SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

Müşteri İlişkileri Yönetimi
e-Commerce
Muhasebe
Envanter
PoS
Project
MRP

All apps

All Posts People Badges

Etiketler (View all)

CFDI4.0 CartaPorte Multiple-companies odoo.sh Group

About this forum

SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Security

1 Cevapla

1801 Görünümler

Russ Schneider

Odoo 12 CE, self hosted.

Note: seems to be same issue affecting: https://www\.odoo\.com/forum/help\-1/blocking\-fake\-orders\-spam\-bots\-brute\-force\-attack\-191040

Some\ has\ twice\ now\ has\ bombarded\ our\ Odoo\ installation\ and\ generated\ >\ 100\ fake\ orders\ within\ an\ hour\ as\ "Public\ User"\ $user\ is\ archived\ in\ the\ system,\ not\ active$\.

Sample\ of\ nginx\ access\ log\ $X's\ are\ my\ own$:

45\.227\.254\.6\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- uXdV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- wpYD\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- kGJU\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- bCnV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- UxfA\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- ygQE\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 1\-\- DXmb\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 2720\-\- aPsk\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL\-\- NFmu\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL\-\- cOxo\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL%2CNULL\-\- RKgJ\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"

This has happened twice now. How can I stop the fake orders from being generated? How can I be sure the injections are failing? Odoo is supposed to be secure against them.

Pete Charalampopoulos

In all version of Odoo on ubuntu you can install fail2ban and create a jail with the custom filter.

in the case above do the following (Assuming you have nginx)

1. install fail2ban

2. Create a Fail2ban filter for GET /shop/cart/update
nano /etc/fail2ban/filter.d/nginx-cart-update.conf

In the file add this lines:
[Definition]

failregex = ^<HOST> -.*"(GET|POST) /shop/cart/update.*$

3. Open or create the jail configuration file, e.g., nano /etc/fail2ban/jail.local, and add the following:

[nginx-cart-update]

enabled = true

port = http,https

filter = nginx-cart-update

logpath = /var/log/nginx/access.log # Update this if your access log is located elsewhere

maxretry = 5 # Adjust the threshold as needed

bantime = 3600 # Adjust the ban time as needed

4. Restart fail2ban

sudo systemctl restart fail2ban

Now, Fail2ban will monitor your Nginx logs and ban IPs that attempt multiple "GET /shop/cart/update" requests, which helps mitigate this brute-force attack.

Thank you
- Datalabsystems.com

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Üye Ol

İlgili Gönderiler	Cevaplar	Görünümler
Need Clarification for "base.user_root" and "base.user_admin" Çözüldü xml Security	2 Eyl 24	1652
Odoo Source Code Protection source_code Security	2 Mar 24	2511
How do we restrict access to odoo instance to allow only certain devices (certain phones and PCs only) access Security	0 Ara 22	2586
Deny access to window action if not group Groups Security	0 Eki 21	2375
Access Rights Limitations record_rules Security access rights	2 Kas 24	1337

Bu soru işaretlendi

Enjoying the discussion? Don't just read, join in!