OroCRM – Feature Requests: Login attempts log

This topic contains 2 replies, has 2 voices, and was last updated by  mkh 3 months ago.

    #73755

    mkh
    Participant

    Could not find any log of login attempts (successful or otherwise); it looks like it is not implemented, at least not in the community edition. IMO any web product must have this essential security feature, particularly for fail2ban integration, even if things like 2FA are left for the paid version. Otherwise someone will sooner or later write a bot that brute-forces its way into open OroCRM installations on the web, and it won’t give the product a good name.

Viewing 2 replies - 1 through 2 (of 2 total)
    #73791
    Artem Liubeznyi
    Keymaster

    Hi,

    We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

    To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.


    #73793

    mkh
    Participant

    We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

    Thank you for the information. I’ll look into implementing this log and possibly sending a mr once I have time.

    To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.

    (Sorry for changing the subject, but) I’d advise blacklisting remote addresses instead. Otherwise, once a login name appears in bots’ lists it becomes effectively unusable even though the user did nothing wrong.
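The two policies discussed in this thread (deactivating the account after N failed attempts, versus banning the source address) behave very differently when a bot hammers one username. The following is an added illustration, not OroCRM code and not part of either post: it writes login attempts as constructed log lines of a made-up format, applies a fail2ban-style filter (counting failures per source address) to those lines, and runs a constructed scenario through both policies. The log format, the class names and the scenario addresses (TEST-NET ranges) are all assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed log line format for this example (assumption: OroCRM does not
# emit such lines; a real implementation would choose its own fields).
LOG_FORMAT = "{ts} oro.security LOGIN {result} user={user} ip={ip}"

# Filter in the spirit of a fail2ban filter: only FAILURE lines match and the
# source address is captured (fail2ban filters use a <HOST> tag for this;
# a named group plays that role in plain Python).
FAILED_RE = re.compile(r"oro\.security LOGIN FAILURE user=\S+ ip=(?P<host>\S+)$")


def format_attempt(ts, user, ip, success):
    """Render one login attempt as a log line; both outcomes are logged."""
    result = "SUCCESS" if success else "FAILURE"
    return LOG_FORMAT.format(ts=ts, result=result, user=user, ip=ip)


def hosts_to_ban(lines, maxretry=5):
    """What fail2ban would derive from these lines: failures counted per
    source address, returning the addresses that reached maxretry."""
    failures = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("host")] += 1
    return {host for host, n in failures.items() if n >= maxretry}


class PerAccountLockout:
    """Deactivates the *account* after max_failures (the policy the EE
    feature in the thread is described as using). Constructed sketch."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, ip, password_ok):
        if user in self.locked:
            return "locked"          # even the real owner is refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class PerSourceBan:
    """Bans the *source address* after max_failures (the policy mkh argues
    for). Constructed sketch."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.banned = set()

    def attempt(self, user, ip, password_ok):
        if ip in self.banned:
            return "banned"
        if password_ok:
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.banned.add(ip)
        return "denied"


# Constructed scenario: a bot at 203.0.113.7 guesses alice's password five
# times, alice then logs in correctly from 198.51.100.20, and the bot tries
# once more.
SCENARIO = ([("alice", "203.0.113.7", False)] * 5
            + [("alice", "198.51.100.20", True), ("alice", "203.0.113.7", False)])


def run_scenario(policy):
    """Apply the scenario to a policy; return every outcome plus the log
    lines written along the way."""
    outcomes, lines = [], []
    for i, (user, ip, ok) in enumerate(SCENARIO):
        outcome = policy.attempt(user, ip, ok)
        outcomes.append(outcome)
        # The attempt is logged whatever the policy decided; a correct
        # password against a locked account is still a failed login.
        lines.append(format_attempt(f"2024-01-01T00:00:{i:02d}Z", user, ip,
                                    ok and outcome == "ok"))
    return outcomes, lines


if __name__ == "__main__":
    for policy in (PerAccountLockout(), PerSourceBan()):
        outcomes, lines = run_scenario(policy)
        print(type(policy).__name__, "-> alice's own login:", outcomes[5],
              "| bot's next try:", outcomes[6])
        print("  addresses the log-based filter would ban:", hosts_to_ban(lines))
```

Under PerAccountLockout alice's own correct login comes back "locked": the bot has turned the lockout into a denial of service against her. Under PerSourceBan she gets "ok" while the bot's next attempt is "banned". In both runs the log alone is enough for the filter to single out 203.0.113.7, which is the point of logging every attempt, successful or not, regardless of which in-application policy is chosen.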
