Help

4

Fail2ban not detecting failing logins from Odoo 11 log

Hi there,

Recently Odoo has made a commit to improve the way failing logins are handled. Thanks to this commit it should be possible to configure and use fail2ban security very easily in V11. This fix was introduced at https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29 
No matter what I try the Fail2ban does not seem to detect the logfile changes and does not invoke the auto ban functionalities. This is how I've configured fail2ban:

1. Install fail2ban:

sudo apt-get install fail2ban

2. Copy the default fail2ban file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Add in the file:

[odoo-login]
    enabled = true
    port = http,https
    bantime = 900  ; 15 min ban
    maxretry = 4  ; if 4 attempts
    findtime = 600  ; within 10 min
    logpath = /var/log/odoo11/odoo11-server.log

4. Create a custom filter.d record:

nano /etc/fail2ban/filter.d/odoo-login.local

5. Add in the following content:

[Definition]
    failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>
    ignoreregex =

6. Reload fail2ban:

sudo fail2ban-client reload


However when I now make multiple failing logins within a minute nothing is being logged in /var/log/fail2ban.log.
The Odoo log contains new lines that show the failing logins and I do see the configuration is loaded and applied for fail2ban:

2018-05-29 09:08:18,601 fail2ban.actions        [1048]: INFO    Set banTime = 900
2018-05-29 09:08:18,605 fail2ban.filter         [1048]: INFO    Set maxRetry = 4
2018-05-29 09:08:18,605 fail2ban.filter         [1048]: INFO    Set jail log file encoding to UTF-8
2018-05-29 09:08:18,613 fail2ban.filter         [1048]: INFO    Added logfile = /var/log/odoo11/odoo11-server.log
2018-05-29 09:08:18,617 fail2ban.filter         [1048]: INFO    Set findtime = 600
2018-05-29 09:08:18,636 fail2ban.jail           [1048]: INFO    Jail 'sshd' started
2018-05-29 09:08:18,655 fail2ban.jail           [1048]: INFO    Jail 'odoo-login' started
Does anybody have any idea what I am missing or what might be wrong?

Regards,
Yenthe


Avatar
Discard
23 Answers
1
Best Answer

Hi all,

There are already two answers but I was not able to pinpoint the issue with both. Here are the steps to configure fail2ban with Odoo:

1. Install fail2ban:

sudo apt-get install fail2ban

2. Copy the default jail.conf file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3. Edit the copied file:
sudo nano /etc/fail2ban/jail.local

4. Add the following code at the end of the file and then save it:

[odoo-login]
enabled = true
port = http,https
bantime = 90000  ; 15 min ban
maxretry = 5  ; if 5 attempts
findtime = 7260  ; within 1 min - by default fail2ban is in local time so 1h diff
logpath = /var/log/odoo/odoo-server.log ; be sure it matches with your logfile location
5. Create an odoo-login local file:
/etc/fail2ban/filter.d/odoo-login.local

6. Add in the following definition in the file:

[Definition]
failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>
ignoreregex =
7. Restart the fail2ban client:
sudo fail2ban-client restart

If you would now make more than 5 invalid login attempts you'll see a notice with a "BAN" in the logfile of the fail2ban log. See /var/log/fail2ban.log

Regards,
Yenthe

Avatar
Discard
0
Avatar
Roberto Barreiro
Best Answer

In my case, seems that fail2ban option logtimezone = UTC doesn't works. I'm at GMT+2, and setting findtime = 10800 (3 hours) at odoo jail, solves the issue.

Avatar
Discard
0
Avatar
Ryanto The
Best Answer

Telling fail2ban that odoo log is in UTC is better than adding time difference to bantime and/or findtime. I use the following conf in jail.local file. (Tested on Odoo v11 and Fail2ban v0.10.2)

