[Vtigercrm-developers] Security?

Holbok István holbok at gmail.com
Tue Jul 1 15:50:53 GMT 2014


Hi Vtiger team,

If I can suggest something I would like to also give some data.

I manage several websites on my VPS and on shared hostings also. If the 
site uses online ads and more SEO, the site receives more attacks, mostly 
brute force login. The recorded brute force attacks on my sites in 80% 
use the word "admin" to try to login.
For example, one of my sites - from February of 2014 until now - 
received 407 brute force attacks and 127 IP addresses were blocked due to 
repeated brute force attacks during a small interval of time.
I also recorded a hack attack when 63 different methods were tried to hack 
the site from one IP address in one day during a few hours.

I think it is a big enough quantity to make vtiger CRM safer at the login.

And I think a safer way is to use different admin user names than the 
simple, well-known - and hardcoded - admin.

Kindest regards:
Istvan

Sincerely:

*Holbok István*

+3670-342-0900
*e-mail:* holbok at gmail.com
*SkyPe:* holboki

On 2014.07.01. 10:35, Zebra Hosting wrote:
> Alan,
>
> 2. Yes you can work around the admin issue but it should not be hardcoded
> in the installer.
> 3. Not much but everything helps. If a security hole has been found and
> published it is easier to do a search on "tiger" & "6.0" if all details
> are published. Agree it is minor but still. Same reason I don't show the
> generator meta tag in websites sources.
> 4. Agreed but don't forget all those people installing the CRM on public
> (web)servers.
> 5. Block them from accessing the login form and yes to all web forms,
> portal etc.
> 6. See 4. I can't expect all my users to use VPN. Curious how often that
> is used here.
>
> Bastiaan Houtkooper
> Zebra Hosting
>
>
>
>
> On 01-07-14 10:12, "Alan Lord" <alanslists at gmail.com> wrote:
>
>> On 01/07/14 08:43, Zebra Hosting wrote:
>>> Since the CRM is used to store a lot of personal data, I was wondering
>>> how secure vTiger is and if there are any extra options we could
>>> discuss.
>>>
>>> Let me start with a few points:
>>> 1. At the login I don't see something as simple as brute force protection.
>> +1
>>
>>> 2. The standard admin user cannot be changed, it needs another account
>>> and then needs to be deleted. Using standard admin usernames is bad
>>> practice.
>> In 5.4.0, as long as you had another admin user configured and you logged
>> in with the new admin user's credentials, you could remove the default
>> "admin" user. Does this not work in 6?
>>
>>> 3. Having the vTiger name and even the version number at the login
>>> screen makes it very easy for hackers.
>> I don't think this makes much difference frankly.
>>
>>> 4. It would be nice to have a black/whitelist to restrict access by IP.
>>> (yes I know htaccess could be used but I'm talking about average users)
>> This should be done at the network level not at the application layer.
>>
>>> 5. Use the http://www.projecthoneypot.org/ project to ban access at the
>>> gate for spammers. (Works so very well in Joomla, I don't need to use
>>> captchas anymore )
>> vtiger doesn't really have a public "form" as such so I don't see the
>> need for this? Maybe for the Customer Portal yes?
>>
>>> 6. Big warning in the installer to use https:// to encrypt the
>>> loginscreen pw.
>> This would only really be required if the CRM is visible from the
>> Internet without going through a VPN surely?
>>
>>> 7. Minimum password length/complexity
>> +1
>>
>> Al
>>
>>
>> _______________________________________________
>> http://www.vtiger.com/
>

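As an added illustration (not code from this thread or from vtiger), a small Python check over a constructed login log in an assumed `LOGIN FAIL user=... ip=...` format. It flags source IPs that repeat failures within a short interval, the pattern behind the blocked addresses Istvan describes, and measures what share of failures target the well-known `admin` name:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not vtiger's real log output).
SAMPLE_LOG = """\
2014-06-30 02:10:01 LOGIN FAIL user=admin ip=198.51.100.7
2014-06-30 02:10:03 LOGIN FAIL user=admin ip=198.51.100.7
2014-06-30 02:10:04 LOGIN FAIL user=admin ip=198.51.100.7
2014-06-30 02:10:06 LOGIN FAIL user=administrator ip=198.51.100.7
2014-06-30 02:10:08 LOGIN FAIL user=admin ip=198.51.100.7
2014-06-30 02:11:00 LOGIN FAIL user=admin ip=203.0.113.9
2014-06-30 02:40:00 LOGIN FAIL user=admin ip=203.0.113.9
2014-06-30 09:00:00 LOGIN OK user=istvan ip=192.0.2.10
2014-06-30 09:05:00 LOGIN FAIL user=istvan ip=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse(log):
    """Yield (timestamp, outcome, user, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_bursts(log, threshold=4, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failed logins inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for ts, outcome, _user, ip in parse(log):
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def default_admin_share(log):
    """Fraction of failed logins that target the default 'admin' username."""
    fails = [u for _ts, outcome, u, _ip in parse(log) if outcome == "FAIL"]
    if not fails:
        return 0.0
    return sum(1 for u in fails if u == "admin") / len(fails)
```

Lowering the threshold or widening the window trades fewer missed slow attackers for more false positives from users mistyping a password.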