Logging failed Admin logins [SEC=UNCLASSIFIED]
Hi All,
I'm looking for a way to prevent the Mailman Admin login from getting bruted. I was thinking that I can set fail2ban to watch the logfiles and trigger an event after a certain number of failed logins from the same IP address, within a specified time period.
I've had a look through the Mailman log files and can't see that Mailman writes anywhere for failed login attempts (to the Admin page).
It seems that the best that can be done at the moment is to guess it from the POST entries in the Apache logs.
Even there, a failed login just reloads the page and generates an Apache '200' (Okay) entry for the request.
All I can think of at the moment is to hack the Mailman code so a failed login attempt sends the user to a new page rather than just reload the page.
We could then tell fail2ban to watch the Apache access logs for records of those requests and trigger events off those.
But that seems a bit untidy, and very 'unMailman' like.
Does anyone have a suggestion for logging the time and IP address of failed login attempts?
Best, Mark Dale
Dale, Mark wrote:
> I've had a look through the Mailman log files and can't see that Mailman writes anywhere for failed login attempts (to the Admin page).
Correct.
> It seems that the best that can be done at the moment is to guess it from the POST entries in the Apache logs.
> Even there, a failed login just reloads the page and generates an Apache '200' (Okay) entry for the request.
Since Mailman 2.1.14, a login failure generates a 401. This should be enough for a fail2ban regexp to identify these failures.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
On May 21, 2012, at 12:21 AM, Dale, Mark wrote:
> I'm looking for a way to prevent the Mailman Admin login from getting bruted. I was thinking that I can set fail2ban to watch the logfiles and trigger an event after a certain number of failed logins from the same IP address, within a specified time period.
Keep in mind that if you have a reverse proxy for your web server (or maybe a firewall that does that kind of function for you), then all connections will seem to be coming from that IP address -- you're not going to want to put that in your fail2ban list.
Customers at larger providers may be going through a proxy at their end, too -- again, banning by IP address can block a large number of people.
I've used fail2ban, it's got some good features, but you do need to be aware of its weaknesses when you're designing the rules.
--
Brad Knowles <brad@shub-internet.org>
LinkedIn Profile: http://tinyurl.com/y8kpxu
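To show what the two replies above amount to in practice, here is an added example (not code from the thread or from Mailman or fail2ban): a fail2ban-style failregex that matches a POST to a Mailman admin URL answered with 401, plus the maxretry/findtime window logic, run over constructed Apache access-log lines. It assumes the default /mailman/admin/ URL prefix; the log lines and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not real traffic): three 401s from
# one client after failed admin logins, and one normal 200 page load.
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/2012:09:15:01 +1000] "POST /mailman/admin/mylist HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [21/May/2012:09:15:04 +1000] "POST /mailman/admin/mylist HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2012:09:15:09 +1000] "GET /mailman/admin/mylist HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
192.0.2.10 - - [21/May/2012:09:15:30 +1000] "POST /mailman/admin/mylist HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
"""

# Same shape as a fail2ban failregex, with <HOST> written as a named group:
# a POST to /mailman/admin/<list> or /mailman/admindb/<list> that got a 401
# (Mailman 2.1.14+ returns 401 on a failed admin login, per the thread).
# Behind a reverse proxy the first field is the proxy's address, so log the
# X-Forwarded-For value there instead of %h before matching on it.
FAIL_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /mailman/admin(?:db)?/\S+ [^"]*" 401 '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_failures(log_text):
    """Return (timestamp, client_ip) for every line matching FAIL_RE."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            found.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("host")))
    return found

def offenders(log_text, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'192.0.2.10'}
```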