Fail2ban not detecting failing logins from Odoo 11 log

Hi there,

Recently Odoo has made a commit to improve the way failing logins are handled. Thanks to this commit it should be possible to configure and use fail2ban security very easily in V11. This fix was introduced at https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29
No matter what I try the Fail2ban does not seem to detect the logfile changes and does not invoke the auto ban functionalities. This is how I've configured fail2ban:

1. Install fail2ban:

sudo apt-get install fail2ban

2. Copy the default fail2ban file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Add in the file:

[odoo-login]
    enabled = true
    port = http,https
    bantime = 900  ; 15 min ban
    maxretry = 4  ; if 4 attempts
    findtime = 600  ; within 10 min
    logpath = /var/log/odoo11/odoo11-server.log

4. Create a custom filter.d record:

nano /etc/fail2ban/filter.d/odoo-login.local

5. Add in the following content:

[Definition]
    failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>
    ignoreregex =

6. Reload fail2ban:

sudo fail2ban-client reload

However when I now make multiple failing logins within a minute nothing is being logged in /var/log/fail2ban.log.
The Odoo log contains new lines that show the failing logins and I do see the configuration is loaded and applied for fail2ban:

2018-05-29 09:08:18,601 fail2ban.actions        [1048]: INFO    Set banTime = 900
2018-05-29 09:08:18,605 fail2ban.filter         [1048]: INFO    Set maxRetry = 4
2018-05-29 09:08:18,605 fail2ban.filter         [1048]: INFO    Set jail log file encoding to UTF-8
2018-05-29 09:08:18,613 fail2ban.filter         [1048]: INFO    Added logfile = /var/log/odoo11/odoo11-server.log
2018-05-29 09:08:18,617 fail2ban.filter         [1048]: INFO    Set findtime = 600
2018-05-29 09:08:18,636 fail2ban.jail           [1048]: INFO    Jail 'sshd' started
2018-05-29 09:08:18,655 fail2ban.jail           [1048]: INFO    Jail 'odoo-login' started

Does anybody have any idea what I am missing or what might be wrong?

Regards,
Yenthe

Autor Najlepsza odpowiedź

Hi all,

There are already two answers but I was not able to pinpoint the issue with both. Here are the steps to configure fail2ban with Odoo:

1. Install fail2ban:

sudo apt-get install fail2ban

2. Copy the default jail.conf file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Edit the copied file:

sudo nano /etc/fail2ban/jail.local

4. Add the following code at the end of the file and then save it:

[odoo-login]
enabled = true
port = http,https
bantime = 90000  ; 15 min ban
maxretry = 5  ; if 5 attempts
findtime = 7260  ; within 1 min - by default fail2ban is in local time so 1h diff
logpath = /var/log/odoo/odoo-server.log ; be sure it matches with your logfile location

5. Create an odoo-login local file:

/etc/fail2ban/filter.d/odoo-login.local

6. Add in the following definition in the file:

[Definition]
failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>
ignoreregex =

7. Restart the fail2ban client:

sudo fail2ban-client restart

If you would now make more than 5 invalid login attempts you'll see a notice with a "BAN" in the logfile of the fail2ban log. See /var/log/fail2ban.log

Regards,
Yenthe

Nils

Hey Folks,

is there any reliable work-around for this? I am facing the same issue and tried several approaches already.

My regex file is manyually tested with the logfile and its working fine, matching the login attemps. For some reason, its not handed over to f2b properly and its not taking notice of the bad login attempt.

I am testing on V14 CE with f2b 0.11.1... f2b is working well with the standard jails (ssh for example), the IP of the logging user is handed over correctly and not translated to the localhost by nginx. This is what the Odoo-log is presenting. Same with system-log.

Would be great to hear if there is any progress.

Andreas Perhab

As an update to this answer, these days i discovered another Log line was added a few versions ago that we added to our fail2ban config: https://github.com/odoo/odoo/blob/17.0/addons/auth_signup/controllers/main.py#L88

_logger.info(
    "Password reset attempt for  by user  from %s",
    login, request.env.user.login, request.httprequest.remote_addr)

we now have the following fail2ban filter:

failregex = ^.*Login failed for db:[^ ]* login:[^ ]* from .*$
            ^.*Password reset attempt for \S+ by user \S+ from .*$

