 Security on Webuzo Log In to Increase (9 Replies, Read 9363 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
Hi,
today I was testing the Wordfence plugin on my WordPress, in particular the BAN IP function.

I have found maybe a BUG in that plugin but also an issue with Webuzo.
IF I BAN an IP manually in the Wordfence plugin and I have the performance setup active in Wordfence ... the banned IP will not see the Wordfence ban page but is redirected I don't know where in the VPS.

The issue with Webuzo is, in my case for two websites ... the banned IP is redirected to the Webuzo Default Page, which gives information to the BAD user about my admin panel (Webuzo) on my server, so a Hacker can now know I AM using Webuzo and can see where the log in page is, as it is shown on the Webuzo default page.

If that Hacker makes a robot guess the username and password, how can Webuzo defend from it?

  • I cannot BAN an IP only on the admin side BUT I have to ban it on the whole server and all websites
  • I cannot ban with a custom message which tells the user to contact support, for example
  • I cannot have two step verification
  • I AM not informed by email if someone has accessed the Webuzo Admin area.
So I think you should improve security. Also, if someone tries to access by guessing the password, are they banned temporarily from the Webuzo access area or can they continue to guess the password?



-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
Maybe for Two factor authentication it can be just an email with a link for direct access to the control panel.

So the user needs to put username and password into Webuzo and, if it is the first time they connect from that device, an email is sent to the user to allow the log in.

But maybe there is another problem in this case: Webuzo emails are not always delivered if they look like SPAM... so I don't know, maybe a system like Google Authenticator is better, or just the possibility to ban an IP only in the Webuzo admin access area and not on all websites of the server.. there should be more options under ban IP.

There should be a possibility to add a custom message for a single IP BAN or a multiple IP range BAN, and an option should be added for whether to ban an IP from the full server or just from one website or the Webuzo log in area.

There should also be a possibility to receive an email notification when an admin logs in.

Just suggestions for security.
What happens if, as in my case, I ban a hacker IP and this is redirected to the Webuzo default page, where the Hacker can now know the user is on the Webuzo control panel and also knows where the log in form is, because that page shows how to log in to the admin panel.

That Hacker was scanning the WordPress website and trying to do bad actions... now, as he is Banned, he sees the Webuzo Default page which also tells how and where to access the Webuzo admin area.

Sure, the Hacker doesn't have the password but can set a robot to try all usernames and passwords (Brute force log in) ... So the user will not know there is a robot that tries day and night to guess the password.

How does Webuzo manage this case? With what security controls? :)
Also, if the Hacker is able to log in, no email notification is sent, so the Hacker can do what he wants.

Tomorrow, if notification is added... If I log in to the admin Webuzo panel and want to expire all sessions of connected admins (the Hacker): if I just change the password, will the Hacker on another PC be logged out or can he continue to do dangerous actions?

This is security :)


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
webuzo_manager
Group: Member
Post Group: Elite Member
Posts: 268
Hi peopleinsideit ,

Quote
Maybe for Two factor authentication can be just an email with a link for direct access to the control panel.

We may introduce this feature with a future release of Webuzo.

Quote
Webuzo email are not always delivered if they looks like SPAM

Webuzo gives you an option to receive mails via an SMTP server instead of using PHPMail.

Quote
just the possibility to ban an IP only in the webuzo admin access area and not to all website of the server

This is not possible under the present circumstances, as an IP level block can only be done at a System Level.

Quote
Should be a possibility to add custom message for single IP BAN or multipe range IP BAN, should be added if ban an IP from the full server or just in one website or Webuzo log in area

This feature is on our TODO list and will be released in a future version of Webuzo.

Quote
Should be added a possibility to receive an email notification when an admin logged in.

We will discuss with our developers whether to implement this feature or not.

Quote
I ban an hacker IP and this is redirected to webuzo default page where Hacker can now know user are with Webuzo control panel and also know where the log in form is because is showed in that page how to log in in the admin panel.

If you ban an IP the user is blocked at a System level, so he won't be able to view any page or access your servers or Website. We can't take responsibility for any third party software you use to block IPs, as its implementation is beyond our control.

Quote
Sure Hacker don't have the password but can set a robot for try all username an password (Brute force log in) ... So user will not know there are robot who try day and night to guess password.

Yes, this is a serious issue, but for this the System admin should monitor access logs all the time for this purpose and take immediate action; as you keep your server up 24 hrs a day, you are responsible for this.

Edited by webuzo_manager : April 25, 2016, 5:45 am
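The "monitor access logs" advice above is easier to follow when it is automated. The following is an added example, not Webuzo's code: a sliding-window count of failed logins per client IP over constructed log lines (the line format, the IPs and the thresholds are assumptions; the thread does not show Webuzo's real log format), which also flags a success that arrives right after a burst of failures, the case the poster worries about.

```python
"""Sliding-window detection of password guessing against a panel login.

Added example, not Webuzo code. The log format below is constructed for
illustration: "<ISO timestamp> <client-ip> <FAIL|OK> user=<name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP hammers the admin account, a legitimate admin
# logs in from elsewhere, then the hammering IP finally succeeds.
SAMPLE_LOG = """\
2016-04-25T05:40:01 203.0.113.7 FAIL user=admin
2016-04-25T05:40:03 203.0.113.7 FAIL user=admin
2016-04-25T05:40:04 198.51.100.20 OK user=admin
2016-04-25T05:40:06 203.0.113.7 FAIL user=admin
2016-04-25T05:40:09 203.0.113.7 FAIL user=admin
2016-04-25T05:40:12 203.0.113.7 FAIL user=admin
2016-04-25T05:41:30 203.0.113.7 OK user=admin
"""

def parse_line(line):
    ts, ip, result, user = line.split()
    return datetime.fromisoformat(ts), ip, result, user.split("=", 1)[1]

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (flagged, suspicious_success).

    flagged: {ip: time at which it reached `threshold` failures inside `window`}
    suspicious_success: (time, ip, user) for successful logins from an IP
    that was already flagged, i.e. a possibly guessed password.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    suspicious_success = []
    for line in log_text.splitlines():
        when, ip, result, user = parse_line(line)
        q = failures[ip]
        if result == "FAIL":
            q.append(when)
            while q and when - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = when              # candidate for a temporary ban
        elif result == "OK" and ip in flagged:
            # Success after a burst of failures: notify the admin and review
            # the session, since the password may have been guessed.
            suspicious_success.append((when, ip, user))
    return flagged, suspicious_success
```

A firewall-level block (the only kind Webuzo offers, per the reply above) can be driven from `flagged`, while `suspicious_success` is the list worth emailing about.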
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
You can set SMTP, but when you save the SMTP settings no check is done that the SMTP settings are correct, so if you do it wrong you will be unable to recover your password or receive emails from Webuzo.

I don't know if this issue is now solved but it is a very bad thing. Before activating the SMTP settings, it should be checked that the SMTP log in credentials are correct.

Also I have tested in the past: IF I log in to Webuzo on one PC, then on another PC I log in and change the Webuzo password, the other PC session is not closed but can continue to do things and actions until the session expires. This is bad.

Quote
but for this System admin should monitor access logs all the for this purpose and take immediate action as you keep your server up 24 hrs a day you are responsible for this .

Take actions? As I told you, even if you change the Webuzo password active sessions are not closed. I cannot stay logged into Webuzo 24 h / 24 to see if something is wrong. For that reason there should be 2 Factor authentication and the possibility to activate email notification of access to Webuzo, of course with the possibility to disable it for those who don't want this.

So future improvements in security like Two factor authentication and fixing the log in expire issue will give more security to the control panel.
:-)

Thank you :)


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
webuzo_manager
Group: Member
Post Group: Elite Member
Posts: 268
Hi peopleinside,

Quote
Also I have tested in the past, IF I log in in Webuzo in a PC than in other PC i log in and change Webuzo password the other PC session is not closed but can continue to do things and action until session is not expired. This is bad.

This is because Webuzo implements Sessions on a Timeout basis, which is very efficient, fast and easy to use. I know you are talking about Google-like sessions where, if you change the password on one device, all devices get logged out.
We implement it this way because Webuzo isn't designed to be used by multiple users on multiple devices; it's intended to be used on a single machine, thus we don't implement universal sessions.

To increase the security of the Webuzo Panel you can do the following things :
  1. Keep your username and password secret; in this way the brute force attack will take a lot of time, and he has to know your Webuzo username before initiating an attack
  2. Generate a very random and long password so brute force will take a very long time, maybe years, depending upon your password length
  3. If you are managing a VPS you should have 24 hrs monitoring on your VPS; you can't leave everything to the System
  4. Disable SSH access to your server or set it to a random port which is hard to guess

Quote
You can set SMTP but when you save SMTP setting there are no done any check SMTP settings are correct so if you do wrong you will unable to recover your password or receive email from Webuzo.

We will check and verify if it is not working as intended.

Edited by webuzo_manager : April 25, 2016, 10:22 am
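The exchange above contrasts timeout-only sessions with sessions that die on a password change. The following is an added example, not Webuzo's code, of how a panel can keep its idle timeout and still log out every other device when the password changes: each account carries a credential generation counter that every session records at login, and a password change bumps it (the class names, the timeout value and the use of scrypt are assumptions for illustration).

```python
"""Sessions invalidated by a password change, on top of an idle timeout.

Added example, not Webuzo's code. A session stores the account's credential
generation at login; set_password() bumps the generation, so sessions opened
before the change fail validation on their next request.
"""
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60   # seconds; the timeout a pure timeout scheme would use

class Account:
    def __init__(self, username, password):
        self.username = username
        self.generation = 0            # bumped on every password change
        self.set_password(password)

    def set_password(self, password):
        # Per-account salt and a slow KDF (hashlib.scrypt, stdlib on Python 3.6+).
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.scrypt(password.encode(), salt=self.salt,
                                      n=2**14, r=8, p=1)
        self.generation += 1           # every existing session is now stale

    def check_password(self, password):
        cand = hashlib.scrypt(password.encode(), salt=self.salt, n=2**14, r=8, p=1)
        return secrets.compare_digest(cand, self.pw_hash)

class SessionStore:
    def __init__(self):
        self.sessions = {}             # token -> [account, generation, last_seen]

    def login(self, account, password, now):
        """Return a session token, or None on a wrong password."""
        if not account.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [account, account.generation, now]
        return token

    def validate(self, token, now):
        """Return the account if the session is live; drop it and return None
        when idle too long or opened before the latest password change."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        account, gen, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT or gen != account.generation:
            del self.sessions[token]
            return None
        entry[2] = now                 # refresh idle timer on activity
        return account
```

The device that performed the change is logged out as well; a real panel would re-issue that one session immediately after the change so only the other devices are cut off.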
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
Thanks, as far as I know it is not possible to customize (in my case) the username of Webuzo.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
fintec-mgmt
Group: Member
Post Group: Newbie
Posts: 9
Webuzo won't even accept complex passwords, and you guys are asking for 2 factor?

Webuzo won't accept special characters in the password.
Try a fresh install,
create a user with a pass starting with $
ex. $MyPass

You're done, you can't login anymore, you need to reinstall.
webuzo_manager
Group: Member
Post Group: Elite Member
Posts: 268
Hi fintec-mgmt,

Webuzo must have removed the special character from the password string; if you face this issue in future, try entering the password without the special character.
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
Quote From : nikhil.m May 31, 2016, 6:47 am
Hi fintec-mgmt,

Webuzo must have removed the special character from the password string , if you face this issue in future try entering the password without the special character.

I think this is very stupid and dangerous for security. This is the worst thing I have heard from Webuzo. Please allow special characters again!!!!


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394

Open source, web and security passionate
I noticed special characters are not removed from the Webuzo password, only the $ symbol, for a security reason with PHP, so if this one character is removed from the password for security purposes it's ok. Maybe now, above the password field, there should be a sentence which informs the user that $ is not supported in the password.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.