Installing SuiteCRM in the Cloud

Colin Bitterfield
Dec 26, 2019

I am working with several small businesses with business development and automation issues. We evaluated SalesForce.com and some other CRM solutions. For a startup, the question is always a cost-related one. Most small businesses cannot purchase every cloud service they need until they hit at least 20–30 people, and even then, the cost of the service cuts into the growth budget.

Image by Anna Maria Weaver

We called Salesforce sales and found out it would cost at least $900.00/year per person. The other issue is that even with one salesperson, at least one or two other people need access to the CRM data, so the overall cost to start could be $2,700.00. My customer asked me if there were alternatives. I checked out GoDaddy's application offering, among other open-source offerings. After evaluating the open-source products currently under active development, we landed on SuiteCRM. I spoke to my friends over at Atlantic.NET about server costs, and they have a $10/month no-contract plan, so we opted for that. Atlantic.NET also offers managed solutions and compliance-managed solutions.

Atlantic.Net basic server

The $10/month server is a starter server. We chose Ubuntu 18.04 LTS (Bionic Beaver) for the longest remaining support window; Ubuntu 16.04.6 LTS (Xenial Xerus) is also a sound choice. Both are long-term-support releases with years of security updates ahead of them, which makes a compelling argument for a business.

SuiteCRM: “Our feature-rich enterprise-ready alternative to Salesforce provides all the benefits of CRM at substantially lower costs with the freedoms and flexibility of Open Source.”

The compelling argument is that it can grow into a fully supported alternative to Salesforce.

SuiteCRM publishes the following requirements.

Recommended installation pre-requisites

  • PHP
  • JSON
  • XML Parsing
  • MB Strings Module
  • Writable SugarCRM Configuration File (config.php)
  • Writeable Custom Directory
  • Writable Modules Sub-Directories and Files
  • Writable Upload Directory
  • Writable Data Sub-Directories
  • Writable Cache Sub-Directories
  • PHP Memory Limit (at least 128M)
  • ZLIB Compression Module
  • ZIP Handling Module
  • PCRE Library
  • IMAP Module
  • cURL Module
  • Upload File Size
  • Sprite Support

Translation: the installation is not fully documented. Left alone, that turns into a research project of discovering where it doesn't work. This article is a shortcut to getting up and running in a few hours.

In my opinion a better way to state requirements is a list of commands for RHEL (yum) or Debian/Ubuntu (apt). I have a personal preference for Percona Server for MySQL: I find it a faster MySQL implementation, and it is free under the GPL. Be aware that not every freely downloadable MySQL build is free for commercial use; check the license of the edition you download (Oracle's MySQL Enterprise Edition, for instance, is a paid product).

Notice: the 7.11 version says it supports Elasticsearch. The small node I am using is too small for that; you need two cores and 8GB of RAM to run it.

Note:

Whenever you are installing a LEMP or LAMP configuration, you will need several usernames and passwords:

  • Linux username (initially with a password; use an SSH key in production and set the password to a very long random string)
  • MySQL root password (use the mysql_native_password plugin; most web applications do not yet support MySQL 8's caching_sha2_password)
  • MySQL application username and password (follow current NIST password guidelines)
  • Application admin user/password
  • Application regular user/password, sometimes

Linux Preparation

These instructions are not a full hardening guide. Consult the CIS Benchmarks to harden your system before going into production (and subsequently getting hacked). We are going to do a few security steps, just to prevent the obvious problems.

  1. Install pre-requisite software
  2. Create a user
  3. Create a banner message
  4. Enable local firewall
  5. Enable local antivirus
  6. Enable 2FA (Google Auth) access
  7. Remove all remote access by passwords.
  8. Configure Apache to run
# Install pre-requisite software
# Percona Server for MySQL 5.7
sudo wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb
sudo dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
sudo apt-get update
# This will prompt you for a MySQL root password.
sudo apt-get install percona-server-server-5.7 -y
# Apache2
apt -y install apache2
# PHP7
apt -y install php php-cgi libapache2-mod-php php-common php-pear php-mbstring php-xml php-imap php-curl php-zip php-json php-mysql php-gd
# OS packages (openjdk-8-jdk is only useful if you add Elasticsearch later)
apt -y install curl zip unzip sudo libpam-google-authenticator ufw sysvbanner certbot python-certbot-apache openjdk-8-jdk
# Update, upgrade and remove old packages
apt update
apt upgrade -y
apt autoremove -y

At this point, take a moment to restart your server, in case the kernel has changed during the update process.

Create a user for this application:

# Update the Linux SKEL so new accounts get an .ssh directory and a web root
mkdir -p /etc/skel/.ssh
touch /etc/skel/.ssh/authorized_keys
mkdir -p /etc/skel/html
# Create a location for this application
mkdir -p /data
useradd -c 'Suite CRM Application' -m -d /data/suitecrm --uid 3000 -s /bin/bash suitecrm
# Set a long random password (the account will only be reachable by SSH key)
SITE_PASS=${SITE_PASS:-$(< /dev/urandom tr -dc '_A-Z-a-z-0-9' | head -c 32)}
# passwd reads from the terminal, not stdin; chpasswd takes user:password on stdin
printf '%s:%s\n' suitecrm "${SITE_PASS?}" | chpasswd
unset SITE_PASS
# Paste your public key, then press Ctrl-D
cat > ~suitecrm/.ssh/authorized_keys
# Set ssh ownership and permissions
chown -R suitecrm:suitecrm ~suitecrm/.ssh
chmod 700 ~suitecrm/.ssh
chmod 600 ~suitecrm/.ssh/authorized_keys
# Let the web server reach the application tree through the suitecrm group
usermod -a -G suitecrm www-data
chown -R suitecrm:suitecrm /data

Create Basic Banner Message

# /etc/update-motd.d entries are scripts run by run-parts, so write one and make it executable
printf '#!/bin/sh\nbanner SuiteCRM\n' > /etc/update-motd.d/20-message
chmod +x /etc/update-motd.d/20-message
# Pre-login banner displayed by sshd (referenced by Banner in sshd_config later)
cat << EOF > /etc/issue.net

==============================================================
=== Authorized Use only. Contact (xxx) xxx-xxxx for help ====
==============================================================
EOF

My recommendation is always to set a banner message with a phone number. Implementing the login banner is the first step towards CIS Level 1 hardening.

Enable local firewall

UFW is standard on Ubuntu but ships inactive; once enabled it denies all incoming traffic that is not explicitly allowed, so allow SSH before you enable it or you will lock yourself out.

# Allow SSH first, restricted to your admin address (203.0.113.10 is a placeholder)
ufw allow from 203.0.113.10 to any port 22 proto tcp
ufw allow proto tcp from any to any port 80,443
ufw enable
ufw status verbose

Port 22 is not open by default. The best method is to allow as few ports as possible and to restrict the source IPs wherever practicable.

Install AntiVirus

It is a lengthy process. Sophos and ClamAV are excellent choices for free AV.

See the Sophos instructions for installation.

Enable 2FA (Google Auth) access


You need to have an authenticator app on your phone or tablet: Google Authenticator, LastPass Authenticator, Okta Verify, OneLogin, or others.

Fast Method:

# As root: answer yes to all questions and scan the QR code with your app
google-authenticator
# Repeat as suitecrm (or your own user account), again answering yes to all
su - suitecrm
google-authenticator
exit

Now configure Linux for use:

Add a group that SSH access will be limited to:

groupadd -g 2000 ssh_login
usermod -a -G ssh_login root
usermod -a -G ssh_login suitecrm
# plus any other user that will need to log in

File: /etc/ssh/sshd_config
Patch file to apply: patch --backup /etc/ssh/sshd_config < sshd_patch

--- sshd_config 2019-12-25 22:45:41.226235267 +0000
+++ _sshd_config 2019-12-25 22:43:47.317481104 +0000
@@ -53,12 +53,12 @@
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
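Review bot: the two flips in this hunk only take effect if UsePAM stays yes (Ubuntu's shipped default, outside this hunk), because ChallengeResponseAuthentication yes routes the keyboard-interactive step through PAM; also confirm there is no earlier uncommented PasswordAuthentication yes in the file, since sshd honours the first occurrence of a keyword and ignores later ones.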
@@ -106,7 +106,11 @@
#VersionAddendum none
# no default banner path
-#Banner none
+Banner /etc/issue.net
+AllowGroups ssh_login
+
+# Turn on 2FA Authentication
+AuthenticationMethods publickey,keyboard-interactive
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
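Review bot: AuthenticationMethods publickey,keyboard-interactive together with root in ssh_login (the usermod above) will still refuse root under Ubuntu's default PermitRootLogin prohibit-password, which disables keyboard-interactive for root; either drop root from ssh_login and use sudo from the suitecrm account, or set PermitRootLogin yes explicitly (key plus OTP remain mandatory). Keep an existing session open and test a fresh login after sshd -t and the restart.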

If you are unfamiliar with patch, copy the above text into a file named sshd_patch and then run the command. Be careful with "smart" cut and paste, which turns quotes and dashes into typographic characters and breaks the patch.

File: /etc/pam.d/sshd

Patch file to apply: patch --backup /etc/pam.d/sshd < sshd_pam_patch

After both patches are in, validate with sshd -t, then systemctl restart sshd, and keep your current session open until a fresh login with key plus code succeeds.

--- sshd 2019-12-25 22:55:08.989319574 +0000
+++ sshd_new 2019-12-25 22:55:03.193291733 +0000
@@ -1,7 +1,7 @@
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
-@include common-auth
+#@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
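Review bot: commenting out @include common-auth removes pam_unix from the auth stack, which is what stops sshd asking for the Unix password at the keyboard-interactive step; until the pam_google_authenticator line from the next hunk is added, this file has no auth module at all, so apply the two hunks together and keep a working session open while you do.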
@@ -53,3 +53,7 @@
# Standard Un*x password updating.
@include common-password
+
+# Enable google authenticator
+auth required pam_google_authenticator.so nullok
+
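Review bot: nullok is meant to let users who have not yet run google-authenticator (no ~/.google_authenticator) skip the second factor, but with common-auth gone this module is the only one in the auth stack, and what PAM does with a stack whose sole module returns ignore is not something to rely on; enroll every ssh_login member and drop nullok. Appending the line after @include common-password is fine because PAM evaluates the auth, account, password and session stacks independently.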

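Before restarting sshd, it is worth checking what sshd will actually apply rather than what the patch says: sshd honours the first occurrence of each keyword and ignores later duplicates, keywords are case-insensitive, and anything inside a Match block is not global. The following pre-flight check is an added example, not code from the article; the function names are mine, it assumes Ubuntu 18.04's single sshd_config with no Include directive, and the sample configs it writes are constructed for a dry run.

```shell
#!/bin/sh
# Added example: pre-flight check of the sshd_config and PAM edits, to run
# before "sshd -t && systemctl restart sshd". Assumes a single sshd_config
# (no Include). Function and file names are the author's own choices.
set -eu

# Effective global value of a keyword: first non-comment line, case-insensitive,
# stopping at the first Match block (settings inside Match are not global).
sshd_effective() {   # sshd_effective <sshd_config> <keyword>
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"                { exit }
        tolower($1) == tolower(key)           { print $2; exit }
    ' "$1"
}

check_sshd_hardening() {   # check_sshd_hardening <sshd_config> <pam.d/sshd>
    rc=0
    for want in \
        "passwordauthentication no" \
        "challengeresponseauthentication yes" \
        "usepam yes" \
        "authenticationmethods publickey,keyboard-interactive" \
        "allowgroups ssh_login" \
        "banner /etc/issue.net"
    do
        key=${want%% *}
        expect=${want#* }
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$expect" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$expect'" >&2
            rc=1
        fi
    done
    # PAM: the Unix password stack must be out and the OTP module in
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$2"; then
        echo "pam: common-auth still included; sshd would prompt for the password" >&2
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"; then
        echo "pam: pam_google_authenticator.so is not enabled" >&2
        rc=1
    fi
    # nullok: users without ~/.google_authenticator are not challenged for a code
    grep -Eq 'pam_google_authenticator\.so.*nullok' "$2" &&
        echo "pam: nullok present; remove it once every ssh_login member is enrolled" >&2
    return $rc
}

# Constructed sample files for a dry run; "$1" is a scratch directory.
write_sample_configs() {
    d=$1
    # good: patched as above, plus a Match block that must not count as global
    printf '%s\n' 'Port 22' 'UsePAM yes' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
        '#Banner none' 'Banner /etc/issue.net' 'AllowGroups ssh_login' \
        'AuthenticationMethods publickey,keyboard-interactive' \
        'Match User backup' '    PasswordAuthentication yes' > "$d/sshd_config.good"
    # bad: an uncommented "yes" above the patched line wins (first match)
    { echo 'PasswordAuthentication yes'; cat "$d/sshd_config.good"; } > "$d/sshd_config.bad"
    printf '%s\n' '#@include common-auth' 'account required pam_nologin.so' \
        '@include common-account' '@include common-password' \
        'auth required pam_google_authenticator.so' > "$d/pam.good"
    printf '%s\n' '@include common-auth' 'account required pam_nologin.so' \
        '@include common-password' > "$d/pam.bad"
}

# On the real host:
#   check_sshd_hardening /etc/ssh/sshd_config /etc/pam.d/sshd && sshd -t && systemctl restart sshd
```

The sshd_config.bad sample shows the failure mode the check exists for: a single uncommented PasswordAuthentication yes above the patched line makes the patch a no-op without any error from sshd -t, which only validates syntax.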
Reference:

https://www.server-world.info/en/note?os=Ubuntu_18.04&p=httpd&f=1

Database Installation

Creating a database is relatively straightforward. The exceptions are when your installation puts mysql.sock somewhere the web server can't see it, or when the account uses MySQL 8's newer caching_sha2_password authentication and the application doesn't support it yet; creating the user with mysql_native_password avoids the latter.

mysql -u root -p   [ use the MySQL root password you set during the install ]
mysql> CREATE DATABASE suitecrm_db;
mysql> CREATE USER 'suitecrm'@'localhost' IDENTIFIED WITH mysql_native_password BY 'user_password';
mysql> GRANT ALL PRIVILEGES ON suitecrm_db.* TO 'suitecrm'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> SHOW GRANTS FOR 'suitecrm'@'localhost';   [ confirm the grant is limited to suitecrm_db.* ]

Apache Installation

Get a free but legitimate TLS certificate from Let's Encrypt. Stop Apache first, because the standalone authenticator needs port 80 to itself:

systemctl stop apache2
certbot certonly --standalone -d www.yourdomain.com

Renewal: Ubuntu's certbot package installs a systemd timer that runs certbot renew, but a certificate obtained with --standalone can only renew while port 80 is free, so add --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" to the command (the hooks are saved in the renewal config) or switch to the --webroot authenticator once Apache is serving the site. Test with certbot renew --dry-run.

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.yourdomain.com/privkey.pem
Your cert will expire on 2020-03-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Create a virtual host file

FILE: /etc/apache2/sites-available/001-suitecrm.conf

We set up port 80 with a redirect to 443.

# HTTP: redirect everything to HTTPS
<VirtualHost *:80>
    ServerName www.yourdomain.com
    ServerAdmin webmaster@www.yourdomain.com
    DocumentRoot /data/suitecrm/html
    ErrorLog ${APACHE_LOG_DIR}/www.yourdomain.com/error.log
    CustomLog ${APACHE_LOG_DIR}/www.yourdomain.com/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.yourdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# HTTPS server
<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAdmin webmaster@www.yourdomain.com
    DocumentRoot /data/suitecrm/html
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/www.yourdomain.com/error.log
    CustomLog ${APACHE_LOG_DIR}/www.yourdomain.com/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
    # Protocol and cipher settings written by certbot's Apache plugin. If the file
    # is missing after a --standalone run, set SSLProtocol/SSLCipherSuite here instead.
    Include /etc/letsencrypt/options-ssl-apache.conf
    # This path must match DocumentRoot, or none of these restrictions apply
    <Directory /data/suitecrm/html>
        # FollowSymLinks is required for the RewriteRules in SuiteCRM's .htaccess;
        # no directory listings, CGI or server-side includes
        Options +FollowSymLinks +MultiViews -Indexes -ExecCGI -Includes
        <IfModule mod_dav.c>
            DAV Off
        </IfModule>
        # SuiteCRM ships an .htaccess that needs AllowOverride All
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Activate the site. Make sure to enable the SSL and rewrite modules, and create the per-site log directory the vhost refers to (Apache will not create it and refuses to start without it).

mkdir -p /var/log/apache2/www.yourdomain.com
a2enmod rewrite ssl
a2ensite 001-suitecrm
a2dissite 000-default      # optional: stop the stock site answering on port 80
apachectl -t               # make sure you don't have typos
systemctl restart apache2

Put a quick test file into place to verify it all works:

cd ~suitecrm/html
cat > index.html
it works
[CTRL][D]
# After you verify it works, delete the index.html file.

SuiteCRM installation

Download the ZIP file SuiteCRM-7.11.10.zip and copy it to your user account.

scp SuiteCRM-7.11.10.zip www.yourdomain.com:~/

This file is a zip archive. You can unzip it on your local machine and use SFTP to push it up, or use the two-step method below to get rid of the enclosing directory.

# Assuming your zip file is in ~suitecrm
# Remove the html directory first; be careful
cd ~suitecrm
rm -rf html
unzip SuiteCRM-7.11.10.zip
mv SuiteCRM-7.11.10 html
# Quick start: this lets the web server (via the suitecrm group) write to the
# whole tree, which the installer needs; tighten it to the writable directories
# only before going into production.
chmod -R 775 html
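chmod -R 775 over the whole tree hands www-data write access to every PHP file, so a bug in the application becomes a persistent code-modification primitive. Once the browser installer has run (it writes config.php and .htaccess into the root, so it needs the broad permissions above for that one step), restrict group write to the paths the requirements list above says must be writable. The script below is an added example, not from the article or the SuiteCRM project; it assumes the files are owned by suitecrm:suitecrm with www-data in the suitecrm group as set up earlier, and the inclusion of themes and config_override.php in the writable set comes from SuiteCRM's upstream install documentation rather than from this page.

```shell
#!/bin/sh
# Added example: least-privilege permissions for a SuiteCRM tree.
# Assumes owner suitecrm, group suitecrm, with www-data a member of that group.
# Only paths SuiteCRM must write get group write; the rest is read-only for
# the web server. Run after the browser installer has finished.
set -eu

# Writable directories from the requirements list above; "themes" and
# "config_override.php" are taken from SuiteCRM's upstream install docs.
SUITECRM_WRITABLE="cache custom modules upload data themes"
SUITECRM_WRITABLE_FILES="config.php config_override.php"

# Portable numeric mode (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

set_suitecrm_perms() {   # set_suitecrm_perms <suitecrm-root>
    local root="$1" d f
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    # Everything read-only for group and other; execute bit only on directories
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Writable subtrees: the group (www-data) may create and modify files
    for d in $SUITECRM_WRITABLE; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 775 {} +
        find "$root/$d" -type f -exec chmod 664 {} +
    done
    for f in $SUITECRM_WRITABLE_FILES; do
        [ -f "$root/$f" ] && chmod 664 "$root/$f"
    done
    return 0
}

# Audit: list anything group- or world-writable outside the allowed paths.
# Returns 1 (and prints the offenders) if the web server could still write
# to application code.
check_suitecrm_perms() {   # check_suitecrm_perms <suitecrm-root>
    local root="$1" bad
    bad=$(find "$root" -mindepth 1 \( -perm -g+w -o -perm -o+w \) \
          | sed "s#^$root/##" \
          | grep -Ev '^(cache|custom|modules|upload|data|themes)(/|$)|^config(_override)?\.php$' || true)
    [ -z "$bad" ] && return 0
    printf 'writable outside allowed paths:\n%s\n' "$bad" >&2
    return 1
}

# On the real host (as root, after the installer has run):
#   set_suitecrm_perms /data/suitecrm/html && check_suitecrm_perms /data/suitecrm/html
```

Run check_suitecrm_perms again after every upgrade or module install: the upgrade wizard and module loader write into modules and custom as expected, but anything that lands writable elsewhere is worth a look.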

Go to https://www.yourdomain.com/ and the SuiteCRM installer will walk you through the rest, using the database name, user and password created above.

A few more things to do; almost there. Some final housekeeping issues.

Add the cron job to the crontab of the user that owns the files (crontab -u suitecrm -e). SuiteCRM's cron.php checks the invoking OS user against the allowed_cron_users list in config.php, so add suitecrm there if the scheduler reports that cron is not running.

# m h  dom mon dow   command
* * * * * cd /data/suitecrm/html && php -f cron.php > /dev/null 2>&1

Modify php.ini

vi /etc/php/7.2/apache2/php.ini

change:

; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 2M

to:

; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 10M

post_max_size must be at least as large (its default is 8M), and Apache needs a restart (systemctl restart apache2) for the change to take effect.

Configure your email server:

https://www.yourdomain.com/index.php?module=EmailMan&action=config

At this point, the installation is complete. We spent some extra time to put a little security in place. If you would like to enable SSO for your small business. JumpCloud provides SAML/SSO for ten users for free.

The SSO configuration with SAML2 did not work as expected. I have opened an issue with SuiteCRM. Once, I have additional information. I will update this article.

Colin Bitterfield

NIST certified Security Professional | 10+ years experience in infrastructure security and compliance | Experienced in creating security programs.