Are there any security best practices for securing SuiteCRM? I’m using it for a very small organization, but I want to make sure the server and data are protected from baddies. I have looked around but cannot find anything describing how to ensure someone does not mess with the app or data or use it to get broader access to the server. I found a 5-year-old post about fail2ban, but would appreciate something more recent, and certainly broader.
I am happy to pull together resources if you want to point me at individual nuggets.
Hi. I don’t know of any resources specific to SuiteCRM with a lot of advice. But you should be ok if you just follow generic PHP/Apache security advice.
I just recommend removing the “world” permissions altogether by setting the appropriate zeroes:
sudo chown -R www-data:www-data .
sudo chmod -R 750 .
sudo chmod -R 770 cache custom modules themes data upload
sudo chmod 770 config_override.php 2>/dev/null
NOTE that www-data needs to be replaced by the user name that your web server is running under.
This SugarCRM documentation might also help, although some things might not apply to SuiteCRM: https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_7.9/Security/Web_Server_Configuration/index.html
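
A way to verify the ownership and permission scheme from the reply above after applying it, added here as an example that is not part of the original posts. The function names are hypothetical, and the install path and web server user are whatever applies on your system.

```shell
#!/bin/sh
# Added example (not from the thread): verify the ownership/permission scheme above.
# Function names are hypothetical; pass your own install path and web server user.

# Paths that still carry any "world" (other) r/w/x bit. Symlinks are skipped
# because their own mode is always reported as 777.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Paths not owned by the web server user (name or numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Top-level writable paths from the post that lack full owner+group access (770).
# Missing paths are skipped, as config_override.php may not exist.
not_group_writable() {
    for p in cache custom modules themes data upload config_override.php; do
        [ -e "$1/$p" ] || continue
        [ -n "$(find "$1/$p" -prune -perm -770)" ] || echo "$1/$p"
    done
}

# Print findings; return 0 when the tree matches the scheme, 1 otherwise.
audit_suitecrm_perms() {
    dir=$1 user=$2 status=0
    for check in world_accessible wrong_owner not_group_writable; do
        out=$("$check" "$dir" "$user")
        if [ -n "$out" ]; then
            echo "== $check =="
            echo "$out"
            status=1
        fi
    done
    return "$status"
}

# Usage (path is a placeholder): audit_suitecrm_perms /path/to/suitecrm www-data
```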