You are putting yourself and your data at risk

Many members in this community rely on DIY to deploy their production instances of ErpNext, some knows what they are doing and have knowledge about linux and securing servers … etc and thats awesome, but others have minimalistic knowledge when it comes to linux and server patching, upgrading, and securing. You can see that if you follow post in here for people seeking help in upgrading, installing and dealing with basic errors. You will see logs of systems that never been patched, vulnerable libraries, lack of ssl … …etc. they even leave their public ip in the error logs … it makes you really wonder especially with product like erp that handles sensitive information.

ErpNext team did a great job simplifying the installation and updating process; however, ErpNext is only as secure as the server thats is deployed on, so when your instance is working and no breach yet doesn’t mean everything is fine.

All I’m saying is if you are going to host your own instance learn the basics of linux and securing servers, or at least hire a freelancer to do the initial installation, securing, and patching

I’m not a provider and also I don’t offer any kind of freelance, I’m only posting this because I don’t want those who deployed their production erpnext without knowing exactly what they are doing to blame ErpNext as a product when s*** hit the fan.

17 Likes

@ganas adding one more point.
Activate dropbox or any alternative backup so when update fails/ server crash you can easily restore your backup.

Regards,
Sambhaji Kolate,

3 Likes

I agree with this. Whilst the installer does install the latest versions of most packages and also creates a new user specifially for bench, things like the firewall, having a better SSH daemon config, having fail2ban are essential for security.

There’s a pretty good blog post regarding what you should do in the first 10 mins of booting up a server (Ubuntu in this case, but it applies to any server) :

It comes down to these things :

  • Setup SSH Key Authentication and remove password authentication and root login
  • Change SSH port from 22 to something else to avoid automated attacks
  • Setup firewall to allow only 80 / 443 / SSH Port for incoming / outgoing traffic
  • Setup fail2ban to automatically ban IPs that seem to be doing shady things
17 Likes

@vjFaLk and the beauty of this is many people has put it all together in a simple Ansible Playbooks to automate all these steps. I’ll share my script with the community after I add comments to it so people who have no Idea will understand more when it runs

6 Likes

That sounds great! In fact, we can merge those into the installer itself.

8 Likes

Hi guys,

I was just setting up my own servers the other day and used this guide: https://www.inversoft.com/guides/2016-guide-to-user-data-security

A little more indepth than the codelitt one and also recommends two-factor authentication

4 Likes

Nothing is ultimately secure. That’s why proper backup-recovery scenario and routine security check on the system are required.

@luckyismail We are not talking about general failover strategy we are talking about security by design. Even for failover backup strategy as you said, in bad deployment a compromised host will allow the attacker to reach the back up and destroy it even if it was in dropbox (a good security by design will avoid such thing). Also the nature of the information in something like ERP system are sensitive, so even if u have back up for it you don’t want it to be out in public.
If you are a malicious person, I swear to you , you can just use the search feature in this forum and fish your targets based on their post :sweat_smile:

@CharleyFBD that was a great read

This is curious, I haven’t seen so many careless posts. Usually you can send PM to make the person aware and edit the post.

I’ve added the warning regarding unique data to the forum rules. That post is a wiki, so everybody is welcome to improve it.

1 Like

@vjFaLk and @CharleyFBD, thank you for the great resources. I am a newbie and just wanted to ask if these tutorials have anything conflicting with ERPNext like default ports used by ERPNext being closed in setting up security or any other errors? And since this is an old post, have you guys found any better articles on the said topic? Thank you.

The only ports that ERPNext needs open to everyone are 22 (SSH), 80 (HTTP) and 443 (HTTPS). That’s all. You don’t need any other ports unless you’re doing something else.

Thank you @vjFaLk. I am an amateur so kindly bear with me, which one is recommended, “Letsencrypt” or a paid SSL certificate?

Absolutely Let’s Encrypt. Also, bench has an inbuilt utility to setup lets encrypt really easily. There is virtually no difference between a Let’s Encrypt cert and a paid one.

5 Likes

Thank you once again :relieved: