I’m on version 21.0.4, installed on a remote server that I access over the Internet. To feel safe, I have configured the firewall to allow connections only from my office IP, my accountant’s IP, and a fixed IP provided by NordVPN, so I can connect from my laptop when I’m out of the office. With this setup, I feel reasonably safe, but some functionalities in Dolibarr are blocked, such as credit card payments and downloading documents from the server, like price offers.
What is your opinion on stopping the use of the firewall? Is the risk too high, or can it be managed?
Nothing is 100% safe; I suppose the real question is whether the gains from the blocked functionalities are important enough to open things up.
Another way to do it would be to put a website like WordPress, Prestashop, etc. on the frontend to process orders and payments. Give the website access to use the API to update data in Dolibarr. This opens things up while limiting the attack surface of your ERP.
I know lots of Dolibarr servers are open to the web. With a good web server, a proper Dolibarr setup and some security hardening it is safe. It’s also good to have backups.
Thanks for your time! I run the site on my own dedicated VM with OVH. I use Debian 12 with Virtualmin/Webmin, so I believe the server setup is fine.
I mainly sell B2B with payment terms of around 30 days by invoice. Although I mention credit cards, I rarely receive card payments, so I find setting up the structure you suggested a bit of an overkill.
What do you mean by “security hardening”? As far as I know, I’ve followed all recommended security instructions.
I also have a rigorous backup routine: every morning a full backup is made and sent to two different locations, and every 20 minutes a differential backup is created and sent to the same locations. In addition, OVH performs a full server backup every night, which is retained for one week.
My concern is that, in case of an attack, the attacker might gain access to my backup settings (except for the OVH backups) and delete them.
Hey, I’m working on implementing a WHITE LIST filter for login on my TOTP 2FA module:
For now you can only filter IPs by country, but someone suggested that I implement a filter directly by certain IPs, i.e. a white list method: you define some IPs that have permission to log in.
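One way to implement such a whitelist check, as an added example in PHP that is not code from the TOTP 2FA module or from Dolibarr itself (the allow-list entries, function names and the 403 handling are constructed for illustration):

```php
<?php
// Added example: match the client IP against an allow list of single addresses
// and CIDR ranges, for both IPv4 and IPv6. Not part of any Dolibarr module.

/** True if $ip lies inside $cidr, e.g. "198.51.100.7", "203.0.113.0/28" or "2001:db8::/32". */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts     = explode('/', $cidr, 2);
    $ipBin     = @inet_pton($ip);
    $subnetBin = @inet_pton($parts[0]);
    // Malformed input, or an IPv4 address tested against an IPv6 range (or vice versa), never matches.
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8;                      // 32 for IPv4, 128 for IPv6
    $bits    = isset($parts[1]) ? (int) $parts[1] : $maxBits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;                                   // reject prefix lengths such as /33 on IPv4
    }
    // Compare the whole leading bytes first, then the remaining bits of the last partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

/** True if $ip matches any entry of the allow list. */
function ipAllowed(string $ip, array $allowList): bool
{
    foreach ($allowList as $entry) {
        if (ipInCidr($ip, trim($entry))) {
            return true;
        }
    }
    return false;
}

// Constructed allow list using documentation addresses: office, accountant, VPN range.
$allowList = ['198.51.100.7', '203.0.113.0/28', '2001:db8:abcd::/48'];
// Use the address the web server saw; only trust X-Forwarded-For when a proxy you control sets it.
$client = $_SERVER['REMOTE_ADDR'] ?? '';
if (!ipAllowed($client, $allowList)) {
    http_response_code(403);
    exit('Login is not permitted from this address.');
}
```

Putting the check before the password and TOTP steps means a login attempt from an address outside the list is refused without touching credentials at all.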
We use OVH; the application and DB should be in separate VMs/cloud instances with a firewall in between. The DB should only be accessible by the application server and not directly available on the internet.