SECURITY: All Required Network Ports Used by Typical EspoCRM Deployment?


  • SECURITY: All Required Network Ports Used by Typical EspoCRM Deployment?

    Hello Everyone!

    Intro
    I run a small IT department for a furniture manufacturer, and we're always striving to operate in an industry-leading, best-practices capacity as we try to modernize our systems and make people's work lives easier and more efficient. This is especially true as it concerns our overall operational security! Starting last year and continuing into this year, we've seen an absolutely unprecedented number of high-profile ransomware cyber attacks on companies of all sizes. Small businesses especially are favored targets, making up more than half of ransomware attacks carried out in total! This is because companies of our size usually have overlooked and weak IT security practices... well, NOT MY DEPARTMENT!!

    We had this idea to create a list of absolutely required network ports in order for all functions of EspoCRM to function correctly, and maybe this can even serve as a living document moving forward. We constantly see bots and foreign IPs knocking at our door on our public VPN portal, and we also get bombarded with a good amount of email spam, so to that end we take our network security very seriously. We try to keep our footprint on the public Web as minimal as possible by keeping our router/firewall appliance as locked down as we can make it, and the internal firewalls on our LAN-based servers and web applications are no exception!

    I'm targeting November 1st for a final Production deployment of EspoCRM for my company. It'll be deployed on an up-to-date Ubuntu LAMP-stack on-premise VM, and will be accessed by in-house local users as well as remote users over our VPN. I essentially want this VM as hardened as possible, so we'll build a table here to start figuring this out, at least as it pertains to my environment...

    EspoCRM Local Network Ports

    Protocol   Port   Direction        Purpose
    TCP        22     Ingress          Secure Shell (SSH) / Secure Copy Protocol (SCP)
    TCP        25     Egress           Simple Mail Transfer Protocol (SMTP)
    TCP/UDP    53     Egress           Domain Name Server (DNS)
    TCP        80     Ingress/Egress   Hypertext Transfer Protocol (HTTP)
    TCP        143    Egress           Internet Message Access Protocol v4 (IMAP4)
    TCP/UDP    389    Egress           Lightweight Directory Access Protocol (LDAP)
    TCP        443    Ingress/Egress   Hypertext Transfer Protocol Secure (HTTPS)
    TCP        465    Egress           Simple Mail Transfer Protocol Secure (SMTP over SSL)
    UDP        514    Egress           Syslog (we use Wazuh Agent, also free & open-source!)
    TCP        587    Egress           Simple Mail Transfer Protocol (SMTP) Encrypted
    TCP/UDP    636    Egress           Lightweight Directory Access Protocol over SSL (LDAPS)
    TCP        993    Egress           IMAP4 over SSL (IMAPS)
    TCP        995    Egress           Post Office Protocol v3 (POP3)
    TCP/UDP    5069   Ingress/Egress   Session Initiation Protocol (SIP)


    Now, since our database is local to the VM EspoCRM is running on, I don't think there's any need to open that up. We initially won't have VoIP enabled right away, as we're trying to migrate to another platform which will integrate well with the EspoCRM VoIP extension. We're also a Google Workspace environment (for now) and I believe all OAuth, Email, & Calendar communication simply talks through the Google API over HTTPS via the Google Integration extension, so I don't think I even need any email protocols enabled either? Haven't decided if we'll use Google API or local LDAP for authenticating our users yet, but we potentially won't need LDAP enabled either if we fully utilize the Google API.

    SO... Can anyone think of anything I might be missing here? We're essentially going to set the firewall on the LAMP server running EspoCRM to DENY ALL with the few necessary exceptions configured from my table above. We'll also configure which IP subnets the Ubuntu UFW will allow connections from, which will really only be the subnet our VPN users are on as well as our local LAN's subnet for in-house computers.

    Feel free to share any specific or unusual port requirements for your respective environments, as they may help others in the community similarly harden their own CRM hosts. Any tips are also of course more than welcome!

    I'm also curious if paid cloud deployments of EspoCRM handle network and port security in a similar fashion? And if there's any best-practices there that can be similarly applied to on-premise/self-hosted environments?

    Hope this write-up isn't too long... THANKS!!!
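Added example (mine, not part of the post above): a UFW script that implements the deny-all-with-exceptions policy the post describes, emitting the rules first so they can be reviewed before being applied. The LAN, VPN and admin subnets and the Wazuh manager address are placeholders I assumed, not values from the post; the mail and LDAP egress ports from the table are deliberately left closed, matching the point that the Google integration only needs HTTPS.

```shell
#!/bin/sh
# Added example (not from the forum post): build a default-deny UFW policy for a
# single on-prem EspoCRM LAMP VM from an allow-list. Subnets, the Wazuh manager
# address and the SSH admin range are assumed placeholders; adjust them.

LAN_SUBNET="${LAN_SUBNET:-192.168.10.0/24}"      # in-house workstations (assumed)
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"          # remote users on the VPN (assumed)
ADMIN_SUBNET="${ADMIN_SUBNET:-192.168.10.0/28}"  # IT staff allowed to SSH (assumed)
WAZUH_MANAGER="${WAZUH_MANAGER:-192.168.10.5}"   # syslog target, UDP 514 per the table (assumed host)

# build_rules: print one ufw command per line. Nothing is executed here.
build_rules() {
    # Default posture: drop everything in both directions, log what is dropped.
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw logging low"
    # Ingress: the web UI/API on 443 for LAN and VPN users only.
    for net in "$LAN_SUBNET" "$VPN_SUBNET"; do
        printf 'ufw allow in from %s to any port 443 proto tcp\n' "$net"
    done
    # SSH only from the admin range; 'limit' also throttles brute-force attempts.
    printf 'ufw limit in from %s to any port 22 proto tcp\n' "$ADMIN_SUBNET"
    # Egress: DNS, HTTP/HTTPS (apt mirrors, Google Workspace API, Let's Encrypt)
    # and syslog to the Wazuh manager. Add NTP (123/udp) if the VM syncs time
    # over the network; SMTP/IMAP/LDAP stay closed until actually needed.
    printf '%s\n' \
        "ufw allow out to any port 53 proto udp" \
        "ufw allow out to any port 53 proto tcp" \
        "ufw allow out to any port 80 proto tcp" \
        "ufw allow out to any port 443 proto tcp" \
        "ufw allow out to $WAZUH_MANAGER port 514 proto udp"
}

# apply_rules: execute the generated commands, then enable the firewall.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd || exit 1    # unquoted on purpose: each line is a command with arguments
    done || return 1
    ufw --force enable
}

# rule_count: number of commands in the policy (handy for a deploy-time sanity check).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;       # default: dry run, just show the rules
esac
```

Run it without arguments to review the rules, then `sudo ./ufw-espocrm.sh --apply` from a console session (not over SSH from outside ADMIN_SUBNET, or you lock yourself out). Because outgoing traffic is denied by default, anything else the host talks to (an NTP server, an internal mail relay, an LDAP server later) needs its own explicit `allow out` line.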

  • #2
    Hello,
    just with my English.. you only need to open 443 TCP.
    FTPS/SSH you can open via VPN.

    I have an EspoCRM accessible on port 443, and I have configured nginx to accept only "country IP".

    You must implement 2FA, restrict a max in nginx, and only open port 443.

    It's what I have done.

    Best Regards



    • #3
      Good to have another expert on the forum, Zosh!

      I'm using shared hosting by a hosting company at the moment (will probably look into self-hosting late next year once I'm more confident). As a security measure, we recently blocked all non-country IPs, as we only serve locally (no problem with the website yet).

      Secondly, we only use it within the business, so no portal access, which in theory reduces the chance of people knowing our website and trying to attack it.

      That doesn't mean we are safe at the moment, though; we use a firewall plugin on our website (WordPress) and it's always worrying seeing the weekly report that they send, for example: "probing for vulnerability: 5".

      I made a learning post here if anyone wants to block it like I do; it's probably similar to item's blocking, but nginx and Apache (htaccess) are slightly different: https://forum.espocrm.com/forum/gene...3878#post73878



      • #4
        Hello Zosh, you're right - security is a big thing. I'm more the guy who thinks "let's whitelist only what we have to allow" than "let's block what we don't need". EspoCRM is an open source project, but it's not too big for now, especially if we're talking about the developers who are behind it. So it's possible that there are some security holes that we don't know about yet. WordPress & WooCommerce are much bigger and they have security discoveries every few months(?).

        From my point of view you should only open port 443. It'll give access to everything: web GUI, API endpoint.

        Of course, if you're looking for security features, then EspoCRM has already implemented a lot of them. I even recorded a video about that (small advertisement). Here you have a list of features:

        - How to check security options in your EspoCRM?
        - How to setup LDAP server as authentication method?
        - How to define token lifetime?
        - How to allow only one session per user?
        - How to define max idle time for token?
        - How to enable 2FA?
        - How to force 2FA on regular users?
        - How to define length of generated passwords?
        - How to define minimum password length?
        - How to define amount of letters in password?
        - How to require upper and lower case in password?
        - How to define minimum amount of digits in password?
        - How to disable password recovery?
        - How to disable password recovery for admin users?
        - How to prevent email address exposure on password recovery form?
        - How to allow password recovery only for portal users, not internal?
        - How to allow for access to your EspoCRM only from trusted ip's?

        If you worry about your CRM, then the last feature (it's not actually in EspoCRM, but it's available on every web server). Once, someone even said that if you want something to be safe, disconnect it from the internet.

        I asked a few times for security features, even in 2018. It's getting better IMO. The most important change was the implementation of 2FA. I'm still looking for:
        1. reCAPTCHA on the login page
        2. Blocking bad logins after a few requests
        3. Logs for the API - maybe it was already implemented? Idk
        4. Possibility to define IP addresses for API user connections
        5. In Europe there is now a new law for banking, and in Poland for example we have to authorize a login from a new device with an SMS code. It would be great if a user, after logging in from a new device, had to enter, for example, a code from an email message.



        • #5
          Haaa, I forgot:
          as we have an HA datacenter at the office, I do what I want,
          so I have a VM that does only "reverse proxy"; it's a Debian nginx as reverse proxy.
          EspoCRM is on another VM.

          firewall:443 -> vm ssl reverse proxy:443 -> vm espocrm
          like this https://dzone.com/articles/nginx-rev...load-balancing



          • Zosh commented
            Interesting, I'm not familiar with this reverse proxy stuff. I will research this, thanks!!

        • #6
          item, same here, but I'm using HAProxy on my pfSense router



          • Zosh commented
            Nice!! We actually have plans to ditch our old bottleneck Cisco ASA for a Netgate 1537 and start down the pfSense road ourselves soon!

          • emillod commented
            Be careful, it's addictive :P

        • #7
          Alrighty, so are you guys telling me literally the only inbound port EspoCRM requires to function correctly is 443 for normal https web traffic?

          The web server our EspoCRM instance runs does indeed only accept connections from IPs our in-house and remote computers would connect from, and blocks all others.

          Currently our Cisco router/firewall doesn't seem to actually have the ability to block country IPs; either that, or it requires a license which we definitely don't have. This is certainly something we'll plan for on our next NGFW!
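Added check (mine, not from the thread): rather than taking "only 443 is needed" on faith, list what the VM is actually listening on and flag every socket reachable from the network that is not on the expected-port list. The script reads `ss` output; the sample output embedded below is constructed for the example, with MariaDB on loopback (fine), Apache on 80/443, sshd on 22 and a stray Redis on all interfaces.

```shell
#!/bin/sh
# Added example (not from the forum post): audit listening sockets against the
# ports the thread settled on. Works on real `ss -Hlntu` output or on the
# constructed sample below so it runs offline.

# Ports expected to be reachable from the LAN/VPN (assumed list: HTTPS and SSH).
ALLOWED_PORTS="${ALLOWED_PORTS:-443 22}"

# Constructed sample of `ss -Hlntu` output (columns: Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port). Not captured from a real host.
SAMPLE_SS='tcp   LISTEN 0 80    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0 511        *:80               *:*
tcp   LISTEN 0 511        *:443              *:*
tcp   LISTEN 0 128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:6379         0.0.0.0:*
udp   UNCONN 0 0      127.0.0.53%lo:53     0.0.0.0:*'

# is_allowed PORT: succeeds when PORT is in ALLOWED_PORTS.
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unexpected_listeners: read ss output on stdin; print "proto port" for every
# socket bound to a non-loopback address whose port is not on the allow-list.
unexpected_listeners() {
    awk '{ print $1, $5 }' | while read -r proto laddr; do
        addr=${laddr%:*}       # everything before the last ':' (IPv6 stays bracketed)
        port=${laddr##*:}      # everything after the last ':'
        case "$addr" in
            127.*|'[::1]'|::1) continue ;;   # loopback only: not reachable over the network
        esac
        is_allowed "$port" || printf '%s %s\n' "$proto" "$port"
    done
}

# audit_host: run against the live host (needs iproute2's ss).
audit_host() {
    ss -Hlntu | unexpected_listeners
}

# audit_sample: run against the constructed sample; prints "tcp 80" and "tcp 6379".
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
}

audit_sample
```

On the sample, port 80 is flagged because only 443 is on the list; if you keep Apache listening on 80 purely for the HTTPS redirect, add it via `ALLOWED_PORTS="443 22 80"`. Anything else that shows up (here the Redis on 6379) is either a service that should bind to 127.0.0.1 only or one that should not be running at all; the firewall from the first post would block it, but fixing the bind address removes the exposure even if a firewall rule is later loosened.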



          • #8
            Yes,

            for me, you need at the office:
            - a VM for DNS
            - a VM for the reverse proxy
            - a VM for EspoCRM
            - on the firewall -> open port TCP 443 -> VM reverse proxy (10.22.33.44)

            On the provider's DNS:
            ours.crm.com -> your fixed external IP

            On the internal DNS VM:
            ours.crm.com -> 10.22.33.44 = internal IP of the reverse proxy VM

            On the reverse proxy VM:
            install Let's Encrypt
            configure the domain name and redirect to -> VM espocrm (10.22.33.45)

            On the EspoCRM VM:
            IP sample: 10.22.33.45
            so when you upgrade or FTP: ssh blabla@10.22.33.45

            So you can only reach the other ports (SSH..) of the EspoCRM VM at the office by IP or by VPN.

            You always need a "reverse proxy", for different tuning/security, or for many instances of website/espocrm.

            One VM per database, so if you have 2 CRMs, 2 VMs.
            Last edited by item; 09-04-2021, 11:25 AM.
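Added example (mine, not item's actual configuration): a script that renders the nginx reverse-proxy site from the layout above (firewall:443 -> proxy VM -> EspoCRM VM), and folds in the two controls mentioned earlier in the thread: the trusted-subnet allow-list from posts #4 and #10 and a per-client request limit for the "restrict a max in nginx" point in post #2. `ours.crm.com` and `10.22.33.45` are the sample values from the post; the LAN/VPN subnets, the rate, and the Let's Encrypt certificate paths are assumptions. The country-IP filter from post #2 needs the nginx GeoIP module and is not included here.

```shell
#!/bin/sh
# Added example (not the poster's config): render the nginx reverse-proxy site for
# EspoCRM: TLS terminated on the proxy VM, only trusted subnets admitted, requests
# rate-limited per client, then forwarded to the EspoCRM VM over the internal LAN.

SITE_NAME="${SITE_NAME:-ours.crm.com}"            # public host name (sample value from the post)
BACKEND="${BACKEND:-10.22.33.45}"                 # EspoCRM VM (sample value from the post)
TRUSTED_NETS="${TRUSTED_NETS:-192.168.10.0/24 10.8.0.0/24}"  # office LAN and VPN subnet (assumed)
RATE="${RATE:-10r/s}"                             # per-client request rate (assumed)

# render_site: print the complete site configuration to stdout.
# nginx's own variables are escaped (\$) so the shell leaves them for nginx.
render_site() {
    allow_lines=""
    for net in $TRUSTED_NETS; do
        allow_lines="${allow_lines}    allow ${net};
"
    done
    cat <<EOF
# Generated by render_site; review, then: nginx -t && systemctl reload nginx
limit_req_zone \$binary_remote_addr zone=espocrm:10m rate=${RATE};

server {
    listen 80;
    server_name ${SITE_NAME};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${SITE_NAME};

    ssl_certificate     /etc/letsencrypt/live/${SITE_NAME}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${SITE_NAME}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the office LAN and the VPN subnet get as far as EspoCRM.
${allow_lines}    deny all;

    # Throttle each client; the burst absorbs a normal page load of assets.
    limit_req zone=espocrm burst=20 nodelay;

    location / {
        proxy_pass http://${BACKEND};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# install_site DIR: write the rendered site into DIR (default: nginx's conf.d)
# and print the path of the file written.
install_site() {
    dir="${1:-/etc/nginx/conf.d}"
    out="${dir}/${SITE_NAME}.conf"
    render_site > "$out" || return 1
    printf '%s\n' "$out"
}

# trusted_net_count: number of allow-list entries (for a deploy-time sanity check).
trusted_net_count() {
    set -- $TRUSTED_NETS
    printf '%s\n' "$#"
}

case "${1:-}" in
    --install) install_site "${2:-}" && nginx -t ;;
    *) render_site ;;      # default: print the configuration for review
esac
```

Run without arguments to inspect the result; `--install` writes it to conf.d and runs `nginx -t` before you reload. Because the proxy, not EspoCRM, terminates TLS, the X-Forwarded-Proto header is what tells the application it is being served over HTTPS. The allow/deny list belongs on the proxy in addition to the firewall rule in front of it: if the firewall rule is ever widened to "the internet", the proxy still refuses everything outside the two subnets.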



            • Zosh commented
              I see, is your CRM in a remote location? Our CRM along with its DB is all hosted on-premise on a VM behind our firewall. Our firewall also hosts our VPN which users must authenticate with and log into if they want to access any of our on-prem services and applications... Is what you describe still relevant/beneficial for our type of environment?

          • #9
            Hello,
            if you only need access to the application by users with VPN, then it's not relevant.
            EspoCRM is a web application, so no need to open a special port.. if you have a special application, then of course you need to "brainstorm" more..
            (we have an old application that needs VPN and only works over VPN)

            If you think about access without VPN in the future, then you certainly must do what I explained in the post above.

            For your question, no, we do everything on-premise.. one web application has outside access without VPN, the other is inside on the LAN and only accessed by VPN (as explained above).



            • #10
              Interesting. I'm using pfSense and I have a domain redirected by the DNS provider to my IP, and pfSense on the firewall allows only specific IPs.
