Bot Attack on my website's SuiteCRM installation

Dear Friends,

I am facing a situation of severe bot-attack on my website.

A huge number of targets are being created on a per-day basis, using the web-to-person form.

Kindly suggest a solution.

With thanks,

RK

Try adding google captcha on your form.

I haven’t tested it. But it may help you https://www.stackstar.com/blog/2014/01/add-captcha-to-sugar-crm-web-to-lead-forms


I normally block all IP addresses from anyone trying to fiddle with my website.

What I do is add a directive in .htaccess for each IP address that tries to do something harmful.

This is an example of what I have added at the end of my .htaccess file:

Order Deny,Allow
Deny from 5.56.16.20
Deny from 5.56.16.51
Deny from 5.62.156.241
Deny from 5.164.203.206

(the IP addresses above have all tried to do malicious actions)

etc…

For easier reading the IP addresses are ordered in a human readable form.

Normally these bots don’t use too many IP addresses so your task should not be too difficult.

The advantage of this method is that they just can’t get to your site. The disadvantage is that you have to regularly append the IP addresses to your .htaccess file (this can be easily automated: but I prefer to do it under my control and not just by my CMS or CRM automatically). Another advantage is that you may end up with a high number of IP addresses.


Until a non script kiddie starts proxy bouncing from a gajillion spoof hosts. htaccess method is an ongoing thing that you’ll have to do all the time. Recaptcha is a good deterrent for bots and you only have to configure it once.

Recaptcha is definitely a good method but malicious bots do not limit themselves to just submitting a form.

They may try other ways of hacking into your system so, in addition to things such as recaptcha’s, I prefer to keep them away. Always. It’s just my point of view.

No harm in defending on multiple fronts.

Maybe some of you might like to upvote this PR:

https://github.com/salesagility/SuiteCRM/pull/3291

It’s pretty simple but it would let us use Fail2Ban for a more consistent (and automatic) approach to this. Although it’s more oriented towards login attempts, it could easily handle other events as long as they are logged (with an IP address mentioned).

Dear amariussi and pgr,

I have found an alternative approach to this problem.

Could you please help me in evaluating this approach and building the solution for my website?

Here is the link: Preventing Web-to-Lead Spam Entries

amariussi and pgr, I solicit your help in building a correct JS file for this.

With thanks,

RK


@theachiever

The post you provided fully explains in detail all you have to do.

To summarise:

  1. grab all the javascript that is part of the form and put it in one separate file
  2. modify the file with the few suggested additions
  3. include the file in your html

So what part don’t you understand?

My comment: this will help make the form more secure. However I don’t think it will prevent spambots trying to attack your site so be prepared to add other solutions. Unfortunately one of the weaknesses of WebTolead forms is that they give away the address in which Suite/Sugar is installed. Fortunately SuiteCRM is quite secure, but there may be ways to attack it.
One extra solution would consist in creating an additional script that, in turn, under certain met conditions, calls the WebTolead script. I haven’t studied it but I think it should be feasible.

Dear amariussi,

Thanks for your quick response and endorsement of the solution prescribed over there.

I have understood the following parts/tasks with respect to FORM itself:

  1. Removal of JS from the W-T-P form
  2. Extracting the action statement
  3. Placing the hidden element
  4. Activating another field

However, it is JS part where I seek your help.

My on-page script currently has 4 functions:

  1. alphabets() -> contains the basic code to allow the insertion of alphabets/regular expressions only
  2. checkboxval() -> contains the code for validating checkboxes
  3. blog() -> contains the code to identify & store the blog the visitor has subscribed to
  4. submit_form() -> please check the code of this function as given below

    function submit_form()
    {
        if (typeof(validateCaptchaAndSubmit) != 'undefined')
        {
            validateCaptchaAndSubmit();
        }
        else
        {
            checkboxval();
            blog();
        }
    }

The problem I am facing is how to include the following section in this submit_form() properly:


--------------some code----------------
        if (req && document.getElementById('human').value == '55')
        {
            document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
            document.WebToLeadForm.submit();
            return true;
        }
        else
        {
            alert('Please provide all the required fields');
            return false;
        }
    }   // closes the outer if opened in the "some code" part above
    else
    {
        document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
        document.WebToLeadForm.submit();
    }

Kindly have a look.

I will later add function validateHuman() in JS.

With thanks,

RK


If you don’t post the whole code it will be hard to help you.

The code you posted doesn’t look like the one I have so I believe that you must have modified it. Can you please specify what modifications you made.

I don’t see the portion of code that checks required fields.

Additionally, I am not familiar with the function blog() that you have (does it return normally or does it perform something that may terminate execution?).

Dear amariussi,

Here is the complete code in the attachment.

Please download this file.

I am afraid that the availability of this code on the forum may lead to future attacks.

Would it be a good idea to delete this file once you have downloaded it?

Please let me know when you are done downloading.

Do you need the complete code of current Web-To-Person form too?

With thanks,

RK

I have downloaded it. I hope you removed references to your server.

Dear amariussi,

The reference to the server is currently contained in the form (HTML code). As you have also correctly stated:

Well, I cannot delete the previous attachment now, as 10 minutes have passed.

With thanks,

RK

Here is a snapshot of the web-to-person form on the live website.

With thanks,

RK

  1. How do you call submit_form? Have you left it as it was or have you modified it?
    It should be something like:

  2. Try doing the following:
    Make sure you have added this code somewhere:

Please note that the field human will be submitted to your form. You may use a hidden div instead of using a hidden input.

If you use this method you have to change the validateHuman() function to:

    function validateHuman()
    {
        document.getElementById('human').innerHTML = "55";
    }

and accordingly the portion of code that checks the value in the submit_form() function to:

    document.getElementById('human').innerHTML == '55'

and that you are calling the validateHuman() function somewhere where you have a required field. For example:

(this is only assuming that you have one of these fields as required. Use the correct names and values)

or:

(but, you have removed the check for required fields so this may not be what you are trying to achieve, otherwise you may add the call to the function that checks for required fields)

or, wherever you prefer, add:

    onchange="validateHuman();"

  3. Add these lines after the call to blog();

    .....
    .....
    blog();
    if (document.WebToLeadForm.AGREE.required == false && document.getElementById('human').value == '55')
    {
        document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
        document.WebToLeadForm.submit();
        return true;
    }
    else
    {
        return false;
    }

You also have to remove the action in the form tag.

I haven’t tested anything of this so excuse me if there are minor errors!
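Since the request in this thread is for a correct JS file, here is one complete script as an added example; it is not the thread's code and not SuiteCRM's. It implements the steps listed in the post above: a hidden 'human' field filled by validateHuman() on a real user interaction, a required-field check, and the form action set only at submit time so the CRM URL is absent from the HTML. The form is assumed to be document.WebToLeadForm with a hidden input of id 'human', and the required field names first_name, last_name and email1 are assumptions; the check itself is a pure function so it can be tested outside a browser.

```javascript
// Added example (not the thread's or SuiteCRM's code): one self-contained
// script for the web-to-lead page. Field names are assumptions.

// Fields that must be non-empty before the form may submit (assumed names).
const REQUIRED_FIELDS = ['first_name', 'last_name', 'email1'];
// Value validateHuman() writes into the hidden field, as in the thread.
const HUMAN_TOKEN = '55';
// Where the form really posts; deliberately kept out of the <form action>.
const CRM_ENTRY_POINT = 'http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture';

// Pure check, usable without a DOM: `values` maps field name -> current value.
// Returns { ok, missing, human } so the caller can report what is wrong.
function checkSubmission(values, required = REQUIRED_FIELDS) {
  const missing = required.filter((name) => !String(values[name] || '').trim());
  const human = values.human === HUMAN_TOKEN;
  return { ok: missing.length === 0 && human, missing, human };
}

// Collect the current values of the required fields and the 'human' field.
function readFormValues(form, required = REQUIRED_FIELDS) {
  const values = {};
  for (const name of required) {
    values[name] = form.elements[name] ? form.elements[name].value : '';
  }
  values.human = form.elements.human ? form.elements.human.value : '';
  return values;
}

// Runs from a real user interaction (change event on a required field); a
// bot that posts the raw HTML never executes it.
function validateHuman() {
  document.getElementById('human').value = HUMAN_TOKEN;
}

// Replacement for the on-page submit_form(): validate first, then set the
// action and submit only when the check passes.
function submit_form() {
  const form = document.WebToLeadForm;
  if (typeof validateCaptchaAndSubmit !== 'undefined') {
    validateCaptchaAndSubmit(); // captcha-enabled forms keep their own path
    return false;
  }
  if (typeof checkboxval === 'function') checkboxval();
  if (typeof blog === 'function') blog();
  const verdict = checkSubmission(readFormValues(form));
  if (!verdict.ok) {
    alert('Please provide all the required fields');
    return false;
  }
  form.action = CRM_ENTRY_POINT;
  form.submit();
  return true;
}

// Wire the handlers when running in a browser (no-op under Node).
if (typeof window !== 'undefined') {
  window.validateHuman = validateHuman;
  window.submit_form = submit_form;
  window.addEventListener('DOMContentLoaded', () => {
    const form = document.WebToLeadForm;
    if (!form) return;
    for (const name of REQUIRED_FIELDS) {
      if (form.elements[name]) form.elements[name].addEventListener('change', validateHuman);
    }
  });
}
```

The HTML side needs the form tag without an action attribute, a hidden input `<input type="hidden" id="human" name="human" value="">`, and a submit button that calls `submit_form()`. As noted earlier in the thread, all of this runs in the browser, so it raises the bar for form-filling bots but does not stop a client that posts to the entry point URL directly; a captcha or a server-side check remains necessary for that.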

Dear amariussi,

Can you drop any email ID of yours at the following temporary ID:

Oping1961@superrito.com

I will mail you the complete code of FORM, so that you could make observations.

Kindly have a look at the JPEG for what I have understood of your suggestion.

With thanks,

RK

Dear amariussi,

Just replied to you from a Gmail ID.

I cannot reply from the previous temporary email ID of that web service.

Please check your email.

With thanks,

RK

I don’t know if your website is using WordPress or not, but instead of using the SuiteCRM web-to-lead form, I use Gravity Forms to capture the lead on the front end; it has Google Captcha options and also honeypot spam filters. You can then use Zapier to integrate Gravity Forms with your SuiteCRM installation. It’s free and you can add and associate any fields you want between Gravity Forms and SuiteCRM. It’s a great solution! Plus it’s super easy to set up.


Hi P Stevens, does your SuiteCRM installation still work with Zapier? I have the latest version of SuiteCRM installed and it’s not… please let me know… If so, how did you get it to work?