Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Księgowość
Zapasy
PoS
Projekt
MRP

All apps

Wszystkie posty Osoby Odznaki

Tagi (Zobacz wszystko)

CFDI4.0 CartaPorte Multiple-companies email odoo.sh

O tym forum

SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Security

1 Odpowiedz

2489 Widoki

Russ Schneider

Odoo 12 CE, self hosted.

Note: seems to be same issue affecting: https://www\.odoo\.com/forum/help\-1/blocking\-fake\-orders\-spam\-bots\-brute\-force\-attack\-191040

Some\ has\ twice\ now\ has\ bombarded\ our\ Odoo\ installation\ and\ generated\ >\ 100\ fake\ orders\ within\ an\ hour\ as\ "Public\ User"\ $user\ is\ archived\ in\ the\ system,\ not\ active$\.

Sample\ of\ nginx\ access\ log\ $X's\ are\ my\ own$:

45\.227\.254\.6\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- uXdV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- wpYD\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- kGJU\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- bCnV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- UxfA\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- ygQE\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 1\-\- DXmb\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 2720\-\- aPsk\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL\-\- NFmu\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL\-\- cOxo\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL%2CNULL\-\- RKgJ\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"

This has happened twice now. How can I stop the fake orders from being generated? How can I be sure the injections are failing? Odoo is supposed to be secure against them.

Pete Charalampopoulos

In all version of Odoo on ubuntu you can install fail2ban and create a jail with the custom filter.

in the case above do the following (Assuming you have nginx)

1. install fail2ban

2. Create a Fail2ban filter for GET /shop/cart/update
nano /etc/fail2ban/filter.d/nginx-cart-update.conf

In the file add this lines:
[Definition]

failregex = ^<HOST> -.*"(GET|POST) /shop/cart/update.*$

3. Open or create the jail configuration file, e.g., nano /etc/fail2ban/jail.local, and add the following:

[nginx-cart-update]

enabled = true

port = http,https

filter = nginx-cart-update

logpath = /var/log/nginx/access.log # Update this if your access log is located elsewhere

maxretry = 5 # Adjust the threshold as needed

bantime = 3600 # Adjust the ban time as needed

4. Restart fail2ban

sudo systemctl restart fail2ban

Now, Fail2ban will monitor your Nginx logs and ban IPs that attempt multiple "GET /shop/cart/update" requests, which helps mitigate this brute-force attack.

Thank you
- Datalabsystems.com

Podoba Ci się ta dyskusja? Dołącz do niej!

Stwórz konto dzisiaj, aby cieszyć się ekskluzywnymi funkcjami i wchodzić w interakcje z naszą wspaniałą społecznością!

Zarejestruj się

Powiązane posty	Odpowiedzi	Widoki
Need Clarification for "base.user_root" and "base.user_admin" Rozwiązane xml Security	2 wrz 24	2620
Odoo Source Code Protection source_code Security	2 mar 24	2511
How do we restrict access to odoo instance to allow only certain devices (certain phones and PCs only) access Security	0 gru 22	3274
Deny access to window action if not group Groups Security	0 paź 21	3108
Access Rights Limitations record_rules Security access rights	2 lis 24	2137

To pytanie dostało ostrzeżenie

Podoba Ci się ta dyskusja? Dołącz do niej!