Securing Odoo logins with fail2ban
Security is an important part of any (Odoo) deployment. Like most applications exposed to the internet, Odoo instances are constantly probed by attackers, and the login form is an obvious target: sooner or later somebody will try to brute-force or guess their way into your Odoo instance. A third-party tool named fail2ban protects against this. Fail2ban watches the application log for failed login attempts and automatically blocks the source IP address once the number of failures within a time frame exceeds a threshold.
In this tutorial you will learn how to set up fail2ban in combination with Odoo. We'll create a configuration that blocks an IP address for 15 minutes when it fails to log in more than 5 times within 1 minute.
The first step is to install the third-party package fail2ban. Log in to your server and install the package from the command line (Debian/Ubuntu shown):
sudo apt install fail2ban
Fail2ban ships with a default configuration file, jail.conf, that contains the basic config. Fail2ban reads jail.conf first and then jail.local, and settings in the .local file override the defaults, so jail.conf itself is never edited (it is replaced on package upgrades). Copy it so we can create our own configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now open this file in your editor so we can modify it:
sudo nano /etc/fail2ban/jail.local
Go to the end of the file; we add our own configuration there. Add this block to jail.local (it is explained afterwards):
[odoo-login]
enabled = true
port = http,https
# 15 min ban
bantime = 900
# if 5 attempts
maxretry = 5
# within 1 min
findtime = 60
logpath = /var/log/odoo/odoo-server.log
So what exactly does this mean? Let us go over it line by line. [odoo-login] opens a new jail and gives it a name. enabled = true switches the jail on. port = http,https tells the ban action which ports to block for the offending IP; if your users reach Odoo directly on its own port (8069 by default) instead of through a reverse proxy on 80/443, add that port here, otherwise the ban blocks nothing useful. bantime = 900 is how long the IP stays banned, in seconds (15 minutes). maxretry = 5 is the number of failures that triggers a ban, and findtime = 60 is the window, in seconds, in which those failures must occur (1 minute). logpath is the Odoo log file that fail2ban watches; it must match the logfile setting in your Odoo configuration, and Odoo must actually be logging to a file rather than only to stdout.
Now that we have a configuration saying when an IP should be banned, we need to tell fail2ban which log lines count as a failure. By default a jail uses a filter with the same name as the jail, so fail2ban will look in /etc/fail2ban/filter.d/ for a filter named odoo-login. Create a new file named 'odoo-login.local' with nano:
sudo nano /etc/fail2ban/filter.d/odoo-login.local
In this new file we need to give a definition so that fail2ban knows what to look for in the Odoo logfile. Add the following code to your file:
[Definition]
failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>
ignoreregex =
This failregex is a regular expression that matches the line Odoo writes to its log when a login fails. Fail2ban strips the timestamp from each line before matching, which is why the pattern starts with a space and the process ID (\d+) rather than a date; \S+ \S+ then covers the database name and the logger name, and <HOST> is fail2ban's placeholder for the client address, which is the address that gets banned. Two caveats: the exact message text varies between Odoo versions, so compare the pattern against a real failed-login line in your own log before relying on it; and if Odoo sits behind a reverse proxy (nginx, Apache), the logged address is the proxy's unless proxy_mode = True is set in the Odoo configuration and the proxy forwards the client address in X-Forwarded-For, otherwise fail2ban would ban the proxy instead of the attacker. Now save the file and close it.
That's it! You have now done all the configuration you need. Restart the fail2ban service so that the new jail and filter are loaded:
sudo fail2ban-client restart
You can now test your fail2ban configuration by quickly trying to log in with an invalid password at least 6 times. Once you have passed the configured maxretry, you won't be able to reach Odoo from that IP address for the next 15 minutes, not even with a valid login, because the ban applies to the source address rather than to the account. Test from a machine you can afford to lock out for a quarter of an hour.
Securing your Odoo deployments against brute-force attacks is literally a few minutes of work thanks to fail2ban, so do it on every Odoo you manage. Keep in mind what it is, though: a rate limit on a single source address. A distributed attack from many IPs, or a slow one that stays below maxretry per findtime, still gets through, so it complements strong passwords rather than replacing them.
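To see what the jail and filter above do before touching a live server, here is an added example (written for this page, not part of the original tutorial or of fail2ban) that emulates fail2ban's matching and counting in Python over a constructed Odoo log: the failregex is applied after the timestamp is stripped, the way fail2ban does it, and failures per source address are counted inside the findtime window. The sample log lines, the `HOST_RE` stand-in for fail2ban's `<HOST>` expansion and the helper names are all assumptions made here. It also goes a step beyond the page by comparing the intended `findtime = 60` with a much longer window (7260 seconds) to show how the window length decides whether a slow, legitimate user gets caught.

```python
import re
from datetime import datetime, timedelta

# Jail settings from jail.local: 5 failures within 60 s -> 15 min ban.
MAXRETRY = 5
FINDTIME = 60   # seconds
BANTIME = 900   # seconds

# The failregex from filter.d/odoo-login.local. fail2ban strips the timestamp
# before matching and expands <HOST> into its own address pattern; HOST_RE is a
# simplified stand-in (IPv4/IPv6 literals only) for that expansion. Assumption.
FAILREGEX = r"^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>$"
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Odoo's default log prefix: "YYYY-MM-DD HH:MM:SS,mmm PID LEVEL DBNAME LOGGER: MESSAGE".
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")


def parse_failure(line):
    """Return (timestamp, host) for an Odoo failed-login line, or None otherwise."""
    m = DATE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    rest = line[m.end():]              # what fail2ban matches failregex against
    fm = FAIL_RE.match(rest)
    if not fm:
        return None
    return stamp, fm.group("host")


def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Emulate the jail: ban a host once maxretry failures fall within findtime seconds.

    Returns {host: time_of_ban}. Failures older than findtime drop out of the
    window, which is why slow guessing below the rate never trips the jail.
    """
    window = {}
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        stamp, host = hit
        recent = [t for t in window.get(host, []) if stamp - t <= timedelta(seconds=findtime)]
        recent.append(stamp)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned[host] = stamp
    return banned


# --- constructed sample log in Odoo's default format (not from a real server) ---
def odoo_line(clock, message, logger="odoo.addons.base.models.res_users"):
    return f"2024-03-01 {clock},000 1234 INFO prod {logger}: {message}"


def failed_login(clock, host, login="admin"):
    return odoo_line(clock, f"Login failed for db:prod login:{login} from {host}")


SAMPLE_LOG = [
    # an attacker cycling through usernames: 5 failures in 11 seconds
    failed_login("09:00:01", "203.0.113.7"),
    odoo_line("09:00:02", '203.0.113.7 - - [01/Mar/2024 09:00:02] "POST /web/login HTTP/1.1" 200 -',
              logger="werkzeug"),                       # request log line, must not match
    failed_login("09:00:03", "203.0.113.7", "root"),
    failed_login("09:00:05", "203.0.113.7", "odoo"),
    failed_login("09:00:08", "203.0.113.7", "administrator"),
    failed_login("09:00:12", "203.0.113.7", "test"),
    # a real user with two typos
    failed_login("09:05:00", "198.51.100.23", "alice"),
    failed_login("09:05:30", "198.51.100.23", "alice"),
    # a forgetful user failing once every five minutes
    *[failed_login(f"09:{m:02d}:00", "192.0.2.9", "bob") for m in (10, 15, 20, 25, 30)],
]

if __name__ == "__main__":
    for host, when in banned_hosts(SAMPLE_LOG).items():
        print(f"findtime=60:   {host} banned at {when:%H:%M:%S} for {BANTIME}s")
    # With a 7260 s window the slow user bob is banned as well.
    for host, when in banned_hosts(SAMPLE_LOG, findtime=7260).items():
        print(f"findtime=7260: {host} banned at {when:%H:%M:%S} for {BANTIME}s")
```

On the server itself the equivalent check against the real log is `sudo fail2ban-regex /var/log/odoo/odoo-server.log /etc/fail2ban/filter.d/odoo-login.local`, which reports how many lines the failregex matched and which addresses it extracted; run it before enabling the jail so that a message-format mismatch or a proxy address shows up there rather than as a silent jail. After the live test, `sudo fail2ban-client status odoo-login` lists the banned IPs and `sudo fail2ban-client set odoo-login unbanip <IP>` lifts a ban early.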