User Tools

Site Tools


security_notes

copy UID and shadow passwords from Amber

Let's Encrypt Webalyzer fail2ban

Summary: Archived mail being read by bots, which is not wanted.

In investigating the recent e-mail security breach, I noticed the
entire discuss list archive being read by bots, probably including
e-mail address harvesting for spammer use. This in spite of us
thinking this had been blocked by password authentication to
prevent this. Apparently they found a back door that we missed.

Summary: One back door path into archives blocked, the other pending.

Longer summary: Apache configuration for www.stlwebdev.org is changed to prevent that domain being used to access all mailing lists on www.sluug.org without any password protection. Remaining is to change www.sluug.org to prevent it being used as a back door into www.stlwebdev.org and also block the "htdig" path to bypass security. The change is to block all access by default, on both paths, then allow appropriate access to specific lists. See code below.

The change was to use <LocationMatch> to block all access or require password. This was specific to the Malman "htdig" tool. I don't think there are others, but if any of these are suspect, please investigate.

admin    confirm  edithtml  listinfo  options  rmlist  subscribe
admindb  create   htdig     mmsearch  private  roster

Feel free to test access to the webdev mailing lists works and that access to the SLUUG lists are now blocked when using "stlwebdev.org". If you can find any other access holes that need to be plugged, speak up. Attempting access to unauthorized lists results in a 403 error, which isn't very friendly, but normal users shouldn't find these URLs to receive the error anyway. More friendly would be to redirect to an error page with descriptive text.

Note that the configuration for "sluug.org" hasn't been changed yet, so there are still access holes through that domain.

Original "htdig" problem: Part of the problem with this security, at least for some humans, seems to be that every archived list posting has two URLs, one for pipermail/mailman and the other for mailman/htdig. I don't think we had that with Majordomo/MHonArc. It appears mailman does mail distribution, pipermail WAS the default archiver provided with mailman, and htdig is independent. According to Wikipedia, the mail archiver for mailman has changed from pipermail to hyperkitty.

  https://en.wikipedia.org/wiki/GNU_Mailman

Newly discovered problem: Oops, not two URLs, but four (not counting https, which doesn't matter for this). That is why I was able to access "stlwebdev" list postings via "sluug.org" domain. They are protected via "stlwebdev.org", but not "sluug.org". And the reverse, SLUUG lists are protected via "sluug.org", but not via "stlwebdev.org".

Originally no authentication needed, now denied completely:

  http://www.stlwebdev.org/pipermail/sysadmin/2018-May/008960.html
  http://www.stlwebdev.org/mailman/htdig/sysadmin/2018-May/008960.html
  http://www.stlwebdev.org/pipermail/sysadmin/2018-May/
  http://www.stlwebdev.org/mailman/htdig/sysadmin/2018-May/
  http://www.stlwebdev.org/pipermail/sysadmin/
  http://www.stlwebdev.org/mailman/htdig/sysadmin/

Password authentication needed before and still needed:

  http://www.stlwebdev.org/pipermail/stlwebdev/
  http://www.stlwebdev.org/pipermail/stlwebdev-announce/
  http://www.stlwebdev.org/pipermail/stlwebdev-announce/2009/date.html
  http://www.stlwebdev.org/pipermail/stlwebdev-announce/2009/000002.html

Fails when using https, because https not configured:

  https://www.stlwebdev.org/pipermail/stlwebdev/
      Fails with: Site does not exist on this server!!!
  https://www.stlwebdev.org/
      Fails with: You don't have permission to access / on this server
  https://webdev.sluug.org/
      Fails with: You don't have permission to access / on this server

Since all domains and aliases end up in a single log file, in is nearly impossible to tell which domain is used to retrieve many URLs (files), such as "/", that are common to more than one domain.

  Mike Knight
  
security_notes.txt · Last modified: 2018/06/07 10:39 by SLUUG Administration