Re: [Mailman-Users] Mod_Security
On 08/01/2018 09:43 AM, Bernie Cosell wrote:
> And I tried my program on the Bluehost version and I was greeted with
>
> Not Acceptable!
> Not Acceptable!
> An appropriate representation of the requested resource could not be
> found on this server. This error was generated by Mod_Security.

mod_security is an Apache webserver module that has a complex ruleset used to examine every request and response. It attempts to detect and prevent malicious activity. Doc on https://www.modsecurity.org.

It is not uncommon for form submissions to run afoul of mod_security rules. Typically, there are cases where data is encoded in ways that appear to be hiding something - e.g. %-encoding URLs or POST data where it's not necessary, excessively long URLs or large POSTs - and so on. There's a pretty large list. Most are regexes applied at various stages of request processing; some are based on things like request size. Some are rules that assume a pretty dumb web service; where you know that Mailman can cope with constructs/sizes/encodings, you're expected to disable those rules on the URLs that it serves.

There will be logs on the server that specify exactly what rule was tripped, its id, and the suspect input. Then there are three courses of action possible:

o The rule can be disabled by ID in the webserver config, for the specific mailman POST URL (or globally, but that's not smart). It's also possible to completely disable mod_security for a URL or vhost - but that's also not advisable.

o Mailman can be changed to not require input that trips the rule.

o Your client can be changed not to generate input that trips the rule.

You will need help from someone with admin privs to at least share the logs, if not make adjustments to the mod_security configuration. Like any protective filter, it takes some thought and analysis to make the right changes. That is the change that allows what you want, but doesn't open an unintended attack surface.

In my experience, these issues are never caused by just one rule - if an application trips one, waiving or fixing it will only get you to the next one. It can take a while to get to a workable ruleset. It is generally worth the trouble, as mod_security is effective at protecting against quite a few exploits. It does take a while to learn how it works and how to teach it how to stay out of your way.

There are two things likely to be changed on the server end: the webserver config file that will include directives to disable specific rules on particular URLs, and possibly a set of customized rule overrides for Mailman. (These can go in separate files that are dropped in the rules directory.)

Once that's done, sharing the result with the MM community would save others a lot of repeat effort.

Good hunting.

--
Mailman-Users mailing list
Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
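The reply above describes the admin-side workflow: read the server log to find which rule fired, its id and the input it matched, then disable that rule by id for the specific Mailman URL rather than globally. The following script is an added example (not code from the thread or from the ModSecurity or Mailman projects) that does the log-reading half and drafts the per-URL exclusion. It parses the `[key "value"]` message format ModSecurity 2.x writes to the Apache error log, groups hits by request URI and rule id, and renders `SecRuleRemoveById` directives inside `<LocationMatch>` blocks with the evidence as comments. The log lines, hostnames, client address, rule ids and rule files are constructed for the example and are not real CRS ids or Bluehost output.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape ModSecurity 2.x uses when it logs to
# the Apache error log. Host, client, rule ids, file names and the matched
# data are made up for this example; the ids are not real CRS rule ids.
SAMPLE_LOG = """\
[Wed Aug 01 09:43:10.123456 2018] [:error] [pid 2411] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "%[0-9a-fA-F]{2}" at ARGS:email. [file "/etc/modsecurity/rules/sample-encoding.conf"] [line "12"] [id "100001"] [msg "URL-encoded data where none expected"] [hostname "lists.example.org"] [uri "/mailman/options/testlist"] [unique_id "W2HdAAAAAAAAAAAAAAAA"]
[Wed Aug 01 09:43:10.124000 2018] [:error] [pid 2411] [client 192.0.2.10] ModSecurity: Warning. Operator GT matched 4096 at REQUEST_HEADERS:Content-Length. [file "/etc/modsecurity/rules/sample-size.conf"] [line "7"] [id "100002"] [msg "POST body larger than expected"] [hostname "lists.example.org"] [uri "/mailman/options/testlist"] [unique_id "W2HdAAAAAAAAAAAAAAAA"]
[Wed Aug 01 09:44:02.000001 2018] [:error] [pid 2412] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "%[0-9a-fA-F]{2}" at ARGS:email. [file "/etc/modsecurity/rules/sample-encoding.conf"] [line "12"] [id "100001"] [msg "URL-encoded data where none expected"] [hostname "lists.example.org"] [uri "/mailman/subscribe/testlist"] [unique_id "W2HdBBBBBBBBBBBBBBBB"]
[Wed Aug 01 09:45:00.000000 2018] [notice] [pid 2400] AH00094: Command line: '/usr/sbin/apache2'
"""

# [key "value"] pairs such as [id "100001"] [uri "/mailman/..."]
_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# the variable the operator matched: '... at ARGS:email. [file ...'
_TARGET_RE = re.compile(r'\bat (\S+)\. \[file')
_DENIED_RE = re.compile(r'Access denied with code (\d+)')


def parse_modsec_log(text):
    """Return one dict per ModSecurity message; unrelated error-log lines are skipped."""
    events = []
    for line in text.splitlines():
        if 'ModSecurity:' not in line:
            continue
        fields = dict(_KV_RE.findall(line))
        if 'id' not in fields:
            continue
        target = _TARGET_RE.search(line)
        denied = _DENIED_RE.search(line)
        events.append({
            'id': fields['id'],
            'uri': fields.get('uri', '?'),
            'msg': fields.get('msg', ''),
            'target': target.group(1) if target else None,
            'denied_code': int(denied.group(1)) if denied else None,
        })
    return events


def summarize(events):
    """Group hits by URI and rule id: hit count, rule message, matched targets,
    and whether any hit actually blocked the request (vs. only warned)."""
    summary = defaultdict(dict)
    for e in events:
        entry = summary[e['uri']].setdefault(
            e['id'], {'count': 0, 'msg': e['msg'], 'targets': set(), 'blocked': False})
        entry['count'] += 1
        if e['target']:
            entry['targets'].add(e['target'])
        if e['denied_code'] is not None:
            entry['blocked'] = True
    return dict(summary)


def exclusion_config(summary):
    """Render Apache/ModSecurity directives that disable each tripped rule only
    for the URI it was tripped on. The evidence goes in comments above each
    directive, because Apache only allows comments on lines of their own."""
    out = []
    for uri in sorted(summary):
        out.append(f'<LocationMatch "^{re.escape(uri)}$">')
        for rule_id in sorted(summary[uri]):
            entry = summary[uri][rule_id]
            targets = ', '.join(sorted(entry['targets'])) or 'n/a'
            state = 'blocked' if entry['blocked'] else 'warned'
            out.append(f'    # {entry["msg"]}: {entry["count"]} hit(s), '
                       f'{state}, matched {targets}')
            out.append(f'    SecRuleRemoveById {rule_id}')
        out.append('</LocationMatch>')
    return '\n'.join(out)


if __name__ == '__main__':
    print(exclusion_config(summarize(parse_modsec_log(SAMPLE_LOG))))
```

Treat the output as a draft to review, not something to paste in blindly. Under anomaly scoring the "Access denied" line is reported by the scoring-evaluation rule, and the rules that actually matched the form data only log "Warning." lines, so both kinds are collected and the evaluation rule itself should be left out of the exclusions. Where the matched target is a single form field, ModSecurity 2.x also offers a narrower exclusion that removes only that variable from the rule (`ctl:ruleRemoveTargetById`) instead of disabling the whole rule for the URL; the `matched` comment is there so the admin can make that choice.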
Re: [Mailman-Users] Mod_Security
On 1 Aug 2018 at 17:30, Andrew Hodgson wrote:
> Can you provide steps of how you set up Mailman on the different
> providers since it looks like you are using some type of packaged or
> managed service which is providing features that are not part of the
> stock Mailman and may get in the way of what you are trying to do. It
> is difficult to provide support on here especially if there are other
> modules being used to provide extra site protection etc.

I have no way to determine that -- I'm just a user with no admin privs, so I can't actually look at the mailman installation -- all I can do is try to use it

/b\
Bernie Cosell
ber...@fantasyfarm.com
-- Too many people; too few sheep --
Re: [Mailman-Users] Mod_Security
On 08/01/2018 09:43 AM, Bernie Cosell wrote:
> And I tried my program on the Bluehost version and I was greeted with
>
> Not Acceptable!
> Not Acceptable!
> An appropriate representation of the requested resource could not be
> found on this server. This error was generated by Mod_Security.

This definitely looks like something in the web server at Bluehost rejecting your POST before it ever gets to Mailman. Mod_Security is a web server firewall.

Does Bluehost require HTTPS and if so, are you POSTing via HTTPS?

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
Re: [Mailman-Users] Mod_Security
Hi,

Can you provide steps of how you set up Mailman on the different providers since it looks like you are using some type of packaged or managed service which is providing features that are not part of the stock Mailman and may get in the way of what you are trying to do. It is difficult to provide support on here especially if there are other modules being used to provide extra site protection etc.

Andrew.

-----Original Message-----
From: Mailman-Users On Behalf Of Bernie Cosell
Sent: 01 August 2018 17:44
To: mailman-users@python.org
Subject: [Mailman-Users] Mod_Security

I'm still working on the auto-submission stuff. I set up another test mailing list, this one on Bluehost. First, I compared the HTML of the members/unsubscribe page and they are *identical* [except for having different URLs for the links to the various pages].

And I tried my program on the Bluehost version and I was greeted with

Not Acceptable!
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

OK, next step is to do a complete packet-capture of the transactions with Dreamhost and wireshark it to see what is strange versus what my program is doing...

and mailman's forms seemed so simple... :o)

/b\
Bernie Cosell
ber...@fantasyfarm.com
-- Too many people; too few sheep --
[Mailman-Users] Mod_Security
I'm still working on the auto-submission stuff. I set up another test mailing list, this one on Bluehost. First, I compared the HTML of the members/unsubscribe page and they are *identical* [except for having different URLs for the links to the various pages].

And I tried my program on the Bluehost version and I was greeted with

Not Acceptable!
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

OK, next step is to do a complete packet-capture of the transactions with Dreamhost and wireshark it to see what is strange versus what my program is doing...

and mailman's forms seemed so simple... :o)

/b\
Bernie Cosell
ber...@fantasyfarm.com
-- Too many people; too few sheep --