OroCRM Forums

Covering OroCRM topics, including community updates and company announcements.

This topic contains 2 replies, has 2 voices, and was last updated by  mkh 2 years, 1 month ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

  • #30027

    mkh
    Member

    Could not find any log of login attempts (successful or otherwise), looks like it is not implemented, at least not in the community edition. IMO any web product must have this essential security feature, particularly for fail2ban integration, even if things like 2FA are left for the paid version. Otherwise someone will sooner or later write a bot that brute-forces its way into open OroCRM installations on the web, and it won’t give a good name to the product.

  • #30029
    Artem Liubeznyi
    Spectator

    Hi,

    We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

    To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.

    #30030

    mkh
    Member

    > We are yet to develop the logging of login attempts, however we keep this feature in our roadmap since we last addressed security features in our 2.0 release. There is no specific implementation timeline yet though.

    Thank you for the information. I’ll look into implementing this log and possibly sending an MR once I have time.

    > To address your last point: Our aforementioned 2.0 EE release included a feature that automatically deactivates a user account after a certain number of unsuccessful login attempts, specifically to counter brute force attacks.

    (Sorry for changing subject, but) I’d advise blacklisting remote addresses instead. Otherwise once a login name appears in bots’ lists it becomes effectively unusable, though the user did nothing wrong.
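
The trade-off raised in the last reply, as an added example that is not part of the thread or of OroCRM's code: the same failed logins are scored once per account and once per remote address. The log format, sample lines and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not an OroCRM log format):
#   <ISO timestamp> login <success|failure> user=<name> ip=<address>
SAMPLE_LOG = """\
2020-01-10T08:59:00 login success user=sales ip=198.51.100.20
2020-01-10T09:00:01 login failure user=admin ip=203.0.113.7
2020-01-10T09:00:02 login failure user=admin ip=203.0.113.7
2020-01-10T09:00:03 login failure user=admin ip=203.0.113.7
2020-01-10T09:00:04 login failure user=sales ip=203.0.113.7
2020-01-10T09:00:05 login failure user=admin ip=203.0.113.7
2020-01-10T09:05:00 login failure user=admin ip=198.51.100.20
"""

def parse(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, _, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])

def evaluate(log, max_failures=3, window=timedelta(minutes=10)):
    """Return (accounts a per-account lockout would disable,
    addresses a per-address ban would block) for the same events."""
    per_user = defaultdict(int)    # consecutive failures per login name
    per_ip = defaultdict(deque)    # recent failure times per remote address
    locked, banned = set(), set()
    for line in filter(str.strip, log.splitlines()):
        ts, result, user, ip = parse(line)
        if result == "success":
            per_user[user] = 0     # a good login resets the account counter
            continue
        # Policy 1: deactivate the account after N failures, whoever sent them.
        per_user[user] += 1
        if per_user[user] >= max_failures:
            locked.add(user)
        # Policy 2: ban the source address after N failures inside the window.
        recent = per_ip[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            banned.add(ip)
    return locked, banned

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

On this sample the per-account policy disables `admin` because of traffic from 203.0.113.7, while the per-address policy blocks only that address and leaves the account usable from 198.51.100.20.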

The forum ‘OroCRM – Feature Requests’ is closed to new topics and replies.