OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1580 Commits
13 Branches
0 Tags
45 MiB
Tree: 24369d8ab1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '24369d8ab1'
${ noResults }
server-tools/auth_brute_force/README.rst

120 lines
4.1 KiB
Raw Normal View History

[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[IMP] module name
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
Minor corrections in README
8 years ago
[REF] description;
9 years ago
[FIX] description;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[FIX] typo
9 years ago
Minor corrections in README
8 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] remove useless field 'name' and fix description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[IMP] add the possibility to log also request environment variables
7 years ago
[FIX] Typo
7 years ago
[IMP] add a jocker '*' for discover or log all request environment variables
7 years ago
[IMP] add the possibility to log also request environment variables
7 years ago
[IMP] add a jocker '*' for discover or log all request environment variables
7 years ago
[IMP] README.rst
7 years ago
[IMP] add a jocker '*' for discover or log all request environment variables
7 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[REF] description;
9 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
[IMP] add the possibility to log also request environment variables
7 years ago
[ADD] new module 'auth_track_and_prevent_brut_force' ;
9 years ago
  1. .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
  2. :alt: License
  4. ===============================================================
  5. Tracks Authentication Attempts and Prevents Brute-force Attacks
  6. ===============================================================
  8. This module registers each request done by users trying to authenticate into
  9. Odoo. If the authentication fails, a counter is increased for the given remote
  10. IP. After a defined number of attempts, Odoo will ban the remote IP and
  11. ignore new requests.
  12. This module applies security through obscurity
  13. (https://en.wikipedia.org/wiki/Security_through_obscurity),
  14. When a user is banned, the request is now considered as an attack. So, the UI
  15. will **not** indicate to the user that his IP is banned and the regular message
  16. 'Wrong login/password' is displayed.
  18. This module realizes a call to a web API (http://ip-api.com) to try to have
  19. extra information about remote IP.
  21. Known issue / Roadmap
  22. ---------------------
  23. The ID used to identify a remote request is the IP provided in the request
  24. (key 'REMOTE_ADDR').
  25. Depending of server and / or user network configuration, the idenfication
  26. of the user can be wrong, and mainly in the following cases:
  28. * if the Odoo server is behind an Apache / NGinx proxy without redirection,
  29. all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key;
  30. * If some users are behind the same Internet Service Provider, if a user is
  31. banned, all the other users will be banned too;
  33. Configuration
  34. -------------
  36. Once installed, you can change the ir.config_parameter value for the key
  37. 'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
  38. of attempts allowed before the user was banned.
  40. You can also add a ir.config_parameter value for the key
  41. 'auth_brute_force.environ_log' which allows to log also specific request
  42. environment variables.
  44. The format is a comma-delimited list of variable names
  45. example: REMOTE_ADDR,REMOTE_PORT
  47. or you can just use the jocker '*' for log or discover all variables,
  48. most variable names depends of WSGI specification and reverse-proxy configuration.
  50. Usage
  51. -----
  53. Admin user have the possibility to unblock a banned IP.
  55. Logging
  56. -------
  58. This module generates some WARNING logs, in the three following cases:
  60. * Authentication failed from remote '127.0.0.1'. Login tried : 'admin'.
  61. Attempt 1 / 10.
  63. * Authentication failed from remote '127.0.0.1'. The remote has been banned.
  64. Login tried : 'admin'.
  66. * Authentication tried from remote '127.0.0.1'. The request has been ignored
  67. because the remote has been banned after 10 attempts without success. Login
  68. tried : 'admin'.
  70. Screenshot
  71. ----------
  73. **List of Attempts**
  75. .. image:: /auth_brute_force/static/description/screenshot_attempts_list.png
  77. **Detail of a banned IP**
  79. .. image:: /auth_brute_force/static/description/screenshot_custom_ban.png
  82. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  83. :alt: Try me on Runbot
  84. :target: https://runbot.odoo-community.org/runbot/149/8.0
  86. For further information, please visit:
  88. * https://www.odoo.com/forum/help-1
  90. Bug Tracker
  91. ===========
  93. Bugs are tracked on `GitHub Issues <https://github.com/OCA/web/issues>`_.
  94. In case of trouble, please check there if your issue has already been reported.
  95. If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
  96. `here <https://github.com/OCA/web/issues/new?body=module:%20auth_brute_force%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
  98. Credits
  99. =======
  101. Contributors
  102. ------------
  104. * Sylvain LE GAL (https://twitter.com/legalsylvain)
  105. * Sylvain CALADOR (https://akretion.com)
  107. Maintainer
  108. ----------
  110. .. image:: http://odoo-community.org/logo.png
  111. :alt: Odoo Community Association
  112. :target: http://odoo-community.org
  114. This module is maintained by the OCA.
  116. OCA, or the Odoo Community Association, is a nonprofit organization whose
  117. mission is to support the collaborative development of Odoo features and
  118. promote its widespread use.
  120. To contribute to this module, please visit http://odoo-community.org.