Many members in this community rely on DIY to deploy their production instances of ERPNext. Some know what they are doing and have knowledge about Linux and securing servers, etc., and that's awesome, but others have minimal knowledge when it comes to Linux and server patching, upgrading, and securing. You can see that if you follow posts in here from people seeking help with upgrading, installing, and dealing with basic errors. You will see logs of systems that have never been patched, vulnerable libraries, lack of SSL, etc. They even leave their public IP in the error logs. It makes you really wonder, especially with a product like an ERP that handles sensitive information.
The ERPNext team did a great job simplifying the installation and updating process; however, ERPNext is only as secure as the server it is deployed on, so when your instance is working and there has been no breach yet, that doesn't mean everything is fine.
All I'm saying is, if you are going to host your own instance, learn the basics of Linux and securing servers, or at least hire a freelancer to do the initial installation, securing, and patching.
I'm not a provider and I don't offer any kind of freelance work either. I'm only posting this because I don't want those who deployed their production ERPNext without knowing exactly what they are doing to blame ERPNext as a product when s*** hits the fan.
I agree with this. Whilst the installer does install the latest versions of most packages and also creates a new user specifically for bench, things like the firewall, a better SSH daemon config, and having fail2ban are essential for security.
There's a pretty good blog post regarding what you should do in the first 10 minutes of booting up a server (Ubuntu in this case, but it applies to any server):
It comes down to these things:
Set up SSH key authentication and remove password authentication and root login
Change the SSH port from 22 to something else to avoid automated attacks
Set up a firewall to allow only 80 / 443 / the SSH port for incoming / outgoing traffic
Set up fail2ban to automatically ban IPs that seem to be doing shady things
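The four steps above as one script, added here as an example; it is not code from this thread, from the linked blog post, or from the ERPNext/bench project. It assumes an Ubuntu host (20.04 or later, so sshd reads drop-ins from /etc/ssh/sshd_config.d/) where nginx serves ERPNext on 80/443, a non-root admin user named frappe who already has a public key in authorized_keys, and SSH moved to port 2222. The port, the user name and the file paths are assumptions to change for your own host. By default it only prints the configuration it would write; run it as root with APPLY=1 to apply it.

```shell
#!/bin/sh
# Added example, not code from the thread or from ERPNext/bench.
# Renders and (optionally) applies the first-boot hardening steps for an
# Ubuntu host that serves ERPNext through nginx on 80/443.
# SSH_PORT and ADMIN_USER are assumed values: change them before applying.
SSH_PORT="${SSH_PORT:-2222}"
ADMIN_USER="${ADMIN_USER:-frappe}"

# Steps 1 and 2: key-only authentication, no root login, non-default port.
# sshd keeps the first value it sees for each keyword, and Ubuntu includes
# sshd_config.d/*.conf at the top of sshd_config, so a drop-in wins.
render_sshd_config() {
  port="$1"
  cat <<EOF
Port ${port}
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Step 3: default deny inbound, rate-limited SSH on the new port, and
# HTTP/HTTPS for nginx. Outbound is left open here (a choice, not from the
# post) because bench update fetches from GitHub and PyPI.
render_ufw_commands() {
  port="$1"
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${port}/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# Step 4: fail2ban jail for sshd, told about the non-default port so it
# actually matches the log lines it is supposed to act on.
render_fail2ban_jail() {
  port="$1"
  cat <<EOF
[sshd]
enabled = true
port = ${port}
maxretry = 5
findtime = 10m
bantime = 1h
EOF
}

# Lockout check: refuse to turn off password authentication until a public
# key is actually present in the given authorized_keys file.
has_authorized_key() {
  keyfile="$1"
  [ -s "$keyfile" ] && grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) ' \
    "$keyfile"
}

# Order matters: open the new port in the firewall and validate the sshd
# config with `sshd -t` before sshd is restarted. Keep this session open and
# confirm you can log in on the new port from a second terminal first.
apply_hardening() {
  keyfile="/home/${ADMIN_USER}/.ssh/authorized_keys"
  if ! has_authorized_key "$keyfile"; then
    echo "no public key in ${keyfile}; refusing to disable password auth" >&2
    return 1
  fi
  render_sshd_config "$SSH_PORT" > /etc/ssh/sshd_config.d/99-hardening.conf
  sshd -t || return 1
  render_ufw_commands "$SSH_PORT" | sh -e
  render_fail2ban_jail "$SSH_PORT" > /etc/fail2ban/jail.d/sshd.local
  systemctl restart fail2ban
  systemctl restart ssh
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_hardening
else
  # Dry run: show what would be written.
  render_sshd_config "$SSH_PORT"; echo
  render_ufw_commands "$SSH_PORT"; echo
  render_fail2ban_jail "$SSH_PORT"
fi
```

Two caveats a practitioner will want. In a production bench, nginx is the only thing that needs to be reachable from outside, so 80 and 443 are the only application ports the firewall has to admit; the backend processes behind nginx listen on their own ports but only need to be reachable locally, and this script does not open them. On Ubuntu releases that socket-activate sshd (22.10 and later), the Port directive in sshd_config does not move the listener by itself; the ssh.socket unit has to be changed as well, so test the new port before closing 22.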
@vjFaLk and the beauty of this is that many people have put it all together in simple Ansible playbooks to automate all these steps. I'll share my script with the community after I add comments to it, so people who have no idea will understand more when it runs.
@luckyismail We are not talking about a general failover strategy; we are talking about security by design. Even for the failover backup strategy, as you said, in a bad deployment a compromised host will allow the attacker to reach the backup and destroy it even if it was in Dropbox (good security by design will avoid such a thing). Also, the nature of the information in something like an ERP system is sensitive, so even if you have a backup of it, you don't want it to be out in public.
If you are a malicious person, I swear to you, you can just use the search feature in this forum and fish for your targets based on their posts.
@vjFaLk and @CharleyFBD, thank you for the great resources. I am a newbie and just wanted to ask if these tutorials have anything conflicting with ERPNext, like default ports used by ERPNext being closed when setting up security, or any other errors? And since this is an old post, have you guys found any better articles on the said topic? Thank you.