Security

We do care about security

We make every effort to secure our servers at the operating system and networking level.
Here are some of the activities we run every day:

  • SSL

    SSL (Secure Sockets Layer) enables you to send data securely between your website and your visitors. SSL certificates can also prove your identity to visitors.

  • Perpetual Security on our servers

    Server security is important, and the Perpetual Security initiative contains several features that help protect your instance from malicious actors. 

    These are some actions we take every day to secure our servers:

    – KernelCare is a software extension that lets us apply kernel security updates daily without rebooting our servers. KernelCare is a key feature of our Perpetual Security initiative. The main advantages of KernelCare:
        – Fast updates.
        – No downtime, because no reboot is needed.
        – The kernel always has the latest security updates.
        – Security updates are applied automatically.

    – HackScan malware protection runs 24 hours a day, 7 days a week to help block attacks before they can damage your site.

    – Root SSH access disabled. Our servers use a different SSH port (7822) from the default port (22), which reduces the number of bots that scan and attempt to access our servers. Additionally, we have disabled root SSH access to increase security.

    – Operating system patching. Maintaining an up-to-date server with the latest patches and fixes is crucial to keeping our servers secure. We ensure the operating system is up to date with the latest security patches, and we proactively monitor network connections and performance. In addition, we have a partnership with Patchman to provide additional security: Patchman automatically fixes software vulnerabilities in web applications.

    – Firewalls. A firewall controls incoming and outgoing network packets. We use the Advanced Policy Firewall (APF) to explicitly grant and deny access to selected IP addresses, as well as to selected services running on the server.

    – Software vulnerabilities. We continuously update our software applications (PHP, Apache, MySQL, etc.) to avoid security vulnerabilities that malicious actors can exploit using automated scripts.

    – Cloudflare. Cloudflare is a content delivery network (CDN) service that blocks threats and limits abusive bots before they reach the web server. This increases security and reduces wasted bandwidth.

  • Hardening servers with fail2ban

    The fail2ban program helps secure our servers against unauthorized access attempts by monitoring server log files for failed logins, intrusion attempts and other suspicious activity. After a predefined number of failures from a host within a given time window, fail2ban automatically blocks its IP address for a specific duration. It is particularly effective in reducing the risk from scripted attacks and botnets.
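    As an added illustration of the mechanism described above (example code, not the hosting provider's or fail2ban's own implementation), the following Python sketch applies fail2ban's maxretry / findtime / bantime logic to a few constructed sshd log lines: an address that fails three times within the window is banned for the ban duration, while failures spread beyond the window are not counted together.

```python
import re
from collections import defaultdict, deque

# Constructed sample sshd log lines (not taken from any real server).
# Timestamps are plain seconds so the example runs offline without date parsing.
SAMPLE_LOG = [
    (100, "sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"),
    (130, "sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2"),
    (160, "sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2"),
    (170, "sshd[2104]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2"),
    (200, "sshd[2105]: Failed password for root from 198.51.100.4 port 40113 ssh2"),
    (900, "sshd[2106]: Failed password for root from 198.51.100.4 port 40114 ssh2"),
]

# Matches the source address of a failed password attempt (sshd log format).
FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")


class Jail:
    """Minimal fail2ban-style jail: maxretry failures within findtime seconds -> ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> timestamp at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.bans.pop(ip, None)  # ban has expired (or never existed): make sure it is lifted
        return False

    def observe(self, ts, line):
        """Feed one log line; return the IP if this line triggers a new ban, else None."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def run(log=SAMPLE_LOG, **jail_options):
    """Replay a log through a fresh jail and return the addresses that got banned, in order."""
    jail = Jail(**jail_options)
    return [ip for ts, line in log if (ip := jail.observe(ts, line))]
```

    With the defaults, only 203.0.113.7 is banned: 198.51.100.4 fails twice, but 700 seconds apart, so the first failure has already aged out of the 600-second window.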

Protected E-mail

  • Spam E-mail. Unwanted e-mail (spam) can be a major hassle, as well as a potential security risk. All of our e-mail services are set up with spam filters.

    Our e-mail filtering is powered by Apache SpamAssassin, which assigns a score to each message to rate the likelihood that it is spam.

* If your outgoing e-mail is marked as spam, please follow these directions.

  • MailChannels – Email Account Protection
    We use an e-mail relay service called MailChannels. It helps us identify spammers, improves e-mail reputation and ensures reliable delivery of our customers' e-mail. It ultimately helps us stay one step ahead of spammers.

    MailChannels was designed to relieve the time, cost and frustration of safeguarding against blacklisting and harmful spam. Spammers work with cybercriminals to exploit weaknesses in e-mail accounts and use them to send waves of messages, which could be anything from simple marketing to criminal phishing scams and even hidden malware. Such e-mails coming from your company could have devastating consequences. Being able to filter every outgoing e-mail is a huge step in stopping cybercriminals from taking advantage of an e-mail account.

Dolibarr application security

Dolibarr implements several security features. Among them:

Encryption

  • User passwords are encrypted in the database.
  • The database technical password is obfuscated.
  • An internal WAF and security-related web page headers are used.
  • Protection against CSRF (Cross Site Request Forgery), provided by the internal WAF and a token system.

Pages and files access

  • Pages and contents are protected by centralized entry code that checks permissions (granted to groups or users for each functional module).
  • Files saved by Dolibarr are stored in a different root directory from the web application, so they can't be downloaded without passing through the Dolibarr wrapper.
  • The content of Dolibarr directories can't be listed even if the Apache Indexes option has been left enabled.

Login protection

  • Anti-brute-force delay on the login page.
  • Optional graphical code (CAPTCHA) against robots on the login page.
  • Back office access can be restricted to selected IP addresses only.
  • No passwords in logs, even in technical logs.
  • Internal logger that permanently records all Dolibarr user administration events, successful and failed logins, and administration changes (user, group or permission changes).
  • Output of a log record into a log file.
  • Possibility to force HTTPS.

* These solutions are part of the protections used to address vulnerabilities classified in the OWASP Top Ten at rank number X.

TLS and cipher suites update for December 2019

Our servers support TLS 1.2 and 1.3. We at UnboxERP take cybersecurity seriously, and as a result we have updated our encryption and security technologies. All sites using SSL certificates (also known as HTTPS) support TLS 1.2 and 1.3.

Going forward, our sites with SSL certificates will no longer support TLS 1.0 or 1.1 because of the security vulnerabilities associated with those versions. Most users will not notice any effect of this change. However, disabling TLS 1.0 and 1.1 will prevent users of legacy devices that support only those versions from reaching websites using SSL.

Expert Anti-DDoS Defense

  • While we can't guarantee protection against every new DDoS attack, we can guarantee that we have the tools in place to increase the likelihood that your instance will not be impacted by these malicious actions. It all starts with our high-capacity Reinforced DDoS Protection, designed to locate an attack and provide quick mitigation if one occurs.

    Rest assured that we have DDoS alerts, detection and defense in place. Using a technique referred to as null routing, our DDoS defense temporarily brings down your Dolibarr instance, changes its IP address and re-enables your application for a period of time, repeating this until the attack stops.

    What Is a Distributed Denial of Service (DDoS) Attack Anyway?

    A DDoS attack is when multiple computers, most likely compromised, attempt to maliciously take websites and online services offline by flooding them with unwanted traffic. The goal of this traffic is to overwhelm the service so that it becomes unavailable to the site's legitimate users. For someone who isn't technical, the only sign of an attack is severe performance issues on your server. The server might even crash.

Some additional things you can do

  • Choosing strong passwords.
    You play a major part in ensuring that your site remains as secure as possible. Using a strong password is vital for your account's security. Learn how to do it.

  • Email phishing scam attempts
    Email phishing attempts aim to glean your identifying information for nefarious purposes such as identity theft. It's best to stay informed and keep a few tricks in mind to avoid becoming the victim of a phishing attack. Learn how to do it.

Copyright © 2021 Unbox ERP and CRM Solutions. Privacy policy and notice. Terms and Conditions