Lewi S. Kristianto

experiencing this also, in environment centos 7, but found out that checking regex in https://regexr.com/ worked,

seem fail2ban not recognize \S+
# fail2ban-regex -v "/var/log/messages" "/etc/fail2ban/filter.d/odoo-login.conf"
-> not working

need to modify /etc/fail2ban/filter/odoo-login.conf:
[Definition]
#string log -> Oct 7 14:07:38 support journal: Odoo Server 12.0:HR:INFO:odoo.addons.base.models.res_users:Login failed for db:HR login:123 from x.x.x.x
#failregex = ^ \d+ INFO \S+ \S+Login failed for db:\S+ login:\S+ from <HOST>
failregex :Login failed for db:\S+ login:\S+ from <HOST>$
ignoreregex =

file /etc/fail2ban/jail.d/odoo-login.conf
[odoo-login]
enabled = true
filter = odoo-login
action = iptables-multiport-tcp[name=odoo-login, port="80,443", protocol=tcp]
mail-whois-lines[name=odoo-login, dest=root, sender=fail2ban]
logpath = /var/log/messages
findtime = 7200
bantime = 7200
maxretry = 10

in /etc/odoo12.conf, require to add:
syslog = True

Mag. Wolfgang Taferner

Possible pitfalls for fail2ban and Odoo.

log file is too big
regex does not match

Test your regex and logfile with the command underneath and you should get back the proper results

fail2ban-regex -v "your_logfile" "/etc/fail2ban/filter.d/odoo.conf"

Ryanto The

Telling fail2ban that odoo log is in UTC is better than adding time difference to bantime and/or findtime. I use the following conf in jail.local file. (Tested on Odoo v11 and Fail2ban v0.10.2)

[odoo-login]
enabled = true
port = http,https
bantime = 15m ; this syntax only works on fail2ban v0.10, else use number in seconds
maxretry = 5 ; if 5 attempts
findtime = 1m ; within 1 min
logpath = /var/log/odoo/odoo-server.log ; be sure it matches with your logfile location
logtimezone = UTC ; tell fail2ban that odoo log time is in UTC

The regex expression does not match. Try the following with a regex tester:

INFO \S+ \S+ Login failed for db:\S+ login:\S+

Actually it does match (see https://pythex.org/?regex=%5Cd%2B INFO %5CS%2B %5CS%2B Login failed for db%3A%5CS%2B login%3A%5CS%2B from &test_string=2018-05-29 08%3A36%3A21%2C970 1439 INFO test odoo.addons.base.res.res_users%3A Login failed for db%3Atest login%3Ademo from 127.0.0.1&ignorecase=0&multiline=0&dotall=0&verbose=0)

Autor

and you need <HOST> for fail2ban which I assume is parsed to the actual IP from the person trying to login?

In my Odoo log I do not have "from <host>" at the end of the line.

Autor

Did you test on an 11.0 with the commit from https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29 though? It has only been introduced 13 days ago

I did test with the latest nightly build (deb).

...from today, I meant.

Autor

Hmm, odd :-/ I do see it logged in the Odoo log, fail2ban just doesn't seem to detect it.

Sorry for the noise, now I see it also, after a -u all, finally.

Did you try this: https://fail2ban.readthedocs.io/en/latest/filters.html#developing-testing-a-regex ?

I will try to set up the same this evening when I'll have figured out how to do it with a remote proxy server.

Autor

Hey Ermin - did you get around to this? I did two more attempts in the evenings but I still haven't figured out my mistake :-)

Autor

Up untill now I was not able to get it working sadly.

Hi Yenthe. I thought I would comment that I tried setting this up according to the instructions from the github link you posted and it seems to work fine. I'm not a coder or sysadmin really so I'm not sure I can help, but if you can think of any info that might help, ask away.

...also, I tried the regex test as suggested by Mag. Wolfgang Taferner above and got plenty of hits. Have you tried that?

Autor

I did try the regex from Wolfgang but that didn't work either. So with the message from Olivier Dony (https://github.com/odoo/odoo/commit/86ffb549bf80b054f8bb5131c52d3e7757accb29) you where able to configure it? Did you see a difference with your deployment and my steps?

Yes, that's right. In the Odoo section of my jail.local file I have a line pointing to the filter (odoo-server.conf in my case) to use - "filter = odoo-server" - which I don't see in your step 3. above, though that wouldn't explain why the fail2ban-regex test is failing.

Here is a line from my odoo-server log that get's picked up by the fail2ban-regex test:

2019-01-19 03:21:34,708 1618 INFO test odoo.addons.base.res.res_users: Login failed for db:test login:a;sldfkj from 123.175.237.239

...and here is the filter that detects the failed login in the fail2ban-regex test in my installation.

# fail2ban filter configuration for odoo (on nginx)

[Definition]

failregex = ^ \d+ INFO \S+ \S+ Login failed for db:\S+ login:\S+ from <HOST>

ignoreregex =

...perhaps if you use those two things and the fail2ban-regex test doesn't register a hit, there is something awry with your fail2ban install?

Autor

Thanks Bill - guess I have to setup a new test environment and test your ideas :)