> Actually he did it this way:
>
> Noticed that mydomain/mailman was browsable.
>
> Telneted to port 80 and sent a get request from there...ouch.

I do not have Telnet loaded on any of my systems, and I use tcp_wrappers to tightly control which remote sites can access any sites via ftp or secure_shell. Every day the logwatch report shows many, many sites that attempted to access the various systems, but were rejected by tcp_wrapper. I don't leave any system open with the default configuration and module loads.

>
> Sorting that now
>
> Dino
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Buttery
> Sent: 05 February 2003 11:27
> To: 'Mailman users Mailing list'
> Subject: Re: [Mailman-Users] Mailman Security.
>
>
> * dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -0000]:
>> I was just wondering what kind of security mailman offers, as far as
>> protecting user passwords goes?
>
> Pretty much none. It emails them cleartext once a month, for
> starters. The list signup page explicitly instructs subscribers not to
> use important passwords (even in bold!). The intent of the password
> system in Mailman (this is my interpretation, not backed up with any
> actual information) is to protect against malicious [un]subscriptions of
> others by casual idiots on the Net, not against determined attackers.
>
>> A techy friend of mine has just kindly emailed me a list of all users
>> and their passwords! Looking at my server logs it would appear that he
>> snuck in somehow via anonymous ftp.
>
> Then you have an incorrectly installed/configured/patched ftp server
> problem, not a mailman problem. :)
>
>> Would closing the anon. ftp service stop mailman working in any way, or
>> dya reckon he got in some place else?
>
> I don't see why stopping an ftpd would affect mailman...
>
> --
> ------------------------------------------------------------------------
> John Buttery
> (Web page temporarily unavailable)
> ------------------------------------------------------------------------
>
> ------------------------------------------------------
> Mailman-Users mailing list
> [EMAIL PROTECTED]
> http://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives:
> http://www.mail-archive.com/mailman-users%40python.org/
>
> This message was sent to: [EMAIL PROTECTED]
> Unsubscribe or change your options at
> http://mail.python.org/mailman/options/mailman-users/dinouk%40orange.net