Alert for Failed Login


sandydonald
July 12th, 2010, 12:24 PM
Is there an alert for failed login attempts to the Web Interface?

Two reasons for wanting this:

1. I am accustomed to the Windows Server alert, which is a good reminder about security and the many attempts that are made to "get in".
2. A customer may fail to gain rightful access and not mention it, so there is a potential dissatisfied customer situation.

If such an alert is not currently available I would suggest it as future development.

Regards

Sandy

Support Team
July 12th, 2010, 02:27 PM
Hi,

Thanks for posting this.
We have an active feature request to have RangerMSP Web Interface login audits; however, it's still on our list. I've added a vote on your behalf, and copied your comments to the file for review by the Product Management Team. Thanks for the feedback.

Thanks again for the feedback.

Regards,
Rinat

lpopejoy
July 13th, 2010, 01:21 PM
Are logins "logged" anywhere?

Support Team
July 13th, 2010, 01:27 PM
Hi Luke,

In some cases we can pull information about Web logins. Should it be required please contact us by email to discuss the available options.

Regards,
Rinat

nattivillin
July 3rd, 2012, 04:18 PM
Any traction on this?

Support Team
July 4th, 2012, 06:02 AM
We have it filed. At this stage we do not have any related news to share.

nattivillin
July 5th, 2012, 01:12 PM
I am mostly concerned about the web interface.

As I read the latest news from big companies who have been hacked I often think of my own security. Here is an internet-facing software with almost every business client we have, with information like IP, passwords, license keys, etc.

I can't even tell if someone is trying to hack it, let alone if it has been hacked.

How far up the totem pole is security when you [commit] consider what to work on next? I know security isn't sexy, but it is very ugly when it goes south.

What would be the fallout if even one CommitCRM user is hacked? How safe would the rest of us feel, and how hard will it be to win back trust?

Support Team
July 5th, 2012, 01:57 PM
We spend a decent amount of resources in that direction. In regards to the Web interface and securing it - we strongly recommend that you use it with SSL (in case you don't). This way your password, and the entire communication, is encrypted end to end - from the browser to the server and vice versa.

nattivillin
July 5th, 2012, 02:12 PM
Still doesn't tell us if someone is trying to break in. A cheap $25 router logs bad login attempts. Even Windows 95 would tell you if you knew where to look.

I can't believe something as sophisticated as CommitCRM doesn't.

Support Team
July 5th, 2012, 02:23 PM
We do not disagree here. It wasn't implemented to prevent logging eating all your disk space (a common way to hack a system is to first put it out of space).
In any case, we do plan to support it in the future.
For example, in our coming release we support a new API model which is API over http/s. It also requires the caller to 'log in' programmatically and, based on a specific request for this, we are logging failed http call attempts.

racassel
July 23rd, 2013, 12:57 PM
You could use a program to email you the last 50 lines of a log file, like
http://cybernetnews.com/tail-command-windows/ however, I am unable to find any useful information in the CommitWebInterfaceLog file. It appears Cipher Name = success, but no IP address, username, nothing.

So, one could grind away at a competitor's CommitWeb, and not worry about detection, notification or lockout? +1 to bump this up on the "list"

Another +1 for adding basic record security. Nothing is private in CommitCRM Fat Client to new technicians. We have to give full access to all accounts to new techs who sometimes only last a few weeks. The web interface is useful for field lookup and input, but for day to day help desk operations, it's too limited. Please add basic record level security for users and groups.

The web interface seems to generate plenty of "logging" to fill up disk space by itself; with useful information in it, like username and IP address, I don't see how it could be much worse?

07/23/2013 02:38 PM SSL status: "before/accept initialization"
07/23/2013 02:38 PM SSL status: "before/accept initialization"
07/23/2013 02:38 PM SSL status: "SSLv3 read client hello A"
07/23/2013 02:38 PM SSL status: "SSLv3 write server hello A"
07/23/2013 02:38 PM SSL status: "SSLv3 write change cipher spec A"
07/23/2013 02:38 PM SSL status: "SSLv3 write finished A"
07/23/2013 02:38 PM SSL status: "SSLv3 flush data"
07/23/2013 02:38 PM SSL status: "SSLv3 write certificate A"
07/23/2013 02:38 PM SSL status: "SSLv3 write server done A"
07/23/2013 02:38 PM SSL status: "SSLv3 flush data"
07/23/2013 02:38 PM SSL status: "SSLv3 read finished A"
07/23/2013 02:38 PM SSL status: "SSL negotiation finished successfully"
07/23/2013 02:38 PM SSL status: "SSL negotiation finished successfully"
07/23/2013 02:38 PM Cipher: name = RC4-SHA; description = RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1; bits = 128; version = TLSv1/SSLv3;
07/23/2013 02:38 PM SSL status: "SSLv3 read client certificate A"
07/23/2013 02:38 PM SSL status: "SSL negotiation finished successfully"

REM: Modifying file TSGrinder.Exe to CommitCRMGrinder.Exe and targeting local competitor......throttle set to 5,000 attempts per hour.........loading RainbowDictonary Attack1.txt... Processing.......

racassel
July 23rd, 2013, 01:05 PM
In the meanwhile, you may want to exclude your CommitCRM server from Google spider searches with a robots.txt. A recent search for /files/cmtcustlogin.html turned up many listings.....WAY too many listings for IT companies that should be concerned with security.

racassel
July 23rd, 2013, 01:38 PM
To block your site from search spiders, create a text file robots.txt and place in your \CommitCRM\webinterface\files directory containing the text between the ======
===============
User-agent: *
Disallow: /
====================
More on robots.txt here: http://www.robotstxt.org/robotstxt.html

lpopejoy
July 24th, 2013, 08:45 AM
Check <removed* >. I think that's what you are looking for.

--

* Edited By Support Team:
Thanks! However, reference was removed for security reasons.

racassel
July 24th, 2013, 08:56 AM
Thank you Lpopejoy, I am still running V5.7, waiting with bated breath for the new release scheduled for next month. That feature is not available in 5.7. Humm, wonder what the secret is with that file location? Any junior tech should be able to root around and find it.....

lpopejoy
July 24th, 2013, 09:06 AM
Well... Any junior tech could root around and find any of it I guess. Is that a problem? Yeah, definitely get the updates.

BDTECHRob
July 25th, 2013, 05:30 AM
Hi Guys, I thought I would share a script I use to email the failed logon attempts to you. It will only email new attempts each time, as it logs each line of text scanned in the registry.
I have marked the lines you need to edit clearly, so you should all be able to work it out.
Copy and paste it to Notepad, and save it as a .vbs. MAKE SURE you execute it with administrative privileges or it won't be able to write to the registry.
Hope you enjoy:

' Scans a log file for the strings in arrTextToScanFor and mails any NEW
' matching lines. Progress (the file's creation date and the last line read)
' is stored under HKLM so each run only reports lines added since the last run.
Const cdoSendUsingMethod = "http://schemas.microsoft.com/cdo/configuration/sendusing", _
      cdoSendUsingPort = 2, _
      cdoSMTPServer = "http://schemas.microsoft.com/cdo/configuration/smtpserver"
Const ForReading = 1

Dim intStartAtLine, strFileCreateDate, i, strResults, strNextLine, strItem

'who are you mailing to?
strMailTo = "EMAILADDRESS GOES HERE"

'default email address the message will be from
strMailFrom = "EMAILFROMADDRESS GOES HERE"

'set SMTP email server address here
strSMTPServer = "MAILSERVER IP GOES HERE"

'full path to the file you wish to monitor
FileToRead = "\\SERVERNAME\<replace-with-the-path-to-the-failed-logins-log-file>"

Set WshShell = WScript.CreateObject("WScript.Shell")

'read where the previous run stopped; the keys do not exist on the first run,
' so read errors are ignored here and the two values simply stay empty
On Error Resume Next
strLastFileCheckedCreateDate = WshShell.RegRead("HKLM\Software\RDScripts\CheckTXTFile\CreateDate")
strLastFileLastLineChecked = WshShell.RegRead("HKLM\Software\RDScripts\CheckTXTFile\LastLineChecked")
On Error GoTo 0

Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set varFile = objFSO.GetFile(FileToRead)

'add more text to scan for by adding ,"item" to the array below
' for example, to search for two strings:
' array("text1","text2")
arrTextToScanFor = Array("Invalid User Name or Password","error")

strFileCreateDate = varFile.DateCreated

If CStr(strFileCreateDate) = CStr(strLastFileCheckedCreateDate) And IsNumeric(strLastFileLastLineChecked) Then
    'same file as the one checked last time: CONTINUE from where we left off
    intStartAtLine = CInt(strLastFileLastLineChecked)
Else
    'a new file has been created (or this is the first run): start at the top
    intStartAtLine = 0
End If

i = 0
Set objTextFile = objFSO.OpenTextFile(FileToRead, ForReading)
Do While Not objTextFile.AtEndOfStream
    If i < intStartAtLine Then
        'already reported on a previous run
        objTextFile.SkipLine
    Else
        strNextLine = objTextFile.ReadLine
        For Each strItem In arrTextToScanFor
            If InStr(LCase(strNextLine), LCase(strItem)) > 0 Then
                'NOTE: the whole log line is mailed exactly as written; anything
                ' the log records about the attempt goes into the email as well
                strResults = strNextLine & vbCrLf & strResults
                Exit For    'one hit per line is enough
            End If
        Next
    End If
    i = i + 1
Loop
objTextFile.Close

'remember this file and how far we got, for the next run
WshShell.RegWrite "HKLM\Software\RDScripts\CheckTXTFile\FileChecked", FileToRead, "REG_SZ"
WshShell.RegWrite "HKLM\Software\RDScripts\CheckTXTFile\CreateDate", strFileCreateDate, "REG_SZ"
WshShell.RegWrite "HKLM\Software\RDScripts\CheckTXTFile\LastLineChecked", i, "REG_SZ"
WshShell.RegWrite "HKLM\Software\RDScripts\CheckTXTFile\LastScanned", Now, "REG_SZ"
Set WshShell = Nothing

If strResults <> "" Then Call SendMail(strMailFrom, strMailTo, "CommitCRM Web Failed Logon alert", strResults)

'------------------------------------------------------------------------
'Function SendMail - email the collected lines via CDO
'------------------------------------------------------------------------
Function SendMail(strFrom, strTo, strSubject, strMessage)
    Dim iMsg, iConf, Flds

    '// Create the CDO objects.
    Set iMsg = CreateObject("CDO.Message")
    Set iConf = CreateObject("CDO.Configuration")
    Set Flds = iConf.Fields

    '// SMTP server configuration: send through the server set above.
    With Flds
        .Item(cdoSendUsingMethod) = cdoSendUsingPort
        .Item(cdoSMTPServer) = strSMTPServer
        .Update
    End With

    '// Message properties (taken from the arguments, not the globals).
    With iMsg
        Set .Configuration = iConf
        .To = strTo
        .From = strFrom
        .Subject = strSubject
        .TextBody = strMessage
    End With

    '// Send the message and report a failure instead of silently swallowing it.
    On Error Resume Next
    iMsg.Send
    If Err.Number <> 0 Then
        WScript.Echo "Mail send failed: " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Function

Support Team
July 25th, 2013, 09:56 AM
Thank you for sharing with the community.

nattivillin
March 5th, 2014, 11:07 PM
The script works, but it sends everyone's usernames and passwords.

Very dangerous.

nattivillin
March 6th, 2014, 07:11 AM
We didn't know this and had the alerts sent to our shared support email, and now everyone's passwords were exposed to 5+ people.
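
An added example, not code from any post in this thread: the same incremental scan as the VBScript above, but the matched lines are redacted before they are handed to the mailer, and a source IP with repeated failures is flagged instead of just relayed. The log line format, the field names and the password field are constructed assumptions, not the real CommitCRM log format.

```python
import re
from collections import Counter

# Constructed sample log (not real CommitCRM output). Assumption: the failed
# login line carries the submitted user name and password, which is what the
# thread reports the mailed alerts contained.
SAMPLE_LOG = """\
07/25/2013 05:30 AM Login OK: user=bob ip=198.51.100.4
07/25/2013 05:31 AM Invalid User Name or Password: user=alice password=Summer13! ip=203.0.113.7
07/25/2013 05:31 AM Invalid User Name or Password: user=alice password=Summer2013 ip=203.0.113.7
07/25/2013 05:32 AM Invalid User Name or Password: user=carol password=hunter2 ip=203.0.113.7
07/25/2013 05:33 AM Invalid User Name or Password: user=alice password=Summer2013! ip=203.0.113.7
"""

MATCH = "invalid user name or password"            # same trigger string as the VBScript
SECRET_RE = re.compile(r"(password|pwd|pass)=\S+", re.IGNORECASE)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def redact(line: str) -> str:
    """Blank the value of any password-like field before the line leaves the server."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)


def scan(text: str, start_line: int = 0, threshold: int = 3):
    """Scan from start_line onward (the VBScript's registry offset, kept by the caller).

    Returns (next_start_line, redacted_hits, ips_over_threshold). The hits are what
    would be mailed; the third value is the summary a tech actually needs."""
    lines = text.splitlines()
    hits, per_ip = [], Counter()
    for line in lines[start_line:]:
        if MATCH in line.lower():
            fields = dict(FIELD_RE.findall(line))
            per_ip[fields.get("ip", "?")] += 1
            hits.append(redact(line))
    alerts = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return len(lines), hits, alerts


if __name__ == "__main__":
    offset, hits, alerts = scan(SAMPLE_LOG)
    print("\n".join(hits))          # redacted lines, safe for a shared mailbox
    print("sources over threshold:", alerts)
    print("next run starts at line", offset)
```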

northwestmsp
September 23rd, 2017, 09:55 AM
Any updates on this? I feel like failed login attempt logging, minimum password complexity and/or automatic account locking is important for such a critical system.

Support Team
September 25th, 2017, 06:07 AM
Yes, there has been some progress. First, IIS can now be used for better and more secure SSL connections. In addition, starting with version 16 we've introduced the ability to enable 2FA with the Web interface, so hacking employee RangerMSP user credentials isn't enough. Besides, we have several other ideas here that should be added to future versions. Thanks!