Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
회계
재고 관리
PoS
프로젝트
MRP

All apps

모든 게시물 사용자 배지

태그 (모두 보기)

CFDI4.0 CartaPorte Multiple-companies email odoo.sh

게시판 정보

SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Security

1 회신

2494 화면

Russ Schneider

Odoo 12 CE, self hosted.

Note: seems to be same issue affecting: https://www\.odoo\.com/forum/help\-1/blocking\-fake\-orders\-spam\-bots\-brute\-force\-attack\-191040

Some\ has\ twice\ now\ has\ bombarded\ our\ Odoo\ installation\ and\ generated\ >\ 100\ fake\ orders\ within\ an\ hour\ as\ "Public\ User"\ $user\ is\ archived\ in\ the\ system,\ not\ active$\.

Sample\ of\ nginx\ access\ log\ $X's\ are\ my\ own$:

45\.227\.254\.6\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- uXdV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- wpYD\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- kGJU\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- bCnV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- UxfA\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- ygQE\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 1\-\- DXmb\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 2720\-\- aPsk\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL\-\- NFmu\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL\-\- cOxo\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL%2CNULL\-\- RKgJ\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"

This has happened twice now. How can I stop the fake orders from being generated? How can I be sure the injections are failing? Odoo is supposed to be secure against them.

Pete Charalampopoulos

In all version of Odoo on ubuntu you can install fail2ban and create a jail with the custom filter.

in the case above do the following (Assuming you have nginx)

1. install fail2ban

2. Create a Fail2ban filter for GET /shop/cart/update
nano /etc/fail2ban/filter.d/nginx-cart-update.conf

In the file add this lines:
[Definition]

failregex = ^<HOST> -.*"(GET|POST) /shop/cart/update.*$

3. Open or create the jail configuration file, e.g., nano /etc/fail2ban/jail.local, and add the following:

[nginx-cart-update]

enabled = true

port = http,https

filter = nginx-cart-update

logpath = /var/log/nginx/access.log # Update this if your access log is located elsewhere

maxretry = 5 # Adjust the threshold as needed

bantime = 3600 # Adjust the ban time as needed

4. Restart fail2ban

sudo systemctl restart fail2ban

Now, Fail2ban will monitor your Nginx logs and ban IPs that attempt multiple "GET /shop/cart/update" requests, which helps mitigate this brute-force attack.

Thank you
- Datalabsystems.com

토론이 재미있으신가요? 직접 참여해보세요!

지금 바로 가입하여 독점 서비스를 이용해보고 특별한 커뮤니티와 소통하세요!

가입

관련 게시물	답글	화면
Need Clarification for "base.user_root" and "base.user_admin" 해결 완료 xml Security	2 9월 24	2623
Odoo Source Code Protection source_code Security	2 3월 24	2511
How do we restrict access to odoo instance to allow only certain devices (certain phones and PCs only) access Security	0 12월 22	3274
Deny access to window action if not group Groups Security	0 10월 21	3112
Access Rights Limitations record_rules Security access rights	2 11월 24	2137

신고된 질문입니다

토론이 재미있으신가요? 직접 참여해보세요!