[Vtigercrm-developers] Security?
Zebra Hosting
support at zebrahosting.eu
Tue Jul 1 08:35:42 GMT 2014
Alan,
2. Yes you can work around the admin issue but it should not be hardcoded
in the installer.
3. Not much but everything helps. If a security hole has been found and
published it is easier to do a search on "tiger" & "6.0" if all details
are published. Agree it is minor but still. Same reason I don't show the
generator meta tag in websites sources.
4. Agreed but don't forget all those people installing the CRM on public
(web)servers.
5. Block them from accessing the login form and yes to all web forms,
portal etc.
6. See 4. I can't expect all my users to use VPN. Curious how often that
is used here.
Bastiaan Houtkooper
Zebra Hosting
On 01-07-14 10:12, "Alan Lord" <alanslists at gmail.com> wrote:
>On 01/07/14 08:43, Zebra Hosting wrote:
>> Since the CRM is used to store a lot of personal data, I was wondering
>> how secure vTiger is and if there are any extra options we could
>>discuss.
>>
>> Let me start with a few points:
>> 1. At the login I don't see something simple as brute force protection.
>
>+1
>
>> 2. The standard admin user cannot be changed, it needs another account
>> and then needs to be deleted. Using standard admin usernames is bad
>> practice.
>
>In 5.4.0 as long as you had another admin user configured and you logged
>in with the new admin users credentials you could remove the default
>"admin" user. Does this not work in 6?
>
>> 3. Having the vTiger name and even the version number at the login
>> screen makes it very easy for hackers.
>
>I don't think this makes much difference frankly.
>
>> 4. It would be nice to have a black/whitelist to restrict access by IP.
>> (yes I know htaccess could be used but I'm talking about average users)
>
>This should be done at the network level not at the application layer.
>
>> 5. Use the http://www.projecthoneypot.org/ project to ban access at the
>> gate for spammers. (Works so very well in Joomla, I don't need to use
>> captchas anymore )
>
>vtiger doesn't really have a public "form" as such so I don't see the
>need for this? Maybe for the Customer Portal yes?
>
>> 6. Big warning in the installer to use https:// to encrypt the
>> loginscreen pw.
>
>This would only really be required if the CRM is visible from the
>Internet without going through a VPN surely?
>
>> 7. Minimum password length/complexity
>
>+1
>
>Al
>
>
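Points 1, 4 and 7 of the thread (login brute-force protection, an IP allowlist, and a minimum password policy) are the kind of checks a login handler can enforce itself. The block below is an added illustration, not vtiger code; the network ranges, limits and key names ("ip:..." / "user:...") are constructed assumptions, and the caller is expected to call the guard once per client IP and once per username on each failed login.

```python
import re
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy values for this example; not vtiger settings.
MAX_FAILURES = 5            # failed attempts allowed per key in the window
WINDOW_SECONDS = 300        # sliding window (seconds) for counting failures
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
MIN_PASSWORD_LENGTH = 12

class LoginGuard:
    """Sliding-window lockout; key by client IP ("ip:...") and username ("user:...")."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return q

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return len(self._prune(key, now)) >= self.max_failures

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now).append(now)

    def record_success(self, key):
        self.failures.pop(key, None)            # successful login clears the counter

def ip_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """Allowlist check: True only if the client is inside a permitted network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in networks)

def password_policy_errors(password, min_length=MIN_PASSWORD_LENGTH):
    """Return the policy rules the password violates (empty list if it passes)."""
    checks = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (re.search(r"[a-z]", password), "a lowercase letter"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"[0-9]", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Keying the lockout by username as well as by IP stops a single account being guessed from many addresses, while the per-IP key limits one address spraying many accounts.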