Securing Odoo logins with fail2ban
Security is an important part of your (Odoo) deployments. As with most online applications these days most of them are constantly being targetted by hackers. The same applies for Odoo logins. The possibility that somebody tries to bruteforce/guess himself into your Odoo instance is there. Thanks to a third party application named fail2ban we can secure our Odoo from this though. Fail2ban keeps track of login attempts and can automatically block login attempts based on the amount of attempts within a timeframe.
In this tutorial you will learn how to setup fail2ban in combination with Odoo. We’ll setup a configuration that automatically blocks login attempts for 15 minutes when the login failed more than 5 times within 1 minute.
2. Installing fail2ban and copying the config file
The first step is to install the third party package fail2ban. Login to your server and install the package from the command line:
sudo apt install fail2ban
Fail2ban has a default configuration file that contains the basic config. Copy this file so we can create our own configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now open this file in your editor so we can modify it:
sudo nano /etc/fail2ban/jail.local
Go to the end of the file. We should add our own configuration here. Add this example code to the jail.local and I’ll explain it afterwards:
[900 ; 15 min banmaxretry = 5 ; if 5 attemptsfindtime = 7260 ; within 1 minlogpath = /var/log/odoo/odoo-server.log]enabled = trueport = http,httpsbantime =
So what exactly does this mean? Let us go over it line by line.
- enabled: means that this configuration rule will be active.
- port: means that the rule will apply on both http and https connections.
- bantime: will tell Odoo/fail2ban how long to prevent login attempts from that IP. This time is in seconds.
- maxretry: the amount of failed attempts before this rule blocks the IP.
- findtime: time in seconds in which the retries are counted. The number 7260 is to offset the difference between the Odoo logfiles (in UTC) and the fail2ban time (local time).
- logpath: the location to the logfile of your Odoo instance.
Now save your file and close it.
3. Adding a fail2ban definition
Now that we have a configuration saying when the IP should be banned we need to tell fail2ban the condition that it should look for. Create a new file named ‘odoo-login.local’ with nano:
sudo nano /etc/fail2ban/filter.d/odoo-login.local
In this new file we need to give a definition so that fail2ban knows what to look for in the Odoo logfile. Add the following code to your file:
[for db:\S+ login:\S+ from ignoreregex =]failregex = ^ \d+ INFO \S+ \S+ Login failed
This failregex is basically a regular expression that matches the exact output that Odoo adds in its logfile if a login has failed. Now save the file and close it.
4. Restarting fail2ban
That’s it! You’ve already did all the configuration that you need. Now restart the fail2ban service so that our new configuration is loaded and applied to fail2ban:
sudo fail2ban-client restart
You can now test your fail2ban configuration by quickly trying to login with an invalid password for atleast 6 times. If you try to login after you’ve passed the configured maxretry you won’t be able to login for the next 15 minutes. Not even with a valid login.
Securing your Odoo deployments again brute force attacks is literally a few minutes of work thanks to fail2ban. You should try to do this on any Odoo you have. These days security is a vital part of managing your online servers. Configuring fail2ban in combination with Odoo is fast and easy so be sure to do it on all your deployments.