Mautic Security & Limiting Access

Hey everyone!

I am looking for documentation on how best to secure Mautic from outside access. I am unable to find any decent documentation on how best to secure the Mautic installation. I feel like having an article on this topic would be extremely beneficial to the Mautic community.

I’d like to lock down the ability to log in to Mautic. In WordPress land, there are plugins like “Login Lockdown” that will limit login attempts at the software level - after X number of login failures, the software will actually block that IP address. I am looking to do something similar with Mautic, maybe even limit logins by IP address. But with this added security, whatever I do, I want to make sure the tracking pixel, email assets, and landing pages are still accessible. I’d really only like to limit access to the login at: domain.com/s/login

I am running on a LEMP stack - I’d prefer not to lock things down at that level. It makes the most sense to lock login access down at the Mautic software level.

In my particular Mautic installation, only company employees will be logging into Mautic. I see that Mautic has the ability to allow customers to update their information, but that is not something we will be doing.

I really appreciate anyone who can help me better understand how to secure Mautic.

Thanks for the quick reply, @MxyzptlkFishStix. I was leaning toward a server-level block/whitelist and I think that’s what I’ll do.

On a side note, what files would/should I include on the whitelist?

I know the /s/login page - but are there other files and directories that should be included as well? The Mautic documentation on the security end is very sparse, at least from what I have been able to find.

If you have a URL that I should read, please send it my way.

Thanks again!!!

Hi, may I join as I have the same concern, how to secure Mautic installation?

Aside from having SSL on the site, does restricting access to a limited set of authorized IPs affect the data gathering from channels like email tracking? I already tried to restrict it from .htaccess but noticed that the Email Read statistics became zero.

Thanks a lot in advance.

[quote=17000:@raleigh]Hi, may I join as I have the same concern, how to secure Mautic installation?

Aside from having SSL on the site, does restricting access to a limited set of authorized IPs affect the data gathering from channels like email tracking? I already tried to restrict it from .htaccess but noticed that the Email Read statistics became zero.

Thanks a lot in advance.[/quote]
.htaccess rules cover the entire directory; don’t use them to secure it, or you’ll also lose access for people clicking on landing pages, the tracking pixel, etc.

SSL will only encrypt data transmission, it won’t protect you from brute force logins.
Limiting access to sensitive pages like the login page, dashboard, etc. by IP is the way to go.

Interesting. I have one workaround solution that I’m testing…

@ninjoan any news?? I have tried .htaccess but it didn’t work. And I couldn’t implement what @MxyzptlkFishStix suggested

I am also securing the email previews, since they are not part of the /s/ URL and can thus be accessed even when not logged in.

    <Location /email/preview>
        # AllowOverride is only valid inside <Directory>; Apache rejects it in <Location>, so it is left out here
        Order Allow,Deny
        Allow from SOME_TRUSTED_IP
        # Apache 2.4 equivalent of the two lines above: Require ip SOME_TRUSTED_IP
    </Location>

Best,
D

Hi,
Can you share your solution ?
Did you modify your apache conf or your .htaccess ?

Thanks

Hi folks
Do you know if a brute-force attack plugin is coming, or something else that prevents massive login attempts on the login page? Restricting the login page to a certain IP range is not an option for me.
Thank you!
Regards
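As an added example that is not from this thread or from the Mautic project, the nginx server block below shows the server-level approach discussed above for the LEMP stack the original poster runs: /s/ (login, dashboard) and the email previews are limited to a trusted range, the login form is additionally rate-limited for the case where an IP range is not an option, and the tracking pixel, landing pages and email assets stay open. The docroot, PHP-FPM socket, hostname, certificate paths and the 203.0.113.0/24 range are placeholder assumptions.

```nginx
# Added example, not from the thread: nginx (LEMP) server block for Mautic.
# Assumptions: docroot /var/www/mautic, PHP-FPM on unix:/run/php/php-fpm.sock,
# 203.0.113.0/24 as a placeholder for the company's trusted address range.
# 5 requests/minute per client IP: fine for a human, starves a guessing loop.
limit_req_zone $binary_remote_addr zone=mautic_login:10m rate=5r/m;
server {
    listen 443 ssl;
    server_name mautic.example.com;                     # placeholder
    ssl_certificate     /etc/ssl/mautic/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/ssl/mautic/privkey.pem;
    root /var/www/mautic;

    # The whole admin UI (login, dashboard, contacts, ...) lives under /s/.
    # Only trusted addresses may reach it; everyone else gets a 403.
    location ^~ /s/ {
        allow 203.0.113.0/24;
        deny  all;
        try_files $uri /index.php$is_args$args;
    }

    # Exact match beats the prefix above, so the login form gets its own block
    # with the throttle. Without a usable IP range, drop allow/deny here and in /s/.
    location = /s/login {
        allow 203.0.113.0/24;
        deny  all;
        limit_req zone=mautic_login burst=5 nodelay;
        try_files $uri /index.php$is_args$args;
    }

    # Email previews sit outside /s/ and are otherwise public; lock them too.
    location ^~ /email/preview {
        allow 203.0.113.0/24;
        deny  all;
        try_files $uri /index.php$is_args$args;
    }

    # Tracking pixel/script, landing pages, email assets etc. stay world-reachable.
    location / {
        try_files $uri /index.php$is_args$args;
    }
    # "internal" means /index.php is reachable only via the try_files redirects
    # above, so /index.php/s/login cannot be used to skip the allow/deny checks.
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        internal;
    }
    location ~ \.php$ { return 404; }   # no other PHP file is served directly
}
```

Run `nginx -t` after editing and check the email-open statistics still move, which confirms the tracking pixel was left outside the restricted locations.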