Dolibarr, a popular open-source ERP/CRM among many companies, is a versatile tool for managing invoicing, customer relations, inventory, and even accounting. However, like any software handling sensitive information, it requires specific configuration and maintenance to avoid security flaws. In this article, we’ll review the main best practices to effectively secure your Dolibarr instance.
1. Enabling and Configuring HTTPS
1.1. Why Switch to HTTPS?
The HTTPS protocol ensures that communication between your browser and the Dolibarr server is encrypted. As a result, passwords, personal information, or billing data are not transmitted in clear text over the network, greatly reducing the risk of interception (such as man-in-the-middle attacks).
1.2. Obtaining and Installing an SSL/TLS Certificate
- Let’s Encrypt Certificate: Free and automated, suitable for most businesses. Simply follow the instructions of the Certbot client (or equivalent) to generate and install the certificate.
- Paid Certificate: For higher validation levels (OV, EV), you can opt for a certificate from a recognized Certificate Authority.
- Server Configuration: Once you have your certificate, enable the SSL module (on Apache) or configure the
server { ... }
block for HTTPS (on Nginx). Be sure to enforce HTTP→HTTPS redirection to prevent unsecured access.
2. Managing User Rights and Access
2.1. Roles and Permissions
Dolibarr features a granular permissions system. Each module (invoicing, CRM, accounting, etc.) can be linked to specific roles (administrator, sales representative, accountant, etc.), which restricts access only to the features each user requires.
- Principle of Least Privilege: Grant users only the rights they actually need for their work.
- Regular Reviews: Regularly review the list of users and their permissions, especially when an employee leaves or changes positions.
2.2. Password and Authentication Policies
- Complex Passwords: Require a minimum length (8, 10 characters or more), mixing upper/lowercase letters, numbers, and special characters.
- Two-Factor Authentication (2FA): Although Dolibarr doesn’t natively integrate 2FA, you can implement external solutions (reverse proxy, VPN, etc.) to strengthen access.
- Session Management: Set a reasonable session timeout. After a certain period of inactivity, the user should be prompted to log in again.
3. Regular Backups and a Recovery Plan
3.1. Why Backup?
A hardware failure, user error, or malicious attack can result in partial or total data loss. Regular backups ensure you can restore your information and limit impact in the event of an incident.
3.2. Backup Strategy
- Frequency: Adjust the frequency (daily, weekly, etc.) based on how critical your data is. The more frequently Dolibarr is used, the more often you should back up.
- Retention: Keep multiple versions of your backups so you can revert to an earlier state if an issue is discovered later on.
- External Storage: Store backups on a different server, a NAS, or a secure cloud service so they aren’t compromised along with the main system.
3.3. Restoration Procedures
- Test Your Backups: A backup is only as good as your ability to restore it. Regularly perform test restorations in a test environment to verify file integrity and confirm the process runs smoothly.
- Documentation: Draft a clear, detailed procedure so the technical team knows exactly how to restore Dolibarr if necessary.
4. Updates and Technology Monitoring
4.1. Keeping Dolibarr Up to Date
The Dolibarr community regularly releases updates that include:
- Bug fixes,
- Security patches,
- Performance improvements.
Installing these updates as soon as they become available (after testing them in a dedicated environment) is one of the best ways to protect against known vulnerabilities.
4.2. Updating the Server Environment
- Operating System (Linux, Windows, etc.): Apply kernel and package updates as soon as they’re available.
- LAMP/LEMP Stack: Keep recent versions of Apache/Nginx, PHP, and MySQL/MariaDB to avoid critical, well-known vulnerabilities.
- Extensions and Modules: Check that any external plugins or Dolibarr modules you use are also up to date, since a vulnerability in a module can compromise the entire application.
5. Security Audits and Monitoring
5.1. Security Logs
Dolibarr generates logs (log files) that can inform you of abnormal access or recurring errors. Be sure to:
- Enable an Appropriate Log Level (errors, warnings, etc.),
- Review These Logs Regularly to detect intrusion attempts or suspicious logins.
5.2. Audits and Penetration Testing
- Frequency: Annual or semi-annual security audits can help identify potential vulnerabilities.
- Tools: You can use vulnerability scanners (OpenVAS, Nessus, etc.) or hire security professionals for thorough penetration testing.
- Follow-Up Action: Address any identified vulnerabilities as quickly as possible and verify fixes if necessary.
6. Additional Best Practices
6.1. Securing Your Network
- Firewall: Limit open ports and only allow access to necessary services (SSH, HTTPS, etc.).
- VPN: For remote employees, a VPN secures the communication channel to the Dolibarr server.
6.2. Environment Segmentation
- Test Environment: Maintain a separate Dolibarr instance to test updates and new modules before deploying them to production.
- Network Segmentation: If possible, isolate the database on a dedicated server or in a separate subnet (DMZ), reducing the overall attack surface.
6.3. User Awareness
- Training: Educate your teams about best practices (password security, phishing, etc.).
- Internal Procedures: Implement clear processes (account creation/deletion, approval levels, etc.) to minimize the risk of human error.
Conclusion
Securing your Dolibarr installation is a continuous process, from the initial setup and managing user rights and access, to implementing an effective backup policy and staying vigilant about updates and potential vulnerabilities. It’s essential to view security as a strategic investment in your company’s long-term success.
By applying the best practices outlined in this guide—HTTPS, precise user management, regular backups, frequent updates, and security audits—you’ll greatly reduce the risk of incidents and ensure the confidentiality and integrity of your data. Don’t hesitate to seek support from the Dolibarr community and security experts as you move forward with these measures.