Login attempts log

Could not find any log of login attempts (successful or otherwise), looks like it is not implemented, at least not in community edition. IMO any web product must have this essential security feature, particularly for fail2ban integration, even if things like 2FA are left for paid version. Otherwise someone will sooner or later write a bot that brute-forces its way into open OroCRM installations on the web, and it won’t gonna give good name to the product.

Topic

[Artem LiubeznyiSpectator]

Hi,

We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.

[mkhMember]

We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

Thank you for the information. I’ll look into implementing this log and possibly sending a mr once I have time.

To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.

(Sorry for changing subject, but) I’d advise blacklisting remote addresses instead. Otherwise once login name appears in bots’ lists it becomes effectively unusable though user did nothing wrong.

[Author]

Replies