[Mailman-Users] Brute force attacks on mailman web ui

Lindsay Haisley fmouse at fmp.com
Mon Apr 16 14:29:55 EDT 2018

On Mon, 2018-04-16 at 11:06 -0700, Mark Sapiro wrote:
> On 04/16/2018 10:45 AM, Lindsay Haisley wrote:
>> > Apache will log the access, with IP addresse, but to the best of my
> > knowledge it won't log a Web UI login failure since this is an internal
> > matter for Mailman.
> As I said in my prior reply,

Sorry, Mark. I've been running about and missed your reply.

>  all Mailman login failures return a 401
> status. Just look in the Apache logs for Mailman URLs with a 401 status.

In which case, fail2ban should be able to parse these from log files
quite reliably. It's a very effective security tool which parses log
files of your choice, looking for strings (by regular expression) of
your choice, and writes rules to the system firewall (via iptables in
the case of Linux). Your challenge with fail2ban is writing the search
rules. fail2ban allows very flexible criteria for determining what
constitutes an attack, how long a blocking rules should last, etc. I
use it for many kinds of attacks and probes such as ssh brute force
attacks, Apache attempts to access non-existent pages, WordPress login
failures (via the "Fail2ban Redux" plugin), FTP login failures, and a
couple of others. As along as there's a log file which provides a basic
unique failure string, and an IP address source for the failure,
fail2ban will manage blocking. 

Lindsay Haisley       | "The first casualty when
FMP Computer Services |         war comes is truth."
512-259-1190          |            
http://www.fmp.com    |     -- Hiram W Johnson

More information about the Mailman-Users mailing list