Odoo comes with a number of security features enabled by default but these are not enough to stop a determined hacker, who can look for vulnerabilities in multiple services.
As a business platform, Odoo is a very valuable hacking target. An attacker can access all data about your company, employees and customers, basically putting you out of business.
This is why it’s extremely important to harden your server; we will describe in this article how to protect it against the most common types of attacks.
Use SSL
The unencrypted http protocol is very dangerous because your data can be intercepted through packet sniffing or man in the middle attacks.
There are several ways to install a SSL certificate and encrypt all traffic. If your server runs cPanel, free certificates can be automatically installed and renewed through AutoSSL.
Buying a certificate is another option, but in this case you’ll have to install it manually by modifying the configuration files of your web server.
Free certificates are also available on servers without cPanel, these are provided by Let’s Encrypt.
In order to install the official client, run the following commands in the terminal (on an Ubuntu server):
|
1 2 3 |
add-apt-repository ppa:certbot/certbot apt-get update apt-get install python-certbot-apache |
You can now use the certbot utility to generate and install a SSL certificate for your domain, you’ll have to specify the web server and domain name (apache and yourdomain.com in this example):
|
1 |
certbot --apache -d yourdomain.com |
The certificate is valid for 90 days but certbot will automatically renew it 30 days in advance.
Close ports and services
Every open port can be exploited by hackers and all services are a potential vulnerability. In order to minimize the risk, make sure that your server only uses the services and ports that you actually need.
Execute the command netstat –tulpn from the command line to check which ports are open, the output should be similar to this one:
Any ports that you don’t need can be blocked in the firewall; this is easily done in Ubuntu with the ufw command. For example, this is the command that closes the SMTP port (25) if you don’t use it:
|
1 |
ufw deny 25/tcp |
Closing unused services is trickier and you should proceed with caution. Only stop a service if you’re sure about its role, otherwise you could damage your server or even make it unresponsive.
To see a list of services in Ubuntu, run this command:
|
1 |
service --status-all |
The services with a + sign are the active ones, if you are certain that one of them is not needed, stop and disable it with the systemctl command:
|
1 2 |
systemctl stop service systemctl disable service |
Secure SSH
The SSH service is one of the most vulnerable to hackers and bots, being under constant brute force attack if the default port (22) is used.
The first step to secure it is to change port 22 to another one, choose a port number between 10000 and 65535 so it doesn’t conflict with other services.
Open the file /etc/ssh/sshd_config in your favorite text editor, look for the line Port 22 and modify it. Make sure that the new port is open in the firewall to avoid being locked out, and then restart the service:
|
1 |
service sshd restart |
For even better security, disable password logins completely and set up SSH keys. Look for the parameter PasswordAuthentication in the sshd_config file, uncomment it if needed and set the value to “no”.
Assuming that you already have a pair of SSH keys, copy your private key and add it to the file ~/.ssh/authorized_keys.
After restarting the sshd service, you will be able to log in without a password.
Use strong passwords
Users are always tempted to choose simple passwords that are easy to type and remember, this is a major vulnerability for your server.
You can use an Odoo module to enforce healthy password security requirements on all your company users.
From the Odoo web interface, go to Settings and click on Activate the developer mode in the right column. You can then click on Apps and install the Base import module if it is not active already.
A new Import Module option will now be available under Apps. Import the free Password Security module from here and then click on Import Module to upload the Zip archive and install it.
You will now be able to enforce password length and strength requirements, an expiration date, as well as prevent the reuse of older passwords, which is another dangerous practice. The new settings will be applied the next time when a user changes his password.
While no server is completely safe from hackers, implementing these steps will greatly increase the security of your Odoo installation and protect your data from the most common attack vectors used today.