General Security

Securing file permissions

This section describes the best way to secure your filesystem.

  1. Create a new deskpro user on your server.
  2. Change the owner of all files to the deskpro user. For example, on Linux:

chown -R deskpro:deskpro /path/to/deskpro

     Then remove write permission for everyone except the owner on all files and directories. Run these from inside /path/to/deskpro; files under bin/ are skipped so they keep their execute bit:

find . -type d -print0 | xargs -0 chmod 755
find . -type f -not -path "*/bin/*" -print0 | xargs -0 chmod 644

  3. The web server still needs to write to a few specific directories, so you need to make them writable:

chmod -R 0777 /path/to/deskpro/attachments /path/to/deskpro/var


Note that 0777 makes these directories writable by every account on the server, not just the web server. If you want to secure permissions further, use groups or ACLs so that only deskpro and your web server user (e.g. www or nobody) can write to these directories, instead of making them world-writable as shown above.

  4. Next, re-configure the scheduled tasks that handle automatic updates. Your existing scheduled task runs as the web server user, which can no longer write to the Deskpro files, so the updater would fail with a permission error.

     You therefore need a second task that performs only the update step and runs as the deskpro user you just created:

     • Edit the scheduled task you already have configured on your server. Its command will be bin/cron. Change it to bin/cron --no-auto-updater
     • Create a NEW scheduled task that runs every minute as your deskpro user, with the command bin/cron --auto-updater

     For example, here's what /etc/crontab might look like:

* * * * * www-data /opt/deskpro/bin/cron --no-auto-updater
* * * * * deskpro  /opt/deskpro/bin/cron --auto-updater
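The following script is an added example, not code from the Deskpro documentation or product. It applies the whole procedure above in one place and, for step 3, grants write access to the web server user with an ACL instead of chmod -R 0777, then audits the tree for anything still world-writable. The install path /opt/deskpro, the account names deskpro and www-data, and the decision to set files under bin/ to 755 (the page leaves them untouched) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not Deskpro's own code: apply the permission scheme above
# without leaving attachments/ and var/ world-writable. The root path, the
# deskpro account and the web server account (www-data) are assumed names.
set -euo pipefail

# Steps 1-2: deskpro owns everything; directories 755, files 644.
# The page leaves bin/ untouched; here bin/ files are set to 755 so the
# launchers stay executable but lose group/world write.
harden_tree() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -path "*/bin/*" -exec chmod 644 {} +
  find "$root" -type f -path "*/bin/*" -exec chmod 755 {} +
}

# Step 3, ACL variant: instead of chmod -R 0777, grant only the web server
# user read/write (and traverse on directories) for the writable paths.
# The default (-d) entry makes files the web server creates later inherit
# the same access.
grant_web_write() {
  local web_user="$1"; shift
  local dir
  for dir in "$@"; do
    setfacl -R -m "u:${web_user}:rwX" "$dir"
    setfacl -R -d -m "u:${web_user}:rwX" "$dir"
  done
}

# Audit: anything still world-writable under the tree is a leftover to fix
# (symlinks are skipped; their mode bits are meaningless).
find_world_writable() {
  find "$1" ! -type l -perm -0002 -print
}

# Full run (needs root), e.g.: harden_deskpro /opt/deskpro deskpro www-data
harden_deskpro() {
  local root="$1" owner="$2" web_user="$3"
  chown -R "${owner}:${owner}" "$root"
  harden_tree "$root"
  grant_web_write "$web_user" "$root/attachments" "$root/var"
  if [ -n "$(find_world_writable "$root")" ]; then
    echo "world-writable entries remain under $root:" >&2
    find_world_writable "$root" >&2
    return 1
  fi
}

if [ "$#" -eq 3 ]; then
  harden_deskpro "$@"
fi
```

After running it, check the result with getfacl /opt/deskpro/attachments: the web server user should appear as a named user entry, and ls -ld should show 755 rather than 777. The cron change from step 4 is unaffected, because the --auto-updater task runs as the owner and needs no ACL.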

Server access

Ensure your various services (MySQL, mail, Elasticsearch, etc.) are not accessible from the internet.

For example:

  • Enable the firewall and only open specific service ports
  • For internally-used servers like MySQL, only allow access from machines that require it.
  • MySQL's own account management lets you restrict an account to specific hosts. For example, if MySQL is only used locally on the same server as Deskpro, create the user 'deskpro'@'localhost'. The localhost part means the account can only connect from that machine; the same credentials are rejected from any other host.
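The script below is an added example, not from the Deskpro documentation. It shows the host-restricted account beside the weak wildcard form, a firewall rule for the case where a separate application host must reach MySQL, and an audit filter that flags every account MySQL would accept from another machine. The database name deskpro, the application host 10.0.0.5, the root login and the iptables syntax are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the Deskpro docs: restrict MySQL to local use and
# audit for accounts that can connect from other hosts. The database name
# "deskpro", the application host 10.0.0.5 and the root login are assumed.
set -euo pipefail

# The host part of the account decides where the password is accepted from.
# 'deskpro'@'%' is valid from any host that can reach port 3306;
# 'deskpro'@'localhost' is valid only on the machine MySQL runs on, and the
# same password is rejected from anywhere else. (Not run by the test.)
create_local_deskpro_user() {
  local password="$1"
  mysql -u root -p <<SQL
-- weak: CREATE USER 'deskpro'@'%' IDENTIFIED BY '...';
CREATE USER 'deskpro'@'localhost' IDENTIFIED BY '${password}';
GRANT ALL PRIVILEGES ON deskpro.* TO 'deskpro'@'localhost';
FLUSH PRIVILEGES;
SQL
}

# Audit: read "user<TAB>host" lines, as produced by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# and print every account whose host is not the local machine. A wildcard
# such as '%' or '10.0.0.%' shows up here because it is not an exact local host.
nonlocal_accounts() {
  awk -F '\t' '$2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# Firewall: when a separate application host must reach MySQL, allow only
# that host on 3306 and drop everyone else (iptables syntax, needs root).
# If MySQL is only used locally, also set bind-address = 127.0.0.1 in my.cnf
# so the listener never accepts remote connections at all.
restrict_mysql_port() {
  local app_host="$1"
  iptables -A INPUT -p tcp --dport 3306 -s "$app_host" -j ACCEPT
  iptables -A INPUT -p tcp --dport 3306 -j DROP
}
```

Usage: mysql -N -B -e "SELECT user, host FROM mysql.user" | nonlocal_accounts prints the accounts to review; an empty result means every account is bound to the local machine.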

Enable IP Whitelisting

Enable IP Whitelisting in Admin > Agents > Settings.


Install intrusion-detection software such as OSSEC.

This class of software helps you monitor files and log files so you can be notified when something changes.

Force global password reset

There may be situations where you want to force all your users and/or agents to reset their helpdesk passwords. This can be done with a single command:

bin/console dp:require-password-reset <opt>

Replace the <opt> parameter with one of these options to define who is affected by the change:

  • agents -- agents only
  • admins -- admins only
  • users -- users only
  • all -- every user in the system

After the command runs, the next login attempt by an affected person is blocked and a password reset email is sent to their address. The person then needs to click the token link in that email to set a new password.

If the person cannot access their email, an agent can carry out the password reset for them. When using this method, the person will not be able to use their previous password.

First published: 21/03/2017

Last updated: Mar 17, 2020 by Colin Dunn