On 05/31/2018 06:37 PM, incoming-pythonli...@rjl.com wrote:
> Both are valid alternatives. There may be performance advantages to stopping attacks at the firewall level instead of higher up in the application stack.

Agreed, on both accounts.

Firewalls also have a tendency to protect multiple machines, not just one. (I'm referring to network appliance type firewalls, not host based.)

> No, this is not security through obscurity. It runs on a different port so I can add firewall rules that affect only the mailman service and not other web applications.

Fair enough.

> I need to give my users a URL that they can easily remember. It's too complex to have to give them URLs with port numbers in them, and since this is not security through obscurity, it is not a problem.

Fair.

> yes

*nod*

> There are many ways to implement the same thing. Before there were modules in the kernel for this, I simply pulled lists of address blocks out of databases and incorporated them into my IPtables lists. There are better tools to do this today.

ACK

I'm curious, did you use IPSets or just a rule per network / IP?

> It was unclear from the OP's initial posting whether it was a private or a public mailing list. What I describe here probably would not be appropriate for a public list, and the best solution there is probably to upgrade to mailman 3 if they need a more secure interface that is wide open to the public. VPN and/or fwknop (which is primarily SPA, though the older port knocking is still supported) are more suitable if you have a private list where user membership must be approved anyway and your moderators and admins might use these tools to have access to mailman, but the web GUI would be blocked from public access.

> Certainly adding web server based username authentication sounds pretty cumbersome to me because users would have to login twice,

Maybe, maybe not.

I've seen applications that can re-use the web server's authentication mechanism. This would likely be a code change to Mailman. (I have no idea how big.)

> though from a security standpoint it would help protect from vulnerabilities in the mailman web GUI.

;-)

> There's no one answer to solving these problems. I'm only sharing ideas that have worked for me. The less of the public Internet that can apply brute force attacks on your web interface, the less likely you are to have a compromise. Also, the less junk in your log files, the easier it is to monitor the logs.

Nope. Hence my interest in what others have done and why they did it. I'm always interested in observing and hopefully learning.

> I plan to go to mailman 3, but in the meantime I have minimal issues with attacks on my mailman GUI. Maybe not the perfect solution for everyone, but it is effective.

If it does what you need it to and you feel comfortable maintaining it, then more power to you.



--
Grant. . . .
unix || die
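As an added illustration of the approach discussed in this thread (a Mailman web GUI on its own port, reachable only from an allow list of networks kept in an ipset, with the rest dropped and logged sparingly so the logs stay readable), here is a small script. It is not code from either poster; the port number 8443, the set name mailman_allow and the sample CIDR blocks are assumptions, and DRY_RUN defaults to printing the commands instead of running them, since the real thing needs root.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a Mailman web GUI that listens on a
# dedicated port to an ipset of allowed networks, drop everything else to that port,
# and rate-limit the log entries for the drops.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (needs root).

MAILMAN_PORT="${MAILMAN_PORT:-8443}"     # assumed dedicated port for the Mailman web GUI
SET_NAME="${SET_NAME:-mailman_allow}"    # assumed ipset name holding the allowed networks
DRY_RUN="${DRY_RUN:-1}"

# Either print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build (or rebuild) the allow set from CIDR blocks given as arguments, for example
# pulled from a database as the thread describes. hash:net accepts whole networks;
# -exist makes the create/add idempotent so the script can be re-run safely.
build_allow_set() {
    run ipset create "$SET_NAME" hash:net -exist
    run ipset flush "$SET_NAME"
    for net in "$@"; do
        run ipset add "$SET_NAME" "$net" -exist
    done
}

# Install three INPUT rules for the GUI port only, so other web applications on the
# host are untouched: accept sources in the set, log other attempts at most 5/min
# (keeps "junk" out of the logs), then drop them.
install_rules() {
    run iptables -A INPUT -p tcp --dport "$MAILMAN_PORT" \
        -m set --match-set "$SET_NAME" src -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$MAILMAN_PORT" \
        -m limit --limit 5/min -j LOG --log-prefix "mailman-gui-drop: "
    run iptables -A INPUT -p tcp --dport "$MAILMAN_PORT" -j DROP
}

# When run directly with CIDR arguments, build the set and install the rules.
if [ "$#" -gt 0 ]; then
    build_allow_set "$@"
    install_rules
fi
```

Run it as `./mailman-allow.sh 10.0.0.0/8 192.168.1.0/24` to see the commands it would issue; set `DRY_RUN=0` and run as root to apply them. Because the allow list lives in the ipset rather than in one iptables rule per network, it can be refreshed from the database without touching the rules themselves.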
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
