SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Kế toán
Tồn kho
PoS
Project
MRP

All apps

Tất cả bài viết Người Huy hiệu

Thẻ (Xem tất cả)

CFDI4.0 CartaPorte Multiple-companies odoo.sh Group

Về diễn đàn này

SECURITY: How to stop brute force attack creating > 100 fake orders and trying sql injection?

Security

1 Trả lời

1780 Lượt xem

Russ Schneider

Odoo 12 CE, self hosted.

Note: seems to be same issue affecting: https://www\.odoo\.com/forum/help\-1/blocking\-fake\-orders\-spam\-bots\-brute\-force\-attack\-191040

Some\ has\ twice\ now\ has\ bombarded\ our\ Odoo\ installation\ and\ generated\ >\ 100\ fake\ orders\ within\ an\ hour\ as\ "Public\ User"\ $user\ is\ archived\ in\ the\ system,\ not\ active$\.

Sample\ of\ nginx\ access\ log\ $X's\ are\ my\ own$:

45\.227\.254\.6\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- uXdV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:19\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- wpYD\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- kGJU\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- bCnV\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:20\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- UxfA\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL\-\- ygQE\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 1\-\- DXmb\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:21\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 ORDER BY 2720\-\- aPsk\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL\-\- NFmu\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL\-\- cOxo\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"
4\.0\.202\.2\ \-\ \-\ \[27/Jan/2022:01:42:22\ \-0500\]\ "GET\ /shop/cart/update\?category=XXXX\&csrf_token=XXXXXXXXXXXXXXXXXXXXXXXXX0c66a3f0e3d651o1638288418\&product_id=XXXX\&product_template_id=XXXX%27%29 UNION ALL SELECT NULL%2CNULL%2CNULL\-\- RKgJ\ HTTP/1\.1"\ 405\ 178\ "\-"\ "Mozilla/5\.0\ $Windows;\ U;\ Windows\ NT\ 5\.2;\ de\-DE$\ AppleWebKit/532\.0\ $KHTML,\ like\ Gecko$\ Chrome/\ Safari/532\.0"

This has happened twice now. How can I stop the fake orders from being generated? How can I be sure the injections are failing? Odoo is supposed to be secure against them.

Pete Charalampopoulos

In all version of Odoo on ubuntu you can install fail2ban and create a jail with the custom filter.

in the case above do the following (Assuming you have nginx)

1. install fail2ban

2. Create a Fail2ban filter for GET /shop/cart/update
nano /etc/fail2ban/filter.d/nginx-cart-update.conf

In the file add this lines:
[Definition]

failregex = ^<HOST> -.*"(GET|POST) /shop/cart/update.*$

3. Open or create the jail configuration file, e.g., nano /etc/fail2ban/jail.local, and add the following:

[nginx-cart-update]

enabled = true

port = http,https

filter = nginx-cart-update

logpath = /var/log/nginx/access.log # Update this if your access log is located elsewhere

maxretry = 5 # Adjust the threshold as needed

bantime = 3600 # Adjust the ban time as needed

4. Restart fail2ban

sudo systemctl restart fail2ban

Now, Fail2ban will monitor your Nginx logs and ban IPs that attempt multiple "GET /shop/cart/update" requests, which helps mitigate this brute-force attack.

Thank you
- Datalabsystems.com

Bạn có hứng thú với cuộc thảo luận không? Đừng chỉ đọc, hãy tham gia nhé!

Tạo tài khoản ngay hôm nay để tận hưởng các tính năng độc đáo và tham gia cộng đồng tuyệt vời của chúng tôi!

Đăng ký

Bài viết liên quan	Trả lời	Lượt xem
Need Clarification for "base.user_root" and "base.user_admin" Đã xử lý xml Security	2 thg 9 24	1639
Odoo Source Code Protection source_code Security	2 thg 3 24	2511
How do we restrict access to odoo instance to allow only certain devices (certain phones and PCs only) access Security	0 thg 12 22	2569
Deny access to window action if not group Groups Security	0 thg 10 21	2354
Access Rights Limitations record_rules Security access rights	2 thg 11 24	1323

Câu hỏi này đã bị gắn cờ

Bạn có hứng thú với cuộc thảo luận không? Đừng chỉ đọc, hãy tham gia nhé!