[Vtigercrm-developers] Fwd: Re: Security?

Vic Cekvenich vic.cvc at gmx.com
Sun Aug 17 19:14:49 GMT 2014



-------- Original Message --------
Subject: Re: [Vtigercrm-developers] Security?
Date: Tue, 01 Jul 2014 09:12:15 +0100
From: Alan Lord <alanslists at gmail.com>
Reply-To: vtigercrm-developers at lists.vtigercrm.com
To: vtigercrm-developers at lists.vtigercrm.com

On 01/07/14 08:43, Zebra Hosting wrote:
> Since the CRM is used to store a lot of personal data, I was wondering
> how secure vTiger is and if there are any extra options we could discuss.
>
> Let me start with a few points:
> 1. At the login I don't see something as simple as brute-force protection.

+1

> 2. The standard admin user cannot be changed; it needs another account
> and then needs to be deleted. Using standard admin usernames is bad
> practice.

In 5.4.0, as long as you had another admin user configured and you logged 
in with the new admin user's credentials, you could remove the default 
"admin" user. Does this not work in 6?

> 3. Having the vTiger name and even the version number at the login
> screen makes it very easy for hackers.

I don't think this makes much difference frankly.

> 4. It would be nice to have a black/whitelist to restrict access by IP.
> (Yes, I know htaccess could be used, but I'm talking about average users.)

This should be done at the network level not at the application layer.

> 5. Use the http://www.projecthoneypot.org/ project to ban access at the
> gate for spammers. (Works so very well in Joomla; I don't need to use
> captchas anymore.)

vtiger doesn't really have a public "form" as such, so I don't see the 
need for this? Maybe for the Customer Portal, yes?

> 6. Big warning in the installer to use https:// to encrypt the
> login-screen password.

This would only really be required if the CRM is visible from the 
Internet without going through a VPN surely?

> 7. Minimum password length/complexity

+1

Al
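Points 1 and 7 of the thread (brute-force protection at the login and a minimum password length/complexity) are the two that can be shown in code. The block below is an added example written for this page; it is not vtiger code and not part of either message. Everything in it is assumed for illustration: the policy constants (five failures in ten minutes, a fifteen-minute lockout, twelve-character minimum), the function and class names, PBKDF2 as the password hash, and the constructed scenario in `demo()`. The throttle counts failures both per account and per client IP, so that a single IP spraying many accounts is stopped as well as many IPs targeting one account, and the clock is injectable so the lockout expiry can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

# Policy constants: assumed values for this example, not vtiger settings.
MAX_FAILURES = 5            # failed attempts (per account or per IP) before a lockout
FAILURE_WINDOW = 600        # seconds; failures older than this are forgotten
LOCKOUT_SECONDS = 900       # how long a locked account/IP stays locked
PASSWORD_MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_policy_errors(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < PASSWORD_MIN_LENGTH:
        errors.append("too short (minimum %d characters)" % PASSWORD_MIN_LENGTH)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        errors.append("needs at least three of: lower, upper, digit, symbol")
    if username and username.lower() in password.lower():
        errors.append("must not contain the username")
    return errors


class LoginThrottle:
    """Counts failed logins per account and per client IP; the clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> clock value at which the lock expires

    @staticmethod
    def _keys(username, ip):
        return (("user", username.lower()), ("ip", ip))

    def is_locked(self, username, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0.0) > now for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            recent = [t for t in self.failures[k] if now - t < FAILURE_WINDOW]
            recent.append(now)
            if len(recent) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS
                recent = []                 # start counting afresh once the lock expires
            self.failures[k] = recent

    def record_success(self, username):
        # Only the account counter is reset. Clearing the IP counter on success would let an
        # attacker who knows one valid login reset the limit for every other account they try.
        self.failures.pop(("user", username.lower()), None)


def attempt_login(throttle, users, username, password, ip):
    """Return 'locked', 'ok' or 'denied'. `users` maps username -> (salt, digest)."""
    if throttle.is_locked(username, ip):
        return "locked"
    # Run the hash even for unknown users so response time does not reveal whether the account exists.
    salt, stored = users.get(username, (b"\x00" * 16, b"\x00" * 32))
    _, candidate = hash_password(password, salt)
    if username in users and hmac.compare_digest(candidate, stored):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


def demo():
    """Constructed scenario: five wrong guesses lock the account for every IP until the lockout expires."""
    clock = [1000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    users = {"alice": hash_password("Correct-Horse-Battery-9")}
    results = [attempt_login(throttle, users, "alice", "guess%d" % i, "203.0.113.5")
               for i in range(MAX_FAILURES)]
    # The right password from a different IP is still refused: the lock is on the account.
    results.append(attempt_login(throttle, users, "alice", "Correct-Horse-Battery-9", "198.51.100.7"))
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(attempt_login(throttle, users, "alice", "Correct-Horse-Battery-9", "198.51.100.7"))
    return results


if __name__ == "__main__":
    print(demo())
    print(password_policy_errors("alice123", "alice"))
```

Note that the throttle state lives in memory here; in a real deployment it has to sit in shared storage (the database or a cache) so that every web worker sees the same counters, and lockout events should be logged so the SOC can spot a spray in progress. The per-IP counter also needs the real client address: behind a reverse proxy that means trusting `X-Forwarded-For` only from the proxy itself.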


_______________________________________________
http://www.vtiger.com/
