How Difficult is It to Host Your Own SIP Based Dialer?

Insofar as security is concerned, there are a couple of key things you can do to tighten vicidial up a lot.

1. Change the password for the cron user. The username isn't the problem. The problem is that the password is like 1234 by default and it leaves it open to attack.

2. Don't use default ports. Make your router forward a nonstandard port so that people can't find the server.

3. Make sure your router password isn't the out-of-the-box default. Seems like a no-brainer, but I bet 90% of the time a Linksys router still has the blank user, password admin, or whatever the out-of-the-box default is, unchanged.

If you do those things, you can still be Denial of service attacked, but you're about as secure as you're going to get.

Thanks on the logic. It's odd though: in my code, for some reason the rtrim at the end isn't working. It doesn't affect the code working.

This is the easiest post function too, some of the others you have to query 2 or 3 dbs to get all the variables and use explode() on a couple of strings.

This is also the logic for a single dialer user. It gets more difficult when you have to poll the user name then find the user name to associate it with in vicidial and use separate lists for different things. This is mostly just how to do a simple curl.

Also, for this in sugar to post to vicidial, the EASY way to do it is go grab the Process Manager addon from sugarforge and run this as a custom script.

As an aside, an easy way to debug the function is fopen and fwrites of the posts before the curls output into a text file, then you can go back and make sure each step is firing and see the results it is attempting to post to look for logic or syntax problems, then cut out all the fwrite code at the end.

This is mostly just a placeholder for me also, until I go back in and rewrite a lot of this code using crontab and sql when I ditch the sugar interface. It was faster to get started using their code, but there is a lot I don't like about their code that I feel like can be done with less overhead and can be made to be more user friendly by just using pure java/php.

Like the above example works, however it could be done in a much simpler manner if all that was actually happening was a record was being made in a sql db, then 1 time a minute the server checked that database for new records and if any new records existed it pushed them into the dialer and marked the record as copied. There isn't a reason specifically it has to happen inside sugarcrm, crontab would do it with less overhead just as well. If it was happening that way, it could share user ID with vicidial, and automatically shove it in the correct list without all this trickery. It would be faster, less troublesome, etc.

The more you look at sugarcrm as a programmer, the more it looks like a lot of unnecessary overhead in functions you don't necessarily need.

Step 1 was make a working proof of concept.

Step 2 is rewrite the interface. It needs to be a lot more user friendly than it is now.

End of programming gibberish.
- - - - - - - - - - - - - - - - - -

He's referring to the base password in vicidial. It makes a user named cron with a default password of 1234 in the mysql. If you're not really bright and you leave it there, someone can go straight into the mysql and dump it and steal all the records then wipe the db.
 
I started a website yesterday (I did it in 15 minutes so it's not exactly superb) about the new crm/dialer.

It's at www.hoppercrm.com

Basically just explains where I'm at on it and what we're doing.

Beta slots will be open in a couple weeks if anyone is interested.
 
Nice thing about sql users is they can be restricted to only work locally or only from certain IP addresses pretty easily. If you restrict the user 'cron' to localhost (and a decent password), it is pretty secure.

Dan
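
The account restriction described in the posts above, written out as MySQL statements. This is an added example, not part of the original thread and not VICIdial's own code; the replacement passwords and the address 192.0.2.10 are placeholders, and which host rows exist on a given install is an assumption to be checked with the first query.

```sql
-- Added example. Run as an administrative MySQL user.

-- 1. See every account named 'cron' and which hosts may use it.
--    A row with host '%' means the account is usable from any address.
SELECT user, host FROM mysql.user WHERE user = 'cron';

-- 2. Replace the default password (1234) on the local account.
--    MySQL 5.7.6+ / MariaDB 10.2+ syntax; on older servers use:
--    SET PASSWORD FOR 'cron'@'localhost' = PASSWORD('...');
ALTER USER 'cron'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- 3. Record what the account is allowed to do before changing hosts.
SHOW GRANTS FOR 'cron'@'localhost';

-- 4. Only if step 1 listed a wildcard row: remove it, so the account
--    can no longer be reached from arbitrary addresses.
DROP USER 'cron'@'%';

-- 5. Only if another machine genuinely needs this account: create a
--    host-specific entry for that one address (192.0.2.10 is a
--    documentation placeholder), then re-issue the GRANT lines from
--    step 3 with the new host in place of 'localhost'.
CREATE USER 'cron'@'192.0.2.10'
  IDENTIFIED BY 'REPLACE_WITH_ANOTHER_LONG_RANDOM_PASSWORD';

-- 6. Verify: no account of any name should be left open to every host
--    or have an empty password. The password column differs by version
--    (authentication_string on newer servers, password on older ones).
SELECT user, host FROM mysql.user WHERE host = '%' OR host = '';
SELECT user, host FROM mysql.user WHERE authentication_string = '';
```

After the password change, the dialer's own configuration has to be updated with the new value, or its scheduled jobs will fail to connect.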
 
I think possibly the cron user is assigned to localhost from default, but it's still open to an injection attack even if restricted, if you know the password because data is being passed.

I validate and sanitize the data too, but you still have a vulnerability if someone ever figured out the ip, port, user, password, then knew the cron user had that default password.

Just one more box to check that shouldn't be open.
 
I started a website yesterday (I did it in 15 minutes so it's not exactly superb) about the new crm/dialer.

It's at www.hoppercrm.com

Basically just explains where I'm at on it and what we're doing.

Beta slots will be open in a couple weeks if anyone is interested.

I signed up for your newsletter. I am very excited to keep tabs on this. I think that you have something special here.

As a side note, once I signed up for the newsletter there was no indication that it was received. You may want to add some pop-up/splash screen to verify that it was received. If you didn't receive it, email is similar enough to my user name on here, please PM me and let me know.
 
I put an autoresponder to show success on there. I really wasn't kidding when I said I made that site in 15 minutes the other day. I just wanted to give something to start backlinking on and start adding content to. I haven't even made a CSS for it yet and it's just the 1 page.

Selling insurance, working on the code, not giving me much extra time to build websites. I'm working on other people's websites too, at the same time. Fixing to have to hire people to do some of the work.
 
I put an autoresponder to show success on there. I really wasn't kidding when I said I made that site in 15 minutes the other day. I just wanted to give something to start backlinking on and start adding content to. I haven't even made a CSS for it yet and it's just the 1 page.

Selling insurance, working on the code, not giving me much extra time to build websites. I'm working on other people's websites too, at the same time. Fixing to have to hire people to do some of the work.

You just need to sleep less to keep all these projects going. May I suggest no more than 3 hours a night? :biggrin:

Seriously though, I wasn't criticizing and hope it wasn't taken as such. I just figured feedback is always good when offered in a positive way. You clearly know tons more than I do about computers, although I do dabble some. Keep up the good work! CHEERS!!!
 
Nah, I don't even take criticism as criticism, if that makes any sense. I just didn't think about the notification when I was doing it. I'm glad someone pointed it out.

Suggestions to improve anything are always help, not criticism. This project itself is all off open source software also, so if people want to modify or suggest modifications or do them themselves, it could be added to the software if it would benefit others.
 