0

I am working on a MailMan implementation using Fedora 12. I have it set up and running but I was looking at what happens if someone tries to brute force a password on the web GUI and found that MailMan doesn't log these errors at all or I'm completely looking in the wrong place. I have tried both /var/log/httpd and /var/log/mailman and didn't see any authentication errors. I have also tried bumping up the Apache log level and still didn't see anything. I was wondering if there was a way to turn this type of logging on or if there was any other way to be notified about it. Thanks.

1 Answer

1

No, MailMan will not log brute force attacks. It will actually not log any errors except Python execution errors. It will also not log to the Apache error log, as it is not in any way, shape or form related to Apache.

In addition to that, Mailman password handling is NOT secure. All passwords are saved as clear text in config.pck, and while you can't view that file with any text editor, the dump utility that comes with MailMan would display it in clear text, so make sure you tell your users NOT to use secure passwords.

MailMan passwords are not meant to be terribly secure, as there are many other ways you could gain access to the emails and archives. If someone really wants to access your MailMan installation, they will do so, and the brute force password detection will not stop them.

solefald
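Since Mailman itself logs nothing here, one way to get notified is to count password-form submissions per client in the Apache access log, which records every request to the CGI pages. The script below is an added example, not part of the original answer or of Mailman; it assumes the common/combined log format, the Mailman 2.x CGI pages served under `/mailman/`, and an arbitrary threshold of 5 POSTs in 5 minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: client address, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
# Assumption: Mailman 2.x CGI pages that present a password form, under /mailman/.
LOGIN_PATH_RE = re.compile(r'^/mailman/(admin|admindb|options|private)(/|$)')

def find_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: largest number of POSTs to Mailman login pages seen inside
    `window`} for every client that reached `threshold` or more.
    The HTTP status is ignored: only request volume is measured."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    worst = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST' or not LOGIN_PATH_RE.match(m['path']):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        q = recent[m['ip']]
        q.append(ts)
        while ts - q[0] > window:     # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            worst[m['ip']] = max(worst.get(m['ip'], 0), len(q))
    return worst

# Constructed sample lines (documentation addresses, hypothetical list name).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2010:10:00:%02d +0000] '
    '"POST /mailman/admin/testlist HTTP/1.1" 200 2101' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [12/Mar/2010:10:01:00 +0000] "POST /mailman/options/testlist HTTP/1.1" 200 1850',
    '198.51.100.7 - - [12/Mar/2010:10:20:00 +0000] "GET /mailman/listinfo/testlist HTTP/1.1" 200 3020',
    '203.0.113.5 - - [12/Mar/2010:10:02:00 +0000] "POST /cgi-bin/other HTTP/1.1" 200 10',
]

if __name__ == '__main__':
    # On a real host, pass an open access log file instead of SAMPLE.
    for ip, count in find_bursts(SAMPLE).items():
        print(f'{ip}: {count} POSTs to Mailman login pages within 5 minutes')
```

Run from cron against the access log and mail the output if it is non-empty; the same per-IP count can also feed a firewall block list.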