You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

125 lines
4.1 KiB

9 years ago
7 years ago
  1. .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
  2. :alt: License
  3. ===============================================================
  4. Tracks Authentication Attempts and Prevents Brute-force Attacks
  5. ===============================================================
  6. This module registers each request done by users trying to authenticate into
  7. Odoo. If the authentication fails, a counter is increased for the given remote
  8. IP. After a defined number of attempts, Odoo will ban the remote IP and
  9. ignore new requests.
  10. This module applies security through obscurity
  11. (https://en.wikipedia.org/wiki/Security_through_obscurity),
  12. When a user is banned, the request is now considered as an attack. So, the UI
  13. will **not** indicate to the user that his IP is banned and the regular message
  14. 'Wrong login/password' is displayed.
  15. This module realizes a call to a web API (http://ip-api.com) to try to have
  16. extra information about remote IP.
  17. Known issue / Roadmap
  18. ---------------------
  19. The ID used to identify a remote request is the IP provided in the request
  20. (key 'REMOTE_ADDR').
  21. Depending of server and / or user network configuration, the idenfication
  22. of the user can be wrong, and mainly in the following cases:
  23. * if the Odoo server is behind an Apache / NGinx proxy without redirection,
  24. all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key;
  25. * If some users are behind the same Internet Service Provider, if a user is
  26. banned, all the other users will be banned too;
  27. Configuration
  28. -------------
  29. Once installed, you can change the ir.config_parameter value for the key
  30. 'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
  31. of attempts allowed before the user was banned.
  32. You can also add a ir.config_parameter value for the key
  33. 'auth_brute_force.environ_log' which allows to log also specific request
  34. environment variables.
  35. The format is a comma-delimited list of variable names
  36. example: REMOTE_ADDR,REMOTE_PORT
  37. or you can just use the jocker '*' for log or discover all variables,
  38. most variable names depends of WSGI specification and reverse-proxy configuration.
  39. Usage
  40. -----
  41. Admin user have the possibility to unblock a banned IP.
  42. Logging
  43. -------
  44. This module generates some WARNING logs, in the three following cases:
  45. * Authentication failed from remote '127.0.0.1'. Login tried : 'admin'.
  46. Attempt 1 / 10.
  47. * Authentication failed from remote '127.0.0.1'. The remote has been banned.
  48. Login tried : 'admin'.
  49. * Authentication tried from remote '127.0.0.1'. The request has been ignored
  50. because the remote has been banned after 10 attempts without success. Login
  51. tried : 'admin'.
  52. Screenshot
  53. ----------
  54. **List of Attempts**
  55. .. image:: /auth_brute_force/static/description/screenshot_attempts_list.png
  56. **Detail of a banned IP**
  57. .. image:: /auth_brute_force/static/description/screenshot_custom_ban.png
  58. Usage
  59. =====
  60. * go to ...
  61. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  62. :alt: Try me on Runbot
  63. :target: https://runbot.odoo-community.org/runbot/149/8.0
  64. For further information, please visit:
  65. * https://www.odoo.com/forum/help-1
  66. Bug Tracker
  67. ===========
  68. Bugs are tracked on `GitHub Issues <https://github.com/OCA/web/issues>`_.
  69. In case of trouble, please check there if your issue has already been reported.
  70. If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
  71. `here <https://github.com/OCA/web/issues/new?body=module:%20auth_brute_force%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
  72. Credits
  73. =======
  74. Contributors
  75. ------------
  76. * Sylvain LE GAL (https://twitter.com/legalsylvain)
  77. * Sylvain CALADOR (https://akretion.com)
  78. Maintainer
  79. ----------
  80. .. image:: http://odoo-community.org/logo.png
  81. :alt: Odoo Community Association
  82. :target: http://odoo-community.org
  83. This module is maintained by the OCA.
  84. OCA, or the Odoo Community Association, is a nonprofit organization whose
  85. mission is to support the collaborative development of Odoo features and
  86. promote its widespread use.
  87. To contribute to this module, please visit http://odoo-community.org.