[Mailman-Users] How do I run 2.x mailman more securely?

incoming-pythonlists at rjl.com incoming-pythonlists at rjl.com
Thu May 31 20:37:46 EDT 2018 

On 05/31/2018 11:25 AM, Grant Taylor via Mailman-Users wrote:
> I feel like I'm missing something and as such have some questions.
>
> On 05/31/2018 11:42 AM, incoming-pythonlists at rjl.com wrote:
>> Depending on where your users are coming from, it might be easier to
>> limit access to the GUI using a firewall.
>
> Why are you using a firewall instead of leveraging the web server's
> ability to filter by IP?

Both are valid alternatives.  There may be performance advantages, to
stopping attacks at the firewall level instead of higher up in the
application stack.

>
>> What I do, is to run the mailman GUI on a non-standard https port.
>
> Okay.  (Additional) security through obscurity.  Sure.  I do similar
> with various things.

No, this is not security through obscurity.  It runs on a different port
so I can add firewall rules that effect only mailman service and not
other web applications.

>
>> I then create webserver URL rewrites that redirect url access to that
>> port.
>
> Why?  I feel like this voids hiding the Mailman Web UI on an alternate
> port?

I need to give my users a url that they can easily remember.  It's too
complex to have to give them urls with port numbers in them, and since
this is not security through obscurity, it is not a problem.

>
>> I use my firewall (IPTABLES), to control who can access the GUI.  If
>> all of your users come from a LAN inside an office, you can easily
>> restrict access to only those on the LAN.
>
> Or is this purely so that you can protect the Mailman Web UI via the
> firewall without impacting other web resources running on the default
> ports?

yes

>
>> I've also used thing like GEOIP, and other tools to limit access to
>> specific countries or specific geographic areas or specific service
>> providers.  Alot of attacks come from outside countries and limiting
>> access substantially reduces attacks on my servers.
>
> I've not messed with GeoIP filters in a long time.  I don't know how
> IPTables' GoIP feature set compares with Apache's / Nginx's GeoIP
> feature set.

There are many ways to implement the same thing.  Before there were
modules in the kernel for this, I simply pulled lists of address blocks
out of databases and incorporated them into my IPtables lists.  There
are better tools to do this today.
>
>> You could also require users to use a VPN or fwknop in order to access
>> the GUI.  This is easy if your users already access your site over a
>> VPN.
>
> I can see a VPN for corporate users.  I think it's a high bar for most
> public mailing lists.  Maybe not for the (few) administrator(s).
>
> I feel like port knocking is a REALLY HIGH BAR for most public mailing
> lists.

It was unclear from the OPs initial posting whether it was a private or
a public mailing list.  What I describe here probably would not be
appropriate for a public list and the best solution there is probably to
upgrade to mailman 3 if they need a more secure interface that is wide
open to the public.  VPN and/or fwknop (which is primarily SPA though
the older port knocking is still supported) are more suitable if you
have a private list where user membership must be approved anyway and
your moderators and admins might use these tools to have access to
mailman, but the web GUI would be blocked from public access.

Certainly adding web server based username authentication sounds pretty
cumbersome to me because users would have to login twice, though from a
security standpoint it would help protect from vulnerabilities in the
mailman web GUI.

There's no one answer to solving these problems.  I'm only sharing ideas
that have worked for me.  The less of the public Internet that can apply
brute force attacks on your web interface, the less likely you are to
have a compromise.  Also, the less junk in your log files, the easier it
is to monitor the logs.

I plan to go to mailman 3, but in the meantime I have minimal issues
with attacks on my mailman GUI.  Maybe not the perfect solution for
everyone, but it is effective.

Nataraj

>
>
>
>
>
>
> ------------------------------------------------------
> Mailman-Users mailing list Mailman-Users at python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/incoming-pythonlists%40rjl.com

More information about the Mailman-Users mailing list