This post is based on a discussion in the LinkedIn OpenERP group about security in OpenERP. I thought it would be useful to gather all the security recommendations in one place for easy reference. Anyone running OpenERP in production should pay attention to the following recommendations. Please note that this is a work in progress and in no way complete; please feel free to comment and contribute.
1. Use HTTPS :
You can run XML-RPC (and the web client) over HTTPS to encrypt all traffic between clients and the server. By default OpenERP listens on plain HTTP, so logins, passwords and record data cross the network in the clear. Follow http://doc.openerp.com/install/linux/web/index.html#configure-https to set it up. TLS adds some CPU overhead, so expect a small performance cost.
2. Use VPN :
Where possible, expose OpenERP only inside a VPN, so that outsiders cannot reach the service at all. Complement this by configuring Apache (or whatever fronts OpenERP) to accept connections only from the office or VPN address ranges, so that a misconfigured firewall does not silently expose the server.
3. Use SSH tunnelling :
If you use neither a VPN nor HTTPS, another option is to forward the OpenERP port through an SSH tunnel, which encrypts the traffic and keeps the port closed to the outside.
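The client side of recommendation 1 is easy to get wrong: enabling HTTPS on the server helps little if scripts that talk XML-RPC to OpenERP skip certificate verification or quietly fall back to http://. The following is an added example (not code from the original post or from OpenERP) of a Python XML-RPC client that only speaks HTTPS and verifies the server certificate and host name; the host name, database name, credentials and CA bundle path are assumptions, and the `/xmlrpc/common` and `/xmlrpc/object` endpoints are the standard OpenERP services.

```python
import ssl
import xmlrpc.client
from urllib.parse import urlparse

# Assumed deployment values (not from the original post): the HTTPS front end
# set up per the OpenERP docs, and a CA bundle that contains the certificate
# (or the self-signed certificate itself) used by that front end.
OPENERP_URL = "https://erp.example.com"
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


class InsecureTransport(ValueError):
    """Raised when a caller tries to send credentials over plain HTTP."""


def make_ssl_context(ca_bundle=None):
    """Build a TLS context that verifies the server certificate and host name.

    With the documented self-signed setup the certificate must be added to
    `ca_bundle`; do NOT disable verification instead, or a man-in-the-middle
    can still read the XML-RPC login just as with plain HTTP.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """True if the context will reject unknown or mis-named certificates."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def endpoint(base_url, service):
    """Return the XML-RPC endpoint for an OpenERP service, refusing http://."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise InsecureTransport(
            f"refusing to send credentials over {parsed.scheme or 'unknown'}://")
    return f"{base_url.rstrip('/')}/xmlrpc/{service}"


def connect(base_url, db, login, password, ca_bundle=None):
    """Log in over HTTPS and return (uid, object_proxy)."""
    ctx = make_ssl_context(ca_bundle)
    common = xmlrpc.client.ServerProxy(endpoint(base_url, "common"), context=ctx)
    uid = common.login(db, login, password)
    if not uid:
        raise PermissionError("login rejected")
    obj = xmlrpc.client.ServerProxy(endpoint(base_url, "object"), context=ctx)
    return uid, obj


if __name__ == "__main__":
    # Needs a reachable server; everything above this line works offline.
    uid, obj = connect(OPENERP_URL, "production", "admin", "secret", CA_BUNDLE)
    # Read one partner id through the encrypted channel.
    print(obj.execute("production", uid, "secret", "res.partner", "search", [], 0, 1))
```

The same refusal of `http://` URLs is worth adding to any cron job or integration script that holds an OpenERP password, since those are the credentials an attacker on the network path would otherwise capture.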
4. Install the base_crypt module :
By default user passwords are stored in plain text in the database, so anyone with database access, or a copy of a backup, can read every password. Install the base_crypt module so that only a salted hash of each password is stored and the original can no longer be recovered from the table.
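To make concrete what "stored in plain text" costs and what a hashing module buys you, here is an added example (not base_crypt's code, and not its on-disk format) of salted, iterated password hashing with constant-time verification, plus the kind of one-off migration that converts an existing table of clear-text passwords. The storage format, the sample user rows and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Assumed storage format for this illustration (not what base_crypt writes):
#   algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a salted, iterated hash of `password` suitable for storage.

    A fresh random salt per user means two users with the same password get
    different stored values, and a precomputed table cannot be reused.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def is_hashed(stored):
    """True if a stored value is already in the hashed format."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()


def verify_password(stored, candidate):
    """Check `candidate` against a stored hash without leaking timing."""
    if not is_hashed(stored):
        raise ValueError("refusing to compare against a plaintext password")
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_plaintext(rows):
    """Hash every plaintext password in a list of {login, password} rows.

    Rows that are already hashed are left alone, so running the migration
    twice is harmless.
    """
    out = []
    for row in rows:
        pw = row["password"]
        out.append({"login": row["login"],
                    "password": pw if is_hashed(pw) else hash_password(pw)})
    return out


# Constructed sample rows standing in for a users table before migration.
SAMPLE_USERS = [
    {"login": "admin", "password": "admin"},
    {"login": "demo", "password": "demo"},
]

if __name__ == "__main__":
    migrated = migrate_plaintext(SAMPLE_USERS)
    for row in migrated:
        print(row["login"], row["password"][:40] + "...")
    print(verify_password(migrated[0]["password"], "admin"))
    print(verify_password(migrated[0]["password"], "wrong"))
```

Whatever module or format you use, the property to check is the one `verify_password` relies on: the stored value lets you confirm a password but not reconstruct it, so a leaked database dump does not hand out working logins.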
5. Use safe_eval :
While developing Python modules or extending existing functionality, evaluate any expression that comes from users or from the database with safe_eval rather than the builtin eval, which would run arbitrary Python with the privileges of the server process. Server version 5.0.14 has been updated to use safe_eval, but be careful with modules from extra-addons, which may still call eval directly.
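The difference between the two evaluators is easiest to see side by side. The following added example (not OpenERP's safe_eval and not code from the original post) places a naive `eval` of a stored domain string next to a small whitelist evaluator that accepts literals, containers, arithmetic, comparisons and named variables, and rejects everything else, so an expression like `__import__('os')...` cannot reach the interpreter. The domain string and the hostile string are constructed for the illustration; the hostile one calls `os.getpid()` rather than something destructive.

```python
import ast
import operator

# Constructed expressions: the first is the kind of domain a record might
# store, the second is what an attacker can smuggle into the same field.
DOMAIN_EXPR = "[('state', '=', 'done'), ('partner_id', '=', partner_id)]"
HOSTILE_EXPR = "__import__('os').getpid()"  # harmless stand-in for os.system(...)


def unsafe_eval(expr, names):
    """The pattern to avoid: builtin eval runs any Python the string contains.

    An empty globals dict does not help; Python fills in __builtins__, so
    __import__ is still reachable.
    """
    return eval(expr, {}, dict(names))


class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax outside the allowed subset."""


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b}


def restricted_eval(expr, names=None):
    """Evaluate a strictly limited expression language over `names`.

    Calls, attribute access, subscripts, lambdas and unknown names are all
    rejected, so there is no path from the string to modules or builtins.
    """
    names = dict(names or {})
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Tuple):
            return tuple(ev(e) for e in node.elts)
        if isinstance(node, ast.List):
            return [ev(e) for e in node.elts]
        if isinstance(node, ast.Dict):
            return {ev(k): ev(v) for k, v in zip(node.keys, node.values)}
        if isinstance(node, ast.Name):
            if node.id in names:
                return names[node.id]
            raise UnsafeExpression(f"unknown name {node.id!r}")
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


if __name__ == "__main__":
    ctx = {"partner_id": 42}
    print(restricted_eval(DOMAIN_EXPR, ctx))
    print(unsafe_eval(HOSTILE_EXPR, ctx))  # the server's own pid: code ran
    try:
        restricted_eval(HOSTILE_EXPR, ctx)
    except UnsafeExpression as exc:
        print("rejected:", exc)
```

When auditing an extra-addons module, grep for `eval(` and check what feeds each call; a domain, a default value or a context string that a user can edit through the interface is exactly the input `HOSTILE_EXPR` stands for.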
6. Use Active Directory / LDAP :
To secure the system further, authenticate users against Active Directory or another LDAP directory, so that password policy, lockout and account removal are handled centrally rather than in each application. An existing module lets you do this.
7. Include a robots.txt file :
Place a robots.txt file at the root of the web client so that Google and other search engines do not index your login screen. Note that this only keeps well-behaved crawlers away; it does not hide the login page from anyone who already knows the address.