[odoo-login]
enabled = true
port = http,https
bantime = 15m ; this syntax only works on fail2ban v0.10, else use number in seconds
maxretry = 5 ; if 5 attempts
findtime = 1m ; within 1 min
logpath = /var/log/odoo/odoo-server.log ; be sure it matches with your logfile location
logtimezone = UTC ; tell fail2ban that odoo log time is in UTC
Avatar
Discard
0
Avatar
Lewi S. Kristianto
Best Answer

experiencing this also, in environment centos 7, but found out that checking regex in https://regexr.com/ worked, 

seem fail2ban not recognize \S+
# fail2ban-regex  -v "/var/log/messages" "/etc/fail2ban/filter.d/odoo-login.conf"
-> not working

need to modify /etc/fail2ban/filter/odoo-login.conf:
[Definition]
#string log -> Oct  7 14:07:38 support journal: Odoo Server 12.0:HR:INFO:odoo.addons.base.models.res_users:Login failed for db:HR login:123 from x.x.x.x
#failregex = ^ \d+ INFO \S+ \S+Login failed for db:\S+ login:\S+ from <HOST>
failregex :Login failed for db:\S+ login:\S+ from <HOST>$
ignoreregex =

file /etc/fail2ban/jail.d/odoo-login.conf
[odoo-login]
enabled = true
filter = odoo-login
action = iptables-multiport-tcp[name=odoo-login, port="80,443", protocol=tcp]
                mail-whois-lines[name=odoo-login, dest=root, sender=fail2ban]
logpath = /var/log/messages
findtime = 7200
bantime = 7200
maxretry = 10

in /etc/odoo12.conf, require to add:
syslog = True

Avatar
Discard
0
Avatar
Mag. Wolfgang Taferner
Best Answer

Possible pitfalls for fail2ban and Odoo.

  • log file is too big

  • regex does not match

Test your regex and logfile with the command underneath and you should get back the proper results

fail2ban-regex -v "your_logfile" "/etc/fail2ban/filter.d/odoo.conf"

Avatar
Discard
0
Best Answer

The regex expression does not match. Try the following with a regex tester:

INFO \S+ \S+ Login failed for db:\S+ login:\S+
17 Comments
Avatar
Discard
Avatar
Ermin Trevisan
-

In my Odoo log I do not have "from <host>" at the end of the line.

Did you test on an 11.0 with the commit from https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29 though? It has only been introduced 13 days ago

Avatar
Ermin Trevisan
-

I did test with the latest nightly build (deb).

Avatar
Ermin Trevisan
-

...from today, I meant.

Hmm, odd :-/ I do see it logged in the Odoo log, fail2ban just doesn't seem to detect it.

Avatar
Ermin Trevisan
-

Sorry for the noise, now I see it also, after a -u all, finally.

Avatar
Ermin Trevisan
-

Did you try this: https://fail2ban.readthedocs.io/en/latest/filters.html#developing-testing-a-regex ?

I will try to set up the same this evening when I'll have figured out how to do it with a remote proxy server.

Hey Ermin - did you get around to this? I did two more attempts in the evenings but I still haven't figured out my mistake :-)

Up untill now I was not able to get it working sadly.

Avatar
Bill Ennals
-

Hi Yenthe. I thought I would comment that I tried setting this up according to the instructions from the github link you posted and it seems to work fine. I'm not a coder or sysadmin really so I'm not sure I can help, but if you can think of any info that might help, ask away.

Avatar
Bill Ennals
-

...also, I tried the regex test as suggested by Mag. Wolfgang Taferner above and got plenty of hits. Have you tried that?

I did try the regex from Wolfgang but that didn't work either. So with the message from Olivier Dony (https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29) you where able to configure it? Did you see a difference with your deployment and my steps?

Avatar
Bill Ennals
-

Yes, that's right. In the Odoo section of my jail.local file I have a line pointing to the filter (odoo-server.conf in my case) to use - "filter = odoo-server" - which I don't see in your step 3. above, though that wouldn't explain why the fail2ban-regex test is failing.

Here is a line from my odoo-server log that get's picked up by the fail2ban-regex test:

2019-01-19 03:21:34,708 1618 INFO test odoo.addons.base.res.res_users: Login failed for db:test login:a;sldfkj from 123.175.237.239

...and here is the filter that detects the failed login in the fail2ban-regex test in my installation.

# fail2ban filter configuration for odoo (on nginx)

[Definition]

failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>

ignoreregex =

Avatar
Bill Ennals
-

...perhaps if you use those two things and the fail2ban-regex test doesn't register a hit, there is something awry with your fail2ban install?

Thanks Bill - guess I have to setup a new test environment and test your ideas :)

Avatar
Bill Ennals
-

ok, good luck. FYI I used your script (actually the latest big update version from Chris001) to install 11 CE on an AWS t2-micro server with Ubuntu 16.04 and Nginx as reverse proxy.