know if they
 > are interested, the cost of connecting with you would probably turn
 > many away.

The prospect of graduate study outside of China seems to be a strong
motivator so far.  We'll see if it interests people in conforming to
practices that increase my security.

Interesting thoughts, anyway.

Steve
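As an added example (not part of this thread, and not code from Mailman or fail2ban), here is the kind of log-driven blocking tlhackque describes, combined with the "identify good actors" policy Steve wants: a fail2ban-style sliding window that bans an address after N failed web-UI logins within a fixed time span, while addresses inside known-good prefixes are only reported, never banned. The log line format, the allow-listed prefixes and the sample lines are all constructed for the example (the format is hypothetical, not Mailman's real log format), and the addresses are RFC 5737 / RFC 3849 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines.  The format is hypothetical (it is NOT
# Mailman's actual log format); the IPs are documentation addresses.
SAMPLE_LOG = """\
2018-04-19 23:00:05 web auth failed list=announce ip=203.0.113.7
2018-04-19 23:00:09 web auth failed list=announce ip=203.0.113.7
2018-04-19 23:00:11 web auth failed list=announce ip=203.0.113.7
2018-04-19 23:00:30 web auth failed list=announce ip=198.51.100.9
2018-04-19 23:15:30 web auth failed list=announce ip=198.51.100.9
2018-04-19 23:30:30 web auth failed list=announce ip=198.51.100.9
2018-04-19 23:31:00 web auth failed list=announce ip=192.0.2.5
2018-04-19 23:31:02 web auth failed list=announce ip=192.0.2.5
2018-04-19 23:31:04 web auth failed list=announce ip=192.0.2.5
2018-04-19 23:31:06 web auth failed list=announce ip=192.0.2.5
2018-04-19 23:31:20 web auth ok list=announce ip=192.0.2.5
2018-04-19 23:40:00 web auth failed list=announce ip=2001:db8::1
2018-04-19 23:40:01 web auth failed list=announce ip=2001:db8::1
2018-04-19 23:40:02 web auth failed list=announce ip=2001:db8::1
"""

# Hypothetical "known good" prefixes: networks the list owner has already
# verified real users connect from (e.g. after first contact).  Failures from
# here are counted for review but never banned, so a student mistyping a
# password on a phone is not locked out.
ALLOWED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) web auth "
    r"(?P<result>failed|ok) list=(?P<list>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, listname, ip) for an auth-event line in the
    hypothetical format above, or None for anything else (other log noise,
    unparsable addresses)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["list"], ip


def is_allowed(ip):
    """True if the address falls inside one of the known-good prefixes."""
    return any(ip in net for net in ALLOWED_NETS)


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style detection: an address is banned the moment it has
    `maxretry` failures inside any `findtime` window (failures older than the
    window fall out, so slow, spaced-out retries are not banned).
    Returns (bans, allowed_failures): bans maps IP string -> time the threshold
    tripped; allowed_failures counts failures from allow-listed prefixes."""
    window = defaultdict(deque)        # ip -> recent failure timestamps
    bans = {}
    allowed_failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, _listname, ip = rec
        if result != "failed":
            continue
        if is_allowed(ip):
            allowed_failures[str(ip)] += 1
            continue
        if str(ip) in bans:
            continue                   # already banned; ignore further noise
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()                # expire failures outside the window
        if len(q) >= maxretry:
            bans[str(ip)] = ts
    return bans, dict(allowed_failures)


if __name__ == "__main__":
    bans, audited = find_bans(SAMPLE_LOG)
    for ip, when in sorted(bans.items()):
        print(f"ban {ip} (threshold reached at {when})")
    for ip, n in sorted(audited.items()):
        print(f"allow-listed {ip}: {n} failure(s), review but do not ban")
```

On the sample data, 203.0.113.7 and 2001:db8::1 are banned (three failures within seconds), 198.51.100.9 is not (three failures spread over 30 minutes never share a 10-minute window, which is the "specifying bad behavior is an art" trade-off: lengthen findtime and you catch slow scanners at the cost of more state), and 192.0.2.5 is only reported because it sits in an allow-listed prefix. Note that 2001:db8::1 is outside 2001:db8:1::/48, so IPv6 prefixes need the same care as IPv4 ones. A successful login does not clear an address's failure window here; whether it should is a policy choice, not something fail2ban decides for you.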
