Of course, one Administrator can build the best protections to avoid intrusion on your system, but if your users use always the same predictable passwords there’s no way out.
According to a Keeper Security study, here is a list of the most common passwords ever produced consciously by users:
But there’s more. If a user uses a “single word” included in any languages’ vocabulary, his password can be easily detected using the Dictionary attack.
It could be implemented thanks to a script that progressively tries all the words of all languages’ vocabulary. An approximate number of all words known in the world is 5,000,000 considering Chinese and Italian languages. But the list of most common words is lighter: it consists in a dictionary of 60-100,000 words.
How much time does a script take to test all of them to penetrate your system? Minutes.
It’s an easy but effective technique.
In order to protect your system against this kind of attack you should force users to have at least a number, a special character or an uppercase letter in their password.
A preventive test could be done here: Password Checker.
Thanks to a user of ours: Emma Roberts, we would like to suggest a Free Password Generator Tool: VPNMentor’s Secure Password Generator,
NEWS: the SugarCRM7 version of CRM Defender is available now!
For On Demand environment also!
Secure your SugarCRM 7 system:
What is actually a Brute-force Attack, and how can i protect my CRM system against it?
A Brute-force attack is the most simple way to try to access in a system without being authorized; but it’s effective. With this technique, an attacker has the mathematical certainty to find a way to go inside.
A Brute-force attack satisfies the following characteristics:
A Brute-force attack consists of an enormous continued repetition of attempts to find the right combination of user names and passwords.
It’s usually conducted by bots, automatic programs that replicates human enterings.
Like in every battle, there are some factors that could help the attacker while others help the defender; let’s focus on the first ones in order to strengthen the protections:
If the Crm Administrator uses “admin” as its username, half of the attacker’s job is already done, because it has only to try all the combinations of passwords with any length and any carachter.
If your CRM system location is predictable, like:
then the attacker knows where to intervene and how to set its automatic bots.
In case the attacker is an old workmate or a former employee, the CRM URL is obviously known. It’s “overkill” to change URL: think of the disorder that would be caused to the colleagues that should save the new link in their browsers or Apps.
But don’t worry; there are easier solutions.
One classical way to protect your system is to oblige your employees to use a strong password. You can easily set the password requirements in the Password Management panel in the admin page: https://support.sugarcrm.com/Documentation/Sugar_Versions/6.5/Ent/Administration_Guide/Password_Management/index.html
Please note that some of the settings showed in the previsious link are related to SugarCrm paid versions. You can always achieve that with custom development.
Instead of wasting precious energy, fighting against potential threats and trusting the procedures to ensure that employees adopt strong passwords and\or renew them often, you can introduce an automatic barrier that bans any potential intruder as soon as you exceed the maximum number of allowed attempts.
With a solution like CRM Defender there will be no way to hijack your system, because the Web Server itself, duly instructed by CRM Defender, will block intruders.
CRM Defender is now available on SugarOutfitters marketplace :
Get in touch there to get a free trial and experiment the package as you wish.
Feel free to open there a Support Case or contact us via the following form. We are here to help you to feel confident and secure about your SugarCRM and SuiteCRM system.
You can also contact us if you want any help testing your system against a brute-force attack, because we can simulate it for you.
In an increasingly connected world, where competitiveness is the dominant value, Data protection plays a crucial role. First of all it’s a must to keep a way to have back your data in case of emergency.
One of the key challenge for a Small Medium Business is to keep its own data as much safe as possible. And reducing the amount to invest in defense.
For a startup business the first target to reach is to survive but after reaching this out, it’s important to start thinking about the potential losses caused by a breach in the system.
Your CRM Data are vital for your business. To protect them is an obvious priority. No mather if your CRM runs on Premise or on a Cloud service: if someone tries to force your passwords, and you don’t take any countermeasure, soon or later, your CRM Data will at the mercy of the attacker.
But if you act properly there’s nothing to worry about.
The first thing in order to achieve that is to enforce users to use strong passwords or to generate them using autocreation tools.
You can also ask to your IT manager to ban some IP addresses from where suspicious attempts come. This require that you or your workmate keep an eye on potentially fraudulent login attempts tracking such behavior on your Server or on your Local Net proxy.
If you are on a hosted environment, you can use a tool like cPanel > IP Address Deny Manager:
This obviously requires that you are aware of which is the IP of the attacker, or its IP range. So it could take time to prevent further intrusions. Best choice is always to automate this flow; this will let your system protected even if the “IT Manager is on holydays”.
Another difficult task you can experience, if your system is accessed from a large set of IPs, potentially from different country, is to check for failed login attempts. To do so, one would need to check directly on the CRM log. But there is another problem: SugarCRM itself doesn’t allow you to know from where a suspicious attempt came.
I.e. a failed attempt on “admin” user would add on sugarcrm.log two rows like:
Fri Mar 3 19:00:00 2017 [-none-][FATAL] SECURITY: User authentication for admin failed Fri Mar 3 19:00:00 2017 [-none-][FATAL] FAILED LOGIN:attempts - admin
that is simply ineffective.