[Vtigercrm-developers] Security?

mat mathdesc at yahoo.fr
Tue Jul 1 12:19:21 GMT 2014


Hi Alan, Bastiaan,

Just to share my thoughts:

On Tuesday, 01 July 2014 at 09:12 +0100, Alan Lord wrote:

> On 01/07/14 08:43, Zebra Hosting wrote:
> > Since the CRM is used to store a lot of personal data, I was wondering
> > how secure vTiger is and if there are any extra options we could discuss.
> >
> > Let me start with a few points:
> > 1. At the login I don't see something as simple as brute-force protection.
> 
> +1

+1 -> A simple captcha is deceptive enough to robots (but also to
humans -> see honeypots).

> 
> > 2. The standard admin user cannot be changed; it needs another account
> > and then needs to be deleted. Using standard admin usernames is bad
> > practice.
> 
> In 5.4.0, as long as you had another admin user configured and you logged
> in with the new admin user's credentials, you could remove the default
> "admin" user. Does this not work in 6?

Agreed with Bastiaan, it is a bad practice; sure, it does work.
Furthermore, I haven't found anything talking
about that substitution workaround in the "official manual"; also,
even if it did, it looks like a risky operation for an average user.
BTW, is the admin user really wiped from the database when doing this?


> > 3. Having the vTiger name and even the version number at the login
> > screen makes it very easy for hackers.
> 
> I don't think this makes much difference frankly.

I disagree on the principle: any easily gained valuable information is a
temptation for easy *cracking*.


> 
> > 4. It would be nice to have a black/whitelist to restrict access by IP.
> > (Yes, I know htaccess could be used, but I'm talking about average users.)
> 
> This should be done at the network level not at the application layer.
> 
> > 5. Use the http://www.projecthoneypot.org/ project to ban access at the
> > gate for spammers. (Works so very well in Joomla, I don't need to use
> > captchas anymore.)
> 
> vtiger doesn't really have a public "form" as such so I don't see the 
> need for this? Maybe for the Customer Portal yes?
> 
> > 6. Big warning in the installer to use https:// to encrypt the
> > login screen pw.
> 
> This would only really be required if the CRM is visible from the 
> Internet without going through a VPN surely?
> 

On those points, Bastiaan points out something fundamental, I think.
It is factual: users do this without even thinking of it, as many hosting
services companies offer a one-click hosted-and-ready-to-roll vtiger. This is
not a customer-portal-specific issue only.

I personally wouldn't rely on the idea that all users own their
network, nor that they can change relevant settings on it to achieve
better security in the software (if that makes sense).

Actually, the general assumption should rather be the exact opposite.



> > 7. Minimum password length/complexity
> 
> +1
> 
> Al
> 
> 
> _______________________________________________
> http://www.vtiger.com/
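As an added example (not code from this thread or from vtiger itself), here is how points 1 and 7 and the honeypot idea above could be expressed as a login guard: a sliding-window count of failed attempts per account and per source address, a hidden honeypot form field that humans never fill, and a password-policy check. The thresholds, the field name and the injectable clock are assumptions made for the example.

```python
import re
import time
from collections import defaultdict, deque

# Assumed thresholds for the example; tune them for a real deployment.
WINDOW_SECONDS = 600        # sliding window in which failures are counted
MAX_FAILS_PER_ACCOUNT = 5   # lock the account after this many failures in the window
MAX_FAILS_PER_SOURCE = 20   # throttle the source address after this many failures
HONEYPOT_FIELD = "website"  # hidden form field; a browser user leaves it empty, bots tend to fill it


class LoginGuard:
    """Brute-force guard for a login form (point 1 of the thread)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self.fails_by_account = defaultdict(deque)
        self.fails_by_source = defaultdict(deque)

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the sliding window.
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, username, source, form):
        """Return None if the attempt may proceed, otherwise a rejection reason."""
        if form.get(HONEYPOT_FIELD):
            return "honeypot"
        now = self.clock()
        acct, src = self.fails_by_account[username], self.fails_by_source[source]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= MAX_FAILS_PER_ACCOUNT:
            return "account_locked"
        if len(src) >= MAX_FAILS_PER_SOURCE:
            return "source_throttled"
        return None

    def record_failure(self, username, source):
        now = self.clock()
        self.fails_by_account[username].append(now)
        self.fails_by_source[source].append(now)

    def record_success(self, username):
        # A successful login clears the account counter only; the source counter is kept.
        self.fails_by_account.pop(username, None)


def password_policy_errors(password, min_length=12):
    """Point 7 of the thread: return the policy rules the password fails."""
    checks = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (re.search(r"[a-z]", password), "a lowercase letter"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"\d", password), "a digit"),
    ]
    return [msg for ok, msg in checks if not ok]
```

The per-account lock is time-windowed rather than permanent because a permanent lock lets anyone who knows a username deny that user access; the per-source limit catches spraying across many accounts, which the account counter alone would miss.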

