Hi community, I've been using Odoo v8 for a while, and recently when I read the log and found it was under serious attack. I used Cloudflare which I don't know much and just noticed when Cloudflare is turned on, I can't edit my website. I know it is recommened to install Nginx ans SSL certificate. Is that the only solution? Will that affect editing website? What's your suggestion to increase the security of Odoo? Cheers
Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:
- CRM
- e-Commerce
- Accounting
- Inventory
- PoS
- Project management
- MRP
This question has been flagged
2
Replies
22141
Views
From our vast experience on Odoo implementations so far, we suggest following steps to secure your Odoo.
Set private ssh key for your Odoo server.
Start your Odoo in SSL mode.
Install Nginx in your Ubuntu Server.
Stop access of all unnecessary ports from firewall of your Ubuntu Server.
Set proper data access rights & access rules into your Odoo instance.
Set proper authentication method for your PostgreSQL database user.
Set tricky password for PostgreSQL user.
Apply encryption on Database and Odoo user passwords.
Set Tricky password for Super Admin.
Request all your ERP users to set difficult password.
Give FTP access for your ERP users and don't allow them to create files out of their directory on your Ubuntu Server.
Set proper access rights on your custom addons and default Odoo addons via chmod and chown commands.
Have a look on /var/log/postgresql/postgresql-9.1-main.log file for malware attack on your database.
Manage your Odoo log file properly.
Transfer database & custom addons backup to remote place at frequent amount of time.
Change and set tricky password for detault postgres user in your database server.
Stop xmlrpc if you don't want your ERP to connect from 3rd party systems. ( set xmlrpc=False in your config file )
Remove "Manage Database" link from home page of your live Odoo instance. ( it's suggestion only )
Ignore installation of Odoo where multiple other websites are hosted.
We highly recommend to ignore creation of any kind of demo database in Live Odoo instance.
Ignore to host your Odoo in Web hosting servers, always host Odoo in trusted VPS sites. ( Amazon, Raskspace, DigitalOcen, Myhosting etc..)
Monitor Incoming and outgoing TCP/IP traffics in your Ubuntu Server. Few of our customers for whom we have implemented Odoo for more then 150+ users, they hired their own server administrator to monitor incoming and outgoing TCP/IP traffics. ( Visit this link )
Never give full access of your server to your Odoo service providers, always give them folder access of their own custom addons with their separate user. ( It's advisable to not share root user password to anyone. )
If customer can afford healthy cost, we always suggest them to set up their own in-house hosting server instead of VPS.
You can direct ask any Odoo related problem to us via a tweet. Tweet us to @EmiproTech
Very good list and arguments. I'd like to argue about the fact from an in-house hosting server though. Why would that be better than a VPS that usually has a lot of pre-configgured security measures?
Off course VPS is good choice but for highly secured data and in big projects our customers prefers their own server instead of VPS. Another problem we have observed is some cheapest VPS gets shutdown automatically so Odoo automatic processes gets disturbed..
many thanks for such a good synthesis, voted!
Thanks @August & @Yenthe
I think that this question and answer is eligible to be added to the standard odoo documentation.
The clue is to never go with very cheap VPS'es, they have poor performance and poor uptimes. :) But really a +1 for this great list!
@Yenthe, Please write in a note ( I will sign on that note ) "In near by future Odoo will face 2 mejor issues Server security and Database performance issues & Speed optimization issues." Emipro is very much sincere and we have started our thinking in those direction
Very good security list, just add that SFTP is more secured than FTP and you could find scriptable solutions out there or customize your own based on paramiko like I did with https://github.com/aek/solt_sftp
ok
Hi
Here are some tips on how to increase the security of Odoo:
- Need to Update Odoo: Odoo regularly releases security patches to fix known vulnerabilities. It is important to keep your Odoo instance up to date to reduce the risk of being exploited by attackers.
- Use Unique and Strong passwords: We can use strong, unique passwords for all Odoo accounts, and regularly update our own passwords. You can use a password manager to generate and store strong passwords.
- Use two-factor authentication (2FA): 2FA adds an extra layer of security to your Odoo accounts by requiring you to enter a code from your phone in addition to your password when logging in.
- Restrict access to Odoo: Only grant access to Odoo to users who need it. You can use Odoo's user roles and permissions system to restrict access to specific features and data.
- Monitor your Odoo logs: Regularly review your Odoo logs for suspicious activity. This can help you to identify and respond to security threats early.
- Have a backup plan: In the event of a security breach, it is important to be able to restore your Odoo system from a backup. Make sure to have a regular backup plan in place.
- Use a VPN to connect to Odoo: A VPN encrypts your traffic, making it more difficult for attackers to intercept your data.
- Use a web application firewall (WAF): A WAF can help to protect your Odoo website from common web attacks.
- Implement security awareness training for your employees: Educating your employees about security best practices can help reduce the risk of human error leading to a security breach.
@Emipro your note was right.