[Mailman-Users] [Suspected Spam]Re: Brute force attacks on mailman web ui
Stephen J. Turnbull
stephen at xemacs.org
Sat Apr 21 12:51:58 EDT 2018
> So you know exactly who your users are, and can pre-register them
> while they are not in China.
No. China may, or may not, block any given email provider without
warning. They may need to provide a new address *from that address*
(or their mother's, which I also don't know).
If I can figure out how they can use X.509 auth with mail or thru the
web, that will do the trick for authentication, of course. I might
use fwknop to conceal authenticated services.
> Geographic IP address is the wrong hammer for this nail.
Yes, I understand that. Tell it to Chairman Xi, please.
> GeoIP will never get you down to the level of granularity and accuracy
> that you want.
Sure it will. If I can block 95% of Chinese attempts to connect on
SYN, that's a win.
> Even if it did, people with phones move - apartment, coffee shop,
Whether that means they'll be out of the geographic area allowed
depends on how the provider allocates IP addresses.
> And in your scenario, you can block all of China, since you can
> register your students while they are at your school (which
> presumably is not in China).
It's not, but no, I'm not sure I can, for the reason given above.
> So use the registration website to issue an X.509 certificate,
> register a hardware token, issue fwknop key - whatever you choose
> as your token (credential). Then use that token to protect routine
> access to the mailman web ui AND mail servers.
I know how to issue such things, or can find out. What I don't know
how to do is enable devices to use them, and whether I can configure
once, or teach students to do it. I also wonder what Chinese
immigration authorities would think of a fwknop app on an iPhone....
> Even if you don't have a native MUA, you can provide a web-based e-mail
> account on your server for your users - e.g. squirrelmail, roundcube,
That's a last resort. They won't use that account frequently (if at
all), which really counts against it. I would want something that
they use under normal circumstances that they're used to, and have
some idea how to configure on a new phone, etc.
> Mobile web browsers certainly support x.509 client auth.
This seems like the route to go, then. Use a nonstandard port to
screen out the dumbest kiddies, or maybe fwknop.
> Issue their keys before they go home, and you're done. Optionally,
> provide some form of recovery/reissue for the "I lost my phone" case.
I'm not sanguine about "issue keys and you're done". There are users
in the loop, and they're not terribly security-savvy. I'm not saying
it's insanely difficult, but the system would be an unfamiliar one
that is a SPOF. The recovery/reissue feature wouldn't be optional:
the trips I'd be worrying about would be on location data-gathering
> In any case, I think we've probably exhausted the patience of
> mailman-users since we're off into the general problem of keeping
> our servers alive in the jungle...
Well, the considerations of dealing with user-hostile environments
like the Great Firewall are pretty special, but the jungle *is*
general. I.e., it applies to Mailman servers too. I don't know
anybody who runs a list who doesn't run into abuse from time to time.
Thanks for the ideas and software suggestions!
More information about the Mailman-Users