<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Vtiger team,<br>
<br>
If I can suggest something I would like to also give some data.<br>
<br>
I manage several websites in my VPS and in shared hostings also.
If the site uses online adds and more SEO the site receives more
attacks mostly brute force login. The recorded brute force attacks
in my sites in 80% use word "admin" to try login.<br>
For example in one of my sites - from February of 2014 until now -
received 407 brute force attacks and 127 IP address was blocked
due to repeated brute force attacks during the small interval of
time.<br>
I also recorded a hack attack when 63 different method was tried
to hack the site from one IP address in one day during a few
hours.<br>
<br>
I think it is enough big quantity to do vtiger CRM more safe at
the login.<br>
<br>
An I think more safer way to use different admin user names then
the simple, well known - and hardcoded - admin.<br>
<br>
Kindest regards:<br>
Istvan<br>
<br>
<div class="moz-signature">üdvözlettel:<br>
<br>
<b>Holbok István</b><br>
<br>
+3670-342-0900<br>
<b>e-mail:</b> <a class="moz-txt-link-abbreviated" href="mailto:holbok@gmail.com">holbok@gmail.com</a><br>
<b>SkyPe:</b> holboki<br>
<br>
</div>
2014.07.01. 10:35 keltezéssel, Zebra Hosting írta:<br>
</div>
<blockquote cite="mid:CFD83E2A.24071%25support@zebrahosting.eu"
type="cite">
<pre wrap="">Alan,
2. Yes you can work around the admin issue but it should not be hardcoded
in the installer.
3. Not much but everything helps. If a security hole has been found and
published it is easier to do a search on ³tiger² & ³6.0² if all details
are published. Agree it is minor but still. Same reason I don¹t show the
generator meta tag in websites sources.
4. Agreed but don¹t forget all those people installing the CRM on public
(web)servers.
5. Block them from accessing the login form and yes to all web forms,
portal etc.
6. See 4. I can¹t expect all my users to use VPN. Curious how often that
is used here.
Bastiaan Houtkooper
Zebra Hosting
On 01-07-14 10:12, "Alan Lord" <a class="moz-txt-link-rfc2396E" href="mailto:alanslists@gmail.com"><alanslists@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 01/07/14 08:43, Zebra Hosting wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Since the CRM is used to store a lot of personal data, I was wondering
how secure vTiger is and if there are any extra options we could
discuss.
Let me start with a few points:
1. At the login I don¹t see something simple as brute force protection.
</pre>
</blockquote>
<pre wrap="">
+1
</pre>
<blockquote type="cite">
<pre wrap="">2. The standard admin user cannot be changed, it needs another account
and then needs to be deleted. Using standard admin usernames is bad
practice.
</pre>
</blockquote>
<pre wrap="">
In 5.4.0 as long as you had another admin user configured and you logged
in with the new admin users credentials you could remove the default
"admin" user. Does this not work in 6?
</pre>
<blockquote type="cite">
<pre wrap="">3. Having the vTiger name and even the version number at the login
screen makes it very easy for hackers .
</pre>
</blockquote>
<pre wrap="">
I don't think this makes much difference frankly.
</pre>
<blockquote type="cite">
<pre wrap="">4. It would be nice to have a black/whitelist to restrict access by IP.
(yes I know htaccess could be used but I talking about average users)
</pre>
</blockquote>
<pre wrap="">
This should be done at the network level not at the application layer.
</pre>
<blockquote type="cite">
<pre wrap="">5. Use the <a class="moz-txt-link-freetext" href="http://www.projecthoneypot.org/">http://www.projecthoneypot.org/</a> project to ban access at the
gate for spammers. (Works so very well in Joomla, I don¹t need to use
captcha¹s anymore )
</pre>
</blockquote>
<pre wrap="">
vtiger doesn't really have a public "form" as such so I don't see the
need for this? Maybe for the Customer Portal yes?
</pre>
<blockquote type="cite">
<pre wrap="">6. Big warning in the installer to use <a class="moz-txt-link-freetext" href="https://">https://</a> to encrypt the
loginscreen pw.
</pre>
</blockquote>
<pre wrap="">
This would only really be required if the CRM is visible from the
Internet without going through a VPN surely?
</pre>
<blockquote type="cite">
<pre wrap="">7. Minimum password length/complexity
</pre>
</blockquote>
<pre wrap="">
+1
Al
_______________________________________________
<a class="moz-txt-link-freetext" href="http://www.vtiger.com/">http://www.vtiger.com/</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
<a class="moz-txt-link-freetext" href="http://www.vtiger.com/">http://www.vtiger.com/</a>
</pre>
</blockquote>
<br>
</body>
</html>