Odoo security with Fail2ban

Odoo security with Fail2ban is the result of my collaboration with Cyril Jaquier on the Fail2ban project. Through my implementations, and throughout the life-cycle of an Odoo system, I have been confronted, like so many system administrators, with login attacks. Since Odoo is an online, web-based ERP, nothing is easier than firing POST requests at the login interface and trying to brute-force a way into the system.

As a result, I turned to Fail2ban to parse the logs and ban, at the NAT in front of the Odoo server, the nasty IPs that kept sucking out bandwidth and CPU and compromising our clients' system integrity.

As you may know, Fail2ban needs two entries for this to work:

  • A jail added to jail.local (the local override of jail.conf; jail.conf itself is replaced on upgrade, so do not edit it)
  • A filter containing the regular expression that, once matched often enough, triggers the ban action

Here is the jail entry:

[odoo-server]
enabled  = true
# ports closed to a banned address by the default iptables-multiport action;
# add 8069 if Odoo is reached directly rather than through a proxy on 80/443
port     = http,https
filter   = odoo-server
logpath  = /var/log/odoo/odoo-server.log
# window inside which maxretry failures must occur: 6000 s is 100 minutes
# (one day would be 86400)
findtime = 6000
# how long the address stays banned: one week
bantime  = 604800
maxretry = 10

Here is the filter:

/etc/fail2ban/filter.d/odoo-server.conf

# Odoo brute-force login banning rule.
# Odoo answers a failed POST /web/login by re-rendering the form with HTTP 200,
# while a successful login is answered with a 303 redirect, so 200 on that POST
# is the failure marker (check your own log confirms this before trusting it).
# The PID after the timestamp and the database name after INFO vary from one
# run and one database to the next, so neither may be hard-coded in the pattern.
[Definition]
failregex = \d+ INFO \S+ werkzeug: <HOST> - - \[.*\] "POST /web/login HTTP/1\.[01]" 200 -
ignoreregex =

Be aware that the above only works when Odoo's own Werkzeug server writes the access line into the Odoo log. Should a reverse proxy such as Apache or Nginx sit in front of Odoo, the Werkzeug line records the address the TCP connection came from, which is the proxy's, so this filter would end up banning the proxy rather than the attacker. In that case point the jail's logpath at the proxy's access log and adapt the pattern to its log format.
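To check the filter before reloading Fail2ban, here is a small dry run written for this article; it is not code from the original post, from Fail2ban or from Odoo. It applies the corrected failregex, and for comparison the one with the PID and database name hard-coded, to a constructed Odoo log and replays the jail's findtime/maxretry counting. The IP addresses, PIDs, database names and timestamps are all made up for the example, and the plain IPv4 group standing in for Fail2ban's <HOST> placeholder is an assumption about its simplest form.

```python
"""Dry run of the Odoo fail2ban filter on a constructed log.

Added example, not code from the original post, from Fail2ban or from Odoo.
It does offline what the jail does: match the failregex against each log
line, count matches per client address inside the findtime window and
report the addresses that reach maxretry. Every log line is constructed here.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes its own host-matching group for <HOST>; a plain IPv4
# group stands in for it (an assumption) so the standard `re` module can run it.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Odoo's timestamp, which fail2ban consumes with its datepattern before the
# failregex is applied; captured here to compute the findtime window.
TIMESTAMP = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "

# The expression as published (PID 974 and database "odoo" hard-coded).
ORIGINAL_FAILREGEX = (r"974 INFO odoo werkzeug: " + HOST
                      + r' - -.* *.POST /web/login HTTP/1.1" 200 -')
# The corrected filter: any PID, any database, status 200 on POST /web/login.
FAILREGEX = (r"\d+ INFO \S+ werkzeug: " + HOST
             + r' - - \[[^\]]*\] "POST /web/login HTTP/1\.[01]" 200 -')

FINDTIME = timedelta(seconds=6000)  # as in the jail: 100 minutes, not a day
MAXRETRY = 10


def werkzeug_line(ts, pid, db, host, request, status):
    """Format one line the way Odoo's werkzeug request handler logs it."""
    return (f"{ts:%Y-%m-%d %H:%M:%S},000 {pid} INFO {db} werkzeug: {host} - - "
            f'[{ts:%d/%b/%Y %H:%M:%S}] "{request} HTTP/1.1" {status} -')


def build_sample_log():
    """Constructed log: a brute-forcer, a clumsy user and a slow attacker."""
    t0 = datetime(2017, 3, 2, 9, 0, 0)
    lines = []
    # 203.0.113.7: twelve failures 30 s apart; the PID changes as after a restart.
    for i in range(12):
        lines.append(werkzeug_line(t0 + timedelta(seconds=30 * i),
                                   974 if i < 6 else 1201, "odoo",
                                   "203.0.113.7", "POST /web/login", 200))
    # 198.51.100.4: three typos on database "prod", then a successful login (303).
    for i in range(3):
        lines.append(werkzeug_line(t0 + timedelta(minutes=1, seconds=15 * i), 974,
                                   "prod", "198.51.100.4", "POST /web/login", 200))
    lines.append(werkzeug_line(t0 + timedelta(minutes=2), 974, "prod",
                               "198.51.100.4", "POST /web/login", 303))
    # 192.0.2.9: ten failures 20 minutes apart, never ten inside one window.
    for i in range(10):
        lines.append(werkzeug_line(t0 + timedelta(minutes=20 * i), 974, "prod",
                                   "192.0.2.9", "POST /web/login", 200))
    # Traffic that must not count: fetching the login form, a POST elsewhere.
    lines.append(werkzeug_line(t0, 974, "odoo", "203.0.113.7", "GET /web/login", 200))
    lines.append(werkzeug_line(t0, 974, "odoo", "203.0.113.7",
                               "POST /web/dataset/call_kw", 200))
    return "\n".join(sorted(lines))  # fixed-width timestamps, so this is time order


def parse_failures(log_text, failregex=FAILREGEX):
    """(timestamp, host) for every line the failregex matches, in log order."""
    line_re = re.compile(TIMESTAMP + failregex)
    hits = []
    for line in log_text.splitlines():
        m = line_re.match(line)
        if m:
            hits.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                         m.group("host")))
    return hits


def failures_per_host(log_text, failregex=FAILREGEX):
    """Total matches per client address, ignoring timing."""
    return Counter(host for _, host in parse_failures(log_text, failregex))


def banned_hosts(log_text, failregex=FAILREGEX, findtime=FINDTIME, maxretry=MAXRETRY):
    """Addresses reaching maxretry matches inside one findtime window, in ban order."""
    recent = defaultdict(deque)  # host -> failure times still inside the window
    banned = []
    for ts, host in parse_failures(log_text, failregex):
        if host in banned:
            continue  # the action has already fired for this address
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    log = build_sample_log()
    for name, rx in (("corrected", FAILREGEX), ("as published", ORIGINAL_FAILREGEX)):
        print(f"{name:13}: {dict(failures_per_host(log, rx))} -> {banned_hosts(log, rx)}")
```

Run as is, the corrected filter counts twelve failures for 203.0.113.7 and bans it at the tenth, leaves the user who eventually logs in alone, and never bans the slow attacker whose ten failures never fall inside one 100-minute window; the published expression only sees the six lines that happen to carry PID 974 and database "odoo", so it would never fire after a restart. On a real server the equivalent check is `fail2ban-regex /var/log/odoo/odoo-server.log /etc/fail2ban/filter.d/odoo-server.conf`, which reports how many lines of the live log the filter matches.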