[Mailman-Users] HTTP_X_FORWARDED_FOR logging support
Jim Popovitch
jimpop at gmail.com
Tue Jun 23 14:31:44 CEST 2015
On Tue, Jun 23, 2015 at 2:31 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Jim Popovitch writes:
>
> > For the purpose of something like fail2ban all that is needed is
> > the IPaddr. Having all the others would be a "nice to have", but
> > would really drive up the patch size.
>
> From 10 lines to 20? I'd be more worried about the size of message or
> msgdata objects.

My concern was introducing the smallest change necessary. I have a
pet peeve about unnecessarily large code changes to mature software.
;-)

> > REMOTE_HOST is subject to swift changes, whereas REMOTE_ADDR is what
> > actually connected to the server. One you can bank on, the other is
> > always suspect, imo.
>
> Sure, and that's precisely why I'd want both. Rapid changes of
> REMOTE_HOST associated with the same REMOTE_ADDR would be a pretty
> clear sign that something bad is going on.

Well, the log messages ("Login failure", "Malformed path") indicate
that something bad is occurring; at that point I presume a fail2ban
block should take over. And just in case it's not clear, the IP I
would want to block is the one connecting to my servers, even if that
IP is some other proxied proxy^2. I don't mean to sound like an
asshat but I could care less about what the remote system uses for any
rDNS when they are attempting malicious things on my servers.

> On the other hand, bad guys typically have access to a bunch of IP
> addresses if they need them. I don't think REMOTE_ADDR is necessarily
> all that good a way to identify a miscreant.

True, but it's a perfect way to block the miscreant's vector. The
same issues exist elsewhere on the web; you block what you can based
on any reliable data you have. :-)

-Jim P.
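
An added example, not part of the original post and not Mailman's code: one way to choose the address a fail2ban filter acts on when the web server may sit behind its own reverse proxy. The function names, the `TRUSTED_PROXIES` values and the log format are assumptions made for illustration.

```python
import ipaddress

# Assumption: addresses of your own reverse proxies (constructed sample values).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/24")]

def _parse_ip(text):
    """Return an ip_address object, or None if text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def address_to_log(environ):
    """Pick the address a fail2ban filter should act on.

    REMOTE_ADDR is the peer that actually connected. X-Forwarded-For is
    client-supplied text, so it is consulted only when the peer is one of
    our own proxies, and only entries that parse as IP addresses are used.
    """
    peer = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return "unknown"
    if not _is_trusted(peer):
        return str(peer)
    # Walk the chain right to left: the rightmost entries were appended by
    # our proxies; the first non-trusted one is what connected to them.
    chain = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for entry in reversed(chain):
        ip = _parse_ip(entry)
        if ip is None:
            break  # malformed entry: stop trusting the header
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)

def login_failure_line(listname, environ):
    # Constructed log format. The remote= field is always a parsed IP
    # literal or "unknown", so header text cannot inject fake log entries.
    return "Login failure: list=%s remote=%s" % (listname, address_to_log(environ))
```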