SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Accounting
Inventory
PoS
Project management
MRP

Take the tour

All Posts People Badges

Tags (View all)

CFDI4.0 CartaPorte Multiple-companies odoo.sh Group

About this forum

SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Security

1 Reply

632 Views

Russ Schneider

Odoo 12 CE, self hosted.

Note: seems to be same issue affecting: https://www\.odoo\.com/forum/help\-1/blocking\-fake\-orders\-spam\-bots\-brute\-force\-attack\-191040

Some\ has\ twice\ now\ has\ bombarded\ our\ Odoo\ installation\ and\ generated\ >\ 100\ fake\ orders\ within\ an\ hour\ as\ "Public\ User"\ $user\ is\ archived\ in\ the\ system,\ not\ active$\.

Sample\ of\ nginx\ access\ log\ $X's\ are\ my\ own$:

45\.227\.254\.6\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- uXdV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- wpYD\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- kGJU\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- bCnV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- UxfA\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- ygQE\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 1\-\- DXmb\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 2720\-\- aPsk\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL\-\- NFmu\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL\-\- cOxo\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL%2CNULL\-\- RKgJ\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"

This has happened twice now. How can I stop the fake orders from being generated? How can I be sure the injections are failing? Odoo is supposed to be secure against them.

Pete Charalampopoulos

In all version of Odoo on ubuntu you can install fail2ban and create a jail with the custom filter.

in the case above do the following (Assuming you have nginx)

1. install fail2ban

2. Create a Fail2ban filter for GET /shop/cart/update
nano /etc/fail2ban/filter.d/nginx-cart-update.conf

In the file add this lines:
[Definition]

failregex = ^<HOST> -.*"(GET|POST) /shop/cart/update.*$

3. Open or create the jail configuration file, e.g., nano /etc/fail2ban/jail.local, and add the following:

[nginx-cart-update]

enabled = true

port = http,https

filter = nginx-cart-update

logpath = /var/log/nginx/access.log # Update this if your access log is located elsewhere

maxretry = 5 # Adjust the threshold as needed

bantime = 3600 # Adjust the ban time as needed

4. Restart fail2ban

sudo systemctl restart fail2ban

Now, Fail2ban will monitor your Nginx logs and ban IPs that attempt multiple "GET /shop/cart/update" requests, which helps mitigate this brute-force attack.

Thank you
- Datalabsystems.com

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Related Posts	Replies	Views
Need Clarification for "base.user_root" and "base.user_admin" Solved xml Security	2 Sep 24	239
Odoo Source Code Protection source_code Security	2 Mar 24	2511
How do we restrict access to odoo instance to allow only certain devices (certain phones and PCs only) access Security	0 Dec 22	1592
Deny access to window action if not group Groups Security	0 Oct 21	1241
Access Rights Limitations record_rules Security access rights	2 Nov 24	69

This question has been flagged

Enjoying the discussion? Don't just read, join in!