[Mailman-Users] Brute force attacks on mailman web ui
Stephen J. Turnbull
stephen at xemacs.org
Thu Apr 19 23:33:32 EDT 2018
tlhackque via Mailman-Users writes:
> I'm not sure what you are looking for.
I'm looking for anything that will help block swaths of Chinese
spammers and possibly attacks, while allowing me to do a better job of
serving students vacationing at home in China than treating them the
way the Chinese government does. A unicorn, or failing that, a pony.
> There are a number of geolocating services that attempt to turn IP
> addresses into specific locations; for example maxmind offers a series
> of databases of increasing precision for increasing prices (starting
> with free).
I'll try their free offering. Thank you!
> But the problem is that unless you know exactly where your users (and
> potential users) are located, this won't help. Do you have a list of
> cities? Streets?
I can frequently get down to the street level for valid users, yes, at
least after first contact.
> What you probably want is to identify the specific bad actors;
No, I want to identify good actors and block the rest. The problem
I've had in the past is that I can't depend on static IPs because I'm
dealing with people using telephones, mostly.
> As previously noted, fail2ban is one reactive means of dealing with
> these - it reads log files and dynamically blocks IP addresses that
> generate errors. It can be resource intensive, especially if you want a
> reasonably fast reaction time. And specifying bad behavior is somewhat
> of an art.
I wouldn't call it art, but a few years ago I had a 1MB .procmailrc. :-)
> One option is to provide a website for registering your users, then
> allow them access via some convenient token.
I'm not sure what you're suggesting. That's what is being attacked
here.
> Or provide a VPN (with just your web or email server as an
> endpoint).
I believe the Chinese have outlawed VPNs; I assume they still allow
TLS, though, given the size of ecommerce there.
> Or use X.509 client authentication - note that you can use this
> with your mailserver.
That's an interesting idea, but again my users will be mostly using
phones, so I don't think this will work with mail very well, and I'm
not sure how to set that up on a phone.
> For this purpose, you want your own CA for X.509.
Sure.
> However, if you're trying to attract people who don't know if they
> are interested, the cost of connecting with you would probably turn
> many away.
The prospect of graduate study outside of China seems to be a strong
motivator so far. We'll see if it interests people in conforming to
practices that increase my security.
Interesting thoughts, anyway.
Steve