[Mailman-Users] HTTP_X_FORWARDED_FOR logging support

Jim Popovitch jimpop at gmail.com
Tue Jun 23 14:31:44 CEST 2015

On Tue, Jun 23, 2015 at 2:31 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Jim Popovitch writes:
>  > For the purpose of something like fail2ban all that is needed is
>  > the IPaddr.  Having all the others would be a "nice to have", but
>  > would really drive up the patch size.
> From 10 lines to 20?  I'd be more worried about the size of message or
> msgdata objects.

My concern was introducing the smallest change necessary.  I have a
pet-peeve about unnecessarily large code changes to mature software.

>  > REMOTE_HOST is subject to swift changes, whereas REMOTE_ADDR is what
>  > actually connected to the server.  One you can bank on, the other is
>  > always suspect, imo.
> Sure, and that's precisely why I'd want both.  Rapid changes of
> REMOTE_HOST associated with the same REMOTE_ADDR would be a pretty
> clear sign that something bad is going on.

Well, the log messages ("Login failure", "Malformed path") indicates
that something bad is occurring, at that point I presume a fail2ban
block should take over.  And just incase it's not clear, the IP I
would want to block is the one connecting to my servers, even if that
IP is some other proxied proxy^2.   I don't mean to sound like an
asshat but I could care less about what the remote system uses for any
rDNS when they are attempting malicious things on my servers.

> On the other hand, bad guys typically have access to a bunch of IP
> addresses if they need them.  I don't think REMOTE_ADDR is necessarily
> all that good a way to identify a miscreant.

True, but it's a perfect way to block the miscreant's vector.   The
same issues exist elsewhere on the web, you block what you can based
on any reliable data you have. :-)

-Jim P.

More information about the Mailman-Users mailing list