[Mailman-Users] Mailman Security.

Keith Mastin kmastin at beechtree.ca
Thu Feb 6 23:03:59 CET 2003

>Hi All, 
>I was just wondering what kind of security mailman offers, as far as
>protecting user passwords goes?
>A techy friend of mine has just kindly emailed me a list of all users
>and their passwords! Looking at my server logs it would appear that he
>snuck in somehow via anonymous ftp.
>Would closing the anon. ftp service stop mailman working in anyway, or
>dya reckon he got in some place else?

You have some big problems if this is what happened. Your entire system is 
insecure and ready to be (pl)ucked by anyone who has a little know-how. 
Anonymous ftp should chroot to a specific directory, and if a user can 
logon to anon-ftp and get more info then it is completely set up wrong.

Closing anon-ftp is a must-do first step. Really, you should do a full 
system audit, or preferably format and re-install with all clean user info 
(user/passwd pairs), updated *_everything_* and all programs tightened 
down to paranoid levels. Take it as a lesson in security, and don't let it 
happen again is about the best you can get out of this.

The real concern here is the passwords. They are supposed to be encrypted, 
human-unreadable except by the passwd program OR a *_sniffer_program_*. If 
your friend was able to get them, so is just about any script-kiddie 
able to.
