Security setup for a public access domain (GoDaddy)

  • mrjdatta
    Junior Member
    • Jan 2020
    • 11

    Security setup for a public access domain (GoDaddy)

    I installed EspoCRM on a local server on my personal machine. I absolutely love the product and I'm going to recommend it for our business application with the advanced pack. I plan on installing it on a shared hosting plan on GoDaddy. I also plan on using the Portals feature to allow customers to log in and interact with a subset of the entities. As I prepare to pitch it to the business users, I know they're going to have security concerns.

    Here are my questions:
    1) Is there some documentation on how secure EspoCRM is? We're going to have customer information that needs to be kept safe.
    2) Is there a proper way of installing EspoCRM on a publicly accessible domain? I'm guessing the chmod command that I had to run isn't advisable on a public domain.

    Thank you!
  • esforim
    Active Community Member
    • Jan 2020
    • 2204

    #2
    The weakness of using shared hosting or a hosting company is you are giving them the possibility to access all your data. I think with a VPS or those higher business packages you have more control of it, but I have personally never used it; those should have encryption and other security measures that you or your IT guy can control.

    In terms of encryption, I don't think most of the data is encrypted, maybe only the password is hashed; otherwise if you have access to the database file you can review and see everything. There are a few topics on encrypting data, but with encryption you will risk one flaw: loading time and server overloading.

    HTTPS is not enabled by default, nor can it be forced via the interface. I chose my URL to be HTTPS but it is still defaulting to HTTP at the moment.

    This CRM, like many others, has security controls for User/Department/Team/Portal Group/etc., so that control ability is there if you ever want to use it.

    Welcome to EspoCRM. I have used quite a few before (over 2 years of switching and changing) and EspoCRM has one feature that I've been looking for. Who knows, I may move on again if I can find another that fits my needs. Hope to see you joining the community.


    • mrjdatta
      Junior Member
      • Jan 2020
      • 11

      #3
      Thanks for that information! Noted on the HTTPS settings. I was already anticipating doing that.

      I'm a little less concerned about GoDaddy's ability to access the data, but I really like your suggestion about encrypting the data at rest. I'll test it out and see what performance issues we run into. I'm not expecting a ton of users so it might be acceptable.

      What I'm most concerned about is how secure things are from hackers. I found this article (https://www.cvedetails.com/vulnerabi...6/Espocrm.html) which indicates there's a serious security risk allowing users to traverse directories. But my gut tells me that it's just a matter of removing the install directory. Am I right? I don't think it's required after the initial install.


      • item
        Active Community Member
        • Mar 2017
        • 1476

        #4
        Hello,
        This is not a personal blog... then forget shared, you need a good VPS with SSD minimum. I think 4G or 8G RAM.
        After that, a Linux... I have made CentOS 7 and now CentOS 8, with all requirements (PHP modules and so on, and custom settings), so you need root access to your VPS.
        You need to configure apache/nginx/MariaDB/PHP, the CentOS firewall, Let's Encrypt and so on.

        And after that you can install EspoCRM.
        If you could give the project a star on GitHub... EspoCRM believes our work truly deserves more recognition. Thanks.


        • esforim
          Active Community Member
          • Jan 2020
          • 2204

          #5
          Originally posted by mrjdatta
          > Thanks for that information!
          That is a good website; to be honest it is quite hard to find more online information about EspoCRM. Most articles, blogs, etc. don't even mention EspoCRM; honestly I don't even remember how I know about EspoCRM.

          Haven't dug through the website yet and it seems too technical for me either way, but I can see there might be some security flaws. On one web browser I got a "Partial Unsecured connection" notification in my Firefox browser when the Protections are enabled. Not sure if it is due to some image or script.

          Briefly reviewing it, it seems only earlier versions have that issue, which may pose a serious threat to users that do not upgrade. I'm fairly new to the system so I haven't got the Update alert yet, but with a giant sidebar on the administration page I would assume the alert to update your EspoCRM would be quite aggressive.

          I believe after discovering these security risks they would email/contact the developer about it to get it fixed up, or the developers themselves might monitor the page to do a hotfix if it is serious, or an incremental update.
          Last edited by esforim; 01-29-2020, 10:27 PM.


          • yuri
            Member
            • Mar 2014
            • 8440

            #6
            Some security recommendations:

            * don't use admin user account for work, only when you need to configure the system
            * use 2-factor auth
            * disable write access for all folders & files except 'custom/Espo/Custom/Resources' and 'data'
            If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.



            • esforim
              Good plan.

              The 2-factor auth reduces the chance of your account being compromised.

              Hopefully disabling those Write Access won't mess up the system. Is that both for Group, Personal & World?

            • yuri
              > Is that both for Group, Personal & World?
              755 (dirs), 644 (files) to start with, though someone might want it more strict.

              I'd also recommend making the owner of all files/dirs not the webserver user, and using the CLI for upgrading and installing extensions. And leave 'data' and 'custom' owned by the webserver user to be able to customize via the admin panel.
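As an added example that is not code from this thread or from the EspoCRM project, the following POSIX shell helper puts the advice from reply #6 and the comment above into one script: it applies the 755 (dirs) / 644 (files) baseline, splits ownership so that only data/ and custom/ belong to the webserver account while a separate CLI account owns the code, and audits the tree for anything outside those two directories that group or others can still write. The install root, the account names (espocli and www-data) and the script name harden.sh are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the EspoCRM project.
# Assumptions: the install root is passed as an argument (e.g. /var/www/espocrm);
# CLI_USER is the non-webserver account that runs upgrades, WEB_USER is the
# account the webserver runs as. Both names are placeholders.

set -u

# 755 on directories, 644 on files: only the owner of each path may write it.
espo_set_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print every path outside data/ and custom/ that group or others can write.
# Empty output means the tree matches the 755/644 baseline.
espo_find_loose() {
    root="$1"
    find "$root" \( -path "$root/data" -o -path "$root/custom" \) -prune -o \
        \( -perm -0020 -o -perm -0002 \) -print
}

# Ownership split from the comment above: the CLI account owns the code and
# runs upgrades; the webserver owns only data/ and custom/ so the admin panel
# can still write customizations. chown needs root, so this is a separate step.
espo_set_owner() {
    root="$1"; cli_user="$2"; web_user="$3"
    chown -R "$cli_user":"$cli_user" "$root"
    chown -R "$web_user":"$web_user" "$root/data" "$root/custom"
}

# Usage (as root): sh harden.sh --apply /var/www/espocrm espocli www-data
case "${1:-}" in
    --apply)
        espo_set_owner "$2" "$3" "$4"
        espo_set_perms "$2"
        loose=$(espo_find_loose "$2")
        if [ -n "$loose" ]; then
            printf 'still writable by group/others:\n%s\n' "$loose"
            exit 1
        fi
        ;;
esac
```

The permission and audit functions can be run as the CLI account after every upgrade or extension install; only the ownership step needs root. A non-empty audit result after an upgrade is the signal that something was left writable by the webserver or by other accounts and should be looked at before the site is exposed.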