Hello Everyone!
Intro
I run a small IT department for a furniture manufacturer and we're always striving to operate in an industry-leading best-practices capacity as we try to modernize our systems and make people's work lives easier and more efficient. This is especially true as it concerns our overall operational security! Starting last year and continuing into this year, we've seen an absolutely unprecedented amount of high-profile ransomware cyber attacks on companies of all sizes. Small businesses especially are favored targets, making up more than half of ransomware attacks carried out in total! This is because companies of our size usually have overlooked and weak IT security practices, well NOT MY DEPARTMENT!!
We had this idea to create a list of absolutely required network ports in order for all functions of EspoCRM to function correctly, and maybe this can even serve as a living document moving forward. We constantly see bots and foreign IPs knocking at our door on our public VPN portal, and we also get bombarded with a good amount of email spam, so to that end we take our network security very seriously. We try to keep our footprint on the public Web as minimal as possible by keeping our router/firewall appliance as locked down as we can make it, and the internal firewalls on our LAN-based servers and web applications are no exception!
I'm targeting November 1st for a final Production deployment of EspoCRM for my company. It'll be deployed on an up-to-date Ubuntu LAMP-stack on-premise VM, and will be accessed by in-house local users as well as remote users over our VPN. I essentially want this VM as hardened as possible, so we'll build a table here to start figuring this out at least as it pertains to my environment...
EspoCRM Local Network Ports
| Protocol | Port Number | Direction | Purpose |
|---|---|---|---|
| TCP | 22 | Ingress | Secure Shell (SSH) / Secure Copy Protocol (SCP) |
| TCP | 25 | Egress | Simple Mail Transfer Protocol (SMTP) |
| TCP/UDP | 53 | Egress | Domain Name Server (DNS) |
| TCP | 80 | Ingress/Egress | Hypertext Transfer Protocol (HTTP) |
| TCP | 143 | Egress | Internet Message Access Protocol v4 (IMAP4) |
| TCP/UDP | 389 | Egress | Lightweight Directory Access Protocol (LDAP) |
| TCP | 443 | Ingress/Egress | Hypertext Transfer Protocol Secure (HTTPS) |
| TCP | 465 | Egress | Simple Mail Transfer Protocol Secure (SMTP over SSL) |
| UDP | 514 | Egress | SysLog (we use Wazuh Agent, also free & open-source!) |
| TCP | 587 | Egress | Simple Mail Transfer Protocol (SMTP) Encrypted |
| TCP/UDP | 636 | Egress | Lightweight Directory Access Protocol over SSL (LDAPS) |
| TCP | 993 | Egress | IMAP4 over SSL (IMAPS) |
| TCP | 995 | Egress | Post Office Protocol v3 (POP3) |
| TCP/UDP | 5069 | Ingress/Egress | Session Initiation Protocol (SIP) |
Now since our database is local to the VM EspoCRM is running on, I don't think there's any need to open that up. We initially won't have VoIP enabled right away, as we're trying to migrate to another platform which will integrate well with the EspoCRM VoIP extension. We're also a Google Workspace environment (for now) and I believe all OAuth, Email, & Calendar communication simply talk through the Google API over HTTPS via the Google Integration extension, so I don't think I even need any email protocols enabled either? Haven't decided if we'll use Google API or local LDAP for authenticating our users yet, but we potentially won't need LDAP enabled either if we fully-utilize the Google API.
SO... Can anyone think of anything I might be missing here? We're essentially going to set the firewall on the LAMP server running EspoCRM to DENY ALL with the few necessary exceptions configured from my table above. We'll also configure which IP subnets the Ubuntu UFW will allow connections from, which will really only be the subnet our VPN users are on as well as our local LAN's subnet for in-house computers.
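As an added example (not from the original post or from the EspoCRM project), here is one way to turn the "DENY ALL plus a few exceptions, only from the LAN and VPN subnets" plan into a reviewable UFW rule set on the Ubuntu host. The script first prints the `ufw` commands it would run so they can be checked, and only applies them when invoked with `apply`. The two subnets are constructed placeholders; the port lists are trimmed to what the post says is actually needed (SSH, HTTP/HTTPS in; DNS, HTTPS for the Google API, and syslog to Wazuh out), and the script also denies outbound traffic by default, which is this example's choice rather than something the post prescribes. Add lines to the two lists if you later enable SMTP, IMAP, LDAP or SIP.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a default-deny UFW policy
# for an EspoCRM LAMP host that only admits the in-house LAN and VPN subnets.
# Subnet values are constructed placeholders; override via the environment.
LAN_SUBNET="${LAN_SUBNET:-192.168.10.0/24}"   # assumed: in-house LAN
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"       # assumed: VPN client pool

# Ingress services, one per line: "<port>/<proto> <label>".
# Each is allowed only from the two subnets above.
INGRESS_RULES="22/tcp SSH-SCP
80/tcp HTTP
443/tcp HTTPS"

# Egress services the host itself needs; everything else is dropped.
# 443/tcp covers the Google Integration extension and apt updates;
# 514/udp is the syslog feed to the Wazuh manager.
EGRESS_RULES="53/tcp DNS
53/udp DNS
443/tcp HTTPS-Google-API-and-updates
514/udp Syslog-Wazuh"

# Print the ufw commands without executing them, so the rule set can be
# reviewed (and diffed against the table) before it touches the firewall.
build_rules() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    echo "ufw default deny routed"
    echo "ufw logging on"
    printf '%s\n' "$INGRESS_RULES" | while read -r spec label; do
        port="${spec%/*}"; proto="${spec#*/}"
        for net in "$LAN_SUBNET" "$VPN_SUBNET"; do
            echo "ufw allow in from $net to any port $port proto $proto comment '$label'"
        done
    done
    printf '%s\n' "$EGRESS_RULES" | while read -r spec label; do
        port="${spec%/*}"; proto="${spec#*/}"
        echo "ufw allow out to any port $port proto $proto comment '$label'"
    done
}

# Run the generated commands and enable the firewall. Requires root and ufw;
# run "build_rules" first and read the output before using this.
apply_rules() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw is not installed" >&2; return 1; }
    build_rules | sh -e || return 1
    ufw --force enable
    ufw status verbose
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: only print the rule set
esac
```

Running the script with no argument prints 14 commands (4 defaults, 3 ingress rules for each of the 2 subnets, 4 egress rules); `sh harden-ufw.sh apply` executes them. The database port never appears because MariaDB/MySQL lives on the same VM and is reached over the loopback interface, which UFW allows regardless of the default policy.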
Feel free to share any specific or unusual port requirements for your respective environments, as they may help others in the community similarly harden their own CRM hosts. Any tips are also of course more than welcome!
I'm also curious if paid cloud deployments of EspoCRM handle network and port security in a similar fashion? And if there's any best-practices there that can be similarly applied to on-premise/self-hosted environments?
Hope this write-up isn't too long... THANKS!!!