[Mailman-Users] Mailman Security.
lhansfor at lch-assoc.com
Wed Feb 5 18:07:16 CET 2003
> Actually he did it this way:
>
> Noticed that mydomain/mailman was browsable.
>
> Telneted to port 80 and sent a get request from there...ouch.
I do not have Telnet loaded on any of my systems, and I use tcp_wrappers
to tightly control which remote sites can access any sites via ftp or
secure_shell.
Every day the logwatch report shows many, many sites that attempted to
access the various systems, but were rejected by tcp_wrapper. I don't
leave any system open with the default configuration and module loads.
>
> Sorting that now
>
> Dino
>
> -----Original Message-----
> From: mailman-users-bounces+dinouk=orange.net at python.org
> [mailto:mailman-users-bounces+dinouk=orange.net at python.org] On Behalf Of
> John Buttery
> Sent: 05 February 2003 11:27
> To: 'Mailman users Mailing list'
> Subject: Re: [Mailman-Users] Mailman Security.
>
>
> * dino <dinouk at orange.net> [2003-02-05 10:32:16 -0000]:
>> I was just wondering what kind of security mailman offers, as far as
>> protecting user passwords goes?
>
> Pretty much none. It emails them cleartext once a month, for
> starters. The list signup page explicitly instructs subscribers not to
> use important passwords (even in bold!). The intent of the password
> system in Mailman (this is my interpretation, not backed up with any
> actual information) is to protect against malicious [un]subscriptions of
> others by casual idiots on the Net, not against determined attackers.
>
>> A techy friend of mine has just kindly emailed me a list of all users
>> and their passwords! Looking at my server logs it would appear that he
>> snuck in somehow via anonymous ftp.
>
> Then you have an incorrectly installed/configured/patched ftp server
> problem, not a mailman problem. :)
>
>> Would closing the anon. ftp service stop mailman working in any way, or
>> dya reckon he got in some place else?
>
> I don't see why stopping an ftpd would affect mailman...
>
> --
> ------------------------------------------------------------------------
> John Buttery
> (Web page temporarily unavailable)
> ------------------------------------------------------------------------
>
> ------------------------------------------------------
> Mailman-Users mailing list
> Mailman-Users at python.org
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives:
> http://www.mail-archive.com/mailman-users%40python.org/
>
> This message was sent to: dinouk at orange.net
> Unsubscribe or change your options at
> http://mail.python.org/mailman/options/mailman-users/dinouk%40orange.net
>
>