How to prevent ERPNext from Hackers

lubem · May 6, 2023, 2:53am

Hello guys.
how do you prevent Erpnext App from hackers when hosted on live server?
common questions ask by customers

NCP · May 6, 2023, 6:01am

To prevent ERPNext App from being hacked when hosted on a live server, you should keep it and its dependencies up to date, use a secure hosting provider, use strong passwords and two-factor authentication, limit access to the system, use a firewall, and monitor for suspicious activity. By following these measures, you can significantly reduce the risk of a successful attack.

Thank You!

willspenc · May 6, 2023, 9:43am

Hi @lubem

If I may add to @NCP 's good suggestions. More specifically about the firewall…
Some of the manual installation methods of ERPNext leaves the database ports open.
If you do not require them to be open, then you could do well to close them.

Disclaimer about my next comment : I am not a hacker-security-expert.
Comment:
Long time ago, I did play , very briefly , with some “hacking software” . This was done mainly
to check the firewalls I had setup on a server. It did seem as if the lack of a ping-response
slow things down for a hacking process. I DID NOT test this scientifically. This however does
impact on network monitoring software like Nagios.

Something which I am currently playing around with , is a VPN. Last year some time, I did
put in a VPN on my one server and I Could access it via the internal IP through the VPN.
So to access the system, you would have to have the required .ovpn file. NB that was on a single
instance system. And this is what I am wanting to test is : how this would work on a
multi-tennant system (sub-domains). I suspect one would add domains to your local hosts file
and then add those to your sites with “bench”. But this needs to be tested.

Also, having an SSL certificate would encrypt your traffic. But I assume you already have that ?

Another thought if I may…
If, like @NCP suggested, you put up a firewall, the ports that should be open are…
22,443,8000 ( 443 -assuming you have SSL-cert) and you need the SSH port for backend
access. Instead of keeping your SSH port at 22, you can make it non-standard. NB. Be carefull
when you do this. If you miss something, you could lock yourself out.

Just some thoughts that I am adding to the list …

snv · May 6, 2023, 11:43am

Why keep port 8000 open? I’d recommend against it.

fkardame · May 7, 2023, 1:14pm

it should be port 80 instead of 8000

snv · May 7, 2023, 1:33pm

Yes, primarily for redirecting HTTP traffic to HTTPS.