[Mailman-Users] [Suspected Spam]Re: Brute force attacks on mailman web ui

Stephen J. Turnbull stephen at xemacs.org
Sat Apr 21 12:51:58 EDT 2018


tlhackque writes:

 > So you know exactly who your users are, and can pre-register them
 > while they are not in China.

No.  China may, or may not, block any given email provider without
warning.  They may need to provide a new address *from that address*
(or their mother's, which I also don't know).

If I can figure out how they can use X.509 auth with mail or thru the
web, that will do the trick for authentication, of course.  I might
use fwknop to conceal authenticated services.

 > Geographic IP address is the wrong hammer for this nail.

Yes, I understand that.  Tell it to Chairman Xi, please.

 > GeoIP will never get you down to the level of granularity and accuracy
 > that you want.

Sure it will.  If I can block 95% of Chinese attempts to connect on
SYN, that's a win.

 > Even if it did, people with phones move - apartment, coffee shop,
 > etc.

Whether that means they'll be out of the geographic area allowed
depends on how the provider allocates IP addresses.

 > And in your scenario, you can block all of China, since you can
 > register your students while they are at your school (which
 > presumably is not in China).

It's not, but no, I'm not sure I can, for the reason given above.

 > So use the registration website to issue an X.509 certificate,
 > register a hardware token, issue fwknop key - whatever you choose
 > as your token (credential).  Then use that token to protect routine
 > access to the mailman web ui AND mail servers.

I know how to issue such things, or can find out.  What I don't know
how to do is enable devices to use them, and whether I can configure
once, or teach students to do it.  I also wonder what Chinese
immigration authorities would think of a fwknop app on an iPhone....

 > Even if you don't have a native MUA, you can provide a web-based e-mail
 > account on your server for your users - e.g. squirrelmail, roundcube,
 > etc.

That's a last resort.  They won't use that account frequently (if at
all), which really counts against it.  I would want something that
they use under normal circumstances that they're used to, and have
some idea how to configure on a new phone, etc.

 > Mobile web browsers certainly support x.509 client auth.

This seems like the route to go, then.  Use a nonstandard port to
screen out the dumbest kiddies, or maybe fwknop.

 > Issue their keys before they go home, and you're done.  Optionally,
 > provide some form of recovery/reissue for the "I lost my phone" case. 

I'm not sanguine about "issue keys and you're done".  There are users
in the loop, and they're not terribly security-savvy.  I'm not saying
it's insanely difficult, but the system would be an unfamiliar one
that is a SPOF.  The recovery/reissue feature wouldn't be optional:
the trips I'd be worrying about would be on location data-gathering
trips.

 > In any case, I think we've probably exhausted the patience of
 > mailman-users since we're off into the general problem of keeping
 > our servers alive in the jungle...

Well, the considerations of dealing with user-hostile environments
like the Great Firewall are pretty special, but the jungle *is*
general.  I.e., it applies to Mailman servers too.  I don't know
anybody who runs a list who doesn't run into abuse from time to time.

Thanks for the ideas and software suggestions!

Steve