[SAC] [OSGeo] #2463: geoserver-security under sustained access request attack

#2463: geoserver-security under sustained access request attack
---------------------------+-----------------------
Reporter: jive | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Keywords:
---------------------------+-----------------------
In the past couple of days we have been getting emails sent to
`geoserver-security-owner@lists.osgeo.org` from dummy accounts trying to subscribe.

Is there any way to turn off subscription requests, and manually manage
the limited list of members?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jive):

Anything we can do here? Can we take this list private ...

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:1>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by strk):

The mailing list owner, I think, can do that from the admin panel.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:2>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Changes (by wildintellect):

* owner: sac@… => jsanz
* component: Systems Admin => Mailing Lists

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:3>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jsanz):

Options for admins are available at

https://lists.osgeo.org/mailman/admin/geoserver-security/privacy

You can remove the list from being advertised in the mailman lists
frontpage, and maybe you can also add the confirm step, but as far as I
know there isn't a way to fully remove the subscription procedure and move
mailman to an "invitation-only" workflow.

Please let me know if you want me to change those settings for you.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:4>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by strk):

I found an old thread saying this is NOT possible with Mailman
(to confirm what jsanz is saying):
https://mail.python.org/pipermail/mailman-users/2010-September/070226.html

As this was 10 years ago I wonder if things changed...

Anyway, it's Python software, so maybe we can implement that change.
Pythonists reading this?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:5>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by strk):

Another option seems to be tweaking the subscription template:
https://mail.python.org/pipermail/mailman-users/2005-October/047223.html

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:6>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jsanz):

Also, it's worth noting that you can add regular expressions to the ban list
to block entire email domains.

https://lists.osgeo.org/mailman/admin/geoserver-security/?VARHELP=privacy/subscribing/ban_list

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:7>
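
An added example (not from the ticket, and not the OSGeo Mailman installation's own code) of how ban_list entries are evaluated against subscription requests, so an admin can test a pattern before pasting it into the privacy page. It follows the Mailman 2.1 ban_list semantics as documented (one entry per line; an entry starting with `^` is a case-insensitive regular expression, anything else is compared as a whole address, case-insensitively); the ban entries, candidate addresses and roster are constructed samples, and `roster_collateral` is a helper added here, not a Mailman function.

```python
"""Evaluate subscription requests against a Mailman 2.1-style ban_list.

Added example, not part of the ticket or of the OSGeo Mailman install.  It
follows the ban_list semantics documented for Mailman 2.1: one entry per
line; an entry starting with '^' is a case-insensitive regular expression,
anything else is compared as a whole address, case-insensitively.  The ban
entries, addresses and roster below are constructed samples.
"""
import re

# Constructed ban list for a list under subscription spam: one throwaway
# domain, one pattern for short local parts ending in 4+ digits, one literal.
BAN_LIST = [
    r"^.*@throwaway\.invalid$",
    r"^[a-z]{1,4}[0-9]{4,}@",
    "mallory@example.net",
]


def compile_ban_list(entries):
    """Split ban entries into compiled regexes and lower-cased literals.

    Entries that fail to compile are reported in the third return value:
    Mailman skips such entries, so a typo in the admin panel silently bans
    nothing.  Check `rejected` before trusting a new pattern.
    """
    patterns, literals, rejected = [], set(), []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("^"):
            try:
                patterns.append(re.compile(entry, re.IGNORECASE))
            except re.error:
                rejected.append(entry)
        else:
            literals.add(entry.lower())
    return patterns, literals, rejected


def matching_entry(address, patterns, literals):
    """Return the ban entry that matches `address`, or None if it is allowed."""
    addr = address.strip().lower()
    if addr in literals:
        return addr
    for p in patterns:
        if p.search(addr):  # the leading '^' anchors the search at the start
            return p.pattern
    return None


def triage(addresses, entries):
    """Map each candidate address to the matching ban entry (None = allowed)."""
    patterns, literals, _ = compile_ban_list(entries)
    return {a: matching_entry(a, patterns, literals) for a in addresses}


def roster_collateral(roster, entries):
    """Existing members that a proposed ban_list would also reject.

    A regex broad enough to stop dummy sign-ups can also match legitimate
    addresses; running the proposed list over the current roster shows how
    blunt it is before it is saved.  (Helper added here, not a Mailman API.)
    """
    patterns, literals, _ = compile_ban_list(entries)
    return sorted(m for m in roster if matching_entry(m, patterns, literals))


if __name__ == "__main__":
    candidates = ["alice@example.org", "bot12345@mail.example",
                  "Mallory@Example.net", "anything@throwaway.invalid"]
    for addr, entry in triage(candidates, BAN_LIST).items():
        print(f"{addr:30} {'BANNED by ' + entry if entry else 'allowed'}")
    print("roster collateral:",
          roster_collateral(["carol@example.org", "dev2024@example.org"], BAN_LIST))
```

The roster check is the part worth keeping: in the sample, the digit-suffix pattern that catches `bot12345@` also catches an existing member `dev2024@example.org`, which is exactly the kind of false positive a list owner wants to see before saving the pattern.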

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------
Changes (by jive):

* Attachment "many.png" added.


--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jive):

Please see attachment, we are getting hundreds of these subscription
requests a week.

Is this mailing list just unlucky, or are others also under sustained
attack?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:8>
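
An added example (not from the ticket, not code from the OSGeo list servers) of how to put a number on "hundreds of requests a week" and to see whether one list is singled out: it parses Mailman-style subscription log lines, counts pending requests per list and day, and flags source IPs that file several requests within a short window. The log line layout (timestamp, pid, list name, `pending`, address, requesting IP) is a constructed approximation of Mailman 2.1's `logs/subscribe` entries, and the sample lines, thresholds and helper names are all assumptions of this example.

```python
"""Summarise subscription-request volume from Mailman-style 'subscribe' log lines.

Added example, not the OSGeo servers' code.  The line format below is a
constructed approximation of Mailman 2.1's logs/subscribe entries; adjust
LOG_RE to whatever your installation actually writes.  All sample lines
are constructed (documentation IPs and .invalid/.example domains).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
    r"(?P<list>[\w.-]+): pending (?P<addr>\S+) (?P<ip>\S+)$"
)

# Constructed sample: two ordinary sign-ups and a burst from two sources,
# mostly aimed at one list.
SAMPLE_LOG = """\
Mar 02 09:12:44 2020 (11021) geoserver-security: pending alice@example.org 198.51.100.20
Mar 03 01:00:05 2020 (11544) geoserver-security: pending qx7k@throwaway.invalid 203.0.113.9
Mar 03 01:00:07 2020 (11545) geoserver-security: pending m3p0@throwaway.invalid 203.0.113.9
Mar 03 01:00:09 2020 (11546) geoserver-security: pending vv19@throwaway.invalid 203.0.113.9
Mar 03 01:00:12 2020 (11547) grass-user: pending t8ya@throwaway.invalid 203.0.113.10
Mar 03 01:00:15 2020 (11548) geoserver-security: pending zz02@throwaway.invalid 203.0.113.10
Mar 04 15:30:00 2020 (12990) geoserver-security: pending bob@example.net 198.51.100.77
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse(lines):
    """Yield (timestamp, list, address, ip) for every line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
            yield ts, m["list"], m["addr"], m["ip"]


def requests_per_day(lines):
    """Counter keyed by (list, 'YYYY-MM-DD'): how many pending requests each day."""
    counts = Counter()
    for ts, lst, _, _ in parse(lines):
        counts[(lst, ts.strftime("%Y-%m-%d"))] += 1
    return counts


def top_domains(lines, n=5):
    """Most frequent address domains across all requests."""
    domains = Counter(addr.rsplit("@", 1)[-1].lower() for _, _, addr, _ in parse(lines))
    return domains.most_common(n)


def flag_bursts(lines, window_s=60, min_requests=3):
    """Return sorted (list, ip, count) for IPs filing >= min_requests within window_s.

    Sliding window over each (list, ip)'s sorted timestamps; the count is the
    largest number of requests that fit inside one window.
    """
    by_key = defaultdict(list)
    for ts, lst, _, ip in parse(lines):
        by_key[(lst, ip)].append(ts)
    flagged = []
    for (lst, ip), times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_requests:
            flagged.append((lst, ip, best))
    return sorted(flagged)


if __name__ == "__main__":
    for (lst, day), n in sorted(requests_per_day(SAMPLE_LINES).items()):
        print(f"{day} {lst:22} {n}")
    print("top domains:", top_domains(SAMPLE_LINES))
    print("bursts:", flag_bursts(SAMPLE_LINES))
```

Per-day counts per list answer the "just unlucky?" question directly when run over every list's log; the burst report and the domain tally are what you would attach to a ticket like this one, and they also give the ban_list regex something concrete to target.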

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by jive):

From Jukka:

> Filtering the incoming mails coming from geoserver-security list mainly
> hides the issue that we have with the subscription spam. Could it be
> possible to add recaptcha or anything to stop at least most subscription
> requests from a robot that some friendly people have obviously hired? The
> list seems to be handled by mailman and I found some links that feel
> relevant, like
> https://www.dragonsreach.it/2018/02/26/adding-recaptcha-v2-support-mailman/.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:9>

#2463: geoserver-security under sustained access request attack
---------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mailing Lists | Resolution:
Keywords: |
---------------------------+------------------------

Comment (by neteler):

FYI, this mess also affects other lists: stolen email addresses seem to be
registered and their respective owners complain about unsolicited
subscription to the list managers (incl. me).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:10>

#2463: geoserver-security under sustained access request attack
-----------------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: Mails & Mailing Lists | Resolution:
Keywords: |
-----------------------------------+------------------------
Comment (by robe):

Is this still an issue? I know we've made several upgrades but we haven't
put in recaptcha.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:11>

#2463: geoserver-security under sustained access request attack
-----------------------------------+------------------------
Reporter: jive | Owner: jsanz
     Type: task | Status: closed
Priority: normal | Milestone: Unplanned
Component: Mails & Mailing Lists | Resolution: fixed
Keywords: |
-----------------------------------+------------------------
Changes (by cvvergara):

* status: new => closed
* resolution: => fixed

Comment:

Was told by @jive that it can be closed.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2463#comment:12>