|
|
|
@ -1,22 +1,25 @@ |
|
|
|
.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg |
|
|
|
:alt: License |
|
|
|
|
|
|
|
============================================== |
|
|
|
Authentication Tracking and Prevent Brut Force |
|
|
|
============================================== |
|
|
|
======================================================= |
|
|
|
Authentication Tracking and Prevent Brute-force Attacks |
|
|
|
======================================================= |
|
|
|
|
|
|
|
This module register each request done by users trying to authenticate into |
|
|
|
This module registers each request done by users trying to authenticate into |
|
|
|
Odoo. If the authentication fails, a counter is increased for the given remote |
|
|
|
IP. After 10 attempts (or other quantity, depending on an ir.config_parameter), |
|
|
|
Odoo will ban the remote IP and ignore new requests. |
|
|
|
|
|
|
|
Admin user have the possibility to unblock a banned IP. |
|
|
|
IP. After after a defined number of attempts, Odoo will ban the remote IP and |
|
|
|
ignore new requests. |
|
|
|
This module applies [security through obscurity] |
|
|
|
(https://en.wikipedia.org/wiki/Security_through_obscurity): |
|
|
|
When a user is banned, the request is now considered as an attack. So, the UI |
|
|
|
will **not** indicate to the user that his IP is banned and the regular message |
|
|
|
'Wrong login/password' is displayed. |
|
|
|
|
|
|
|
This module realizes a call to a web API (http://ip-api.com) to try to have |
|
|
|
extra informations about remote IP. |
|
|
|
|
|
|
|
Note and Warning |
|
|
|
---------------- |
|
|
|
Known issue / Roadmap |
|
|
|
--------------------- |
|
|
|
The ID used to identify a remote request is the IP provided in the request |
|
|
|
(key 'REMOTE_ADDR'). |
|
|
|
Depending of server and / or user network configuration, the idenfication |
|
|
|
@ -27,6 +30,18 @@ of the user can be wrong, and mainly in the following cases: |
|
|
|
* If some users are behind the same Internet Service Provider, if a user is |
|
|
|
banned, all the other users will be banned to; |
|
|
|
|
|
|
|
Configuration |
|
|
|
------------- |
|
|
|
|
|
|
|
Once installed, you can change the ir.config_parameter value for the key |
|
|
|
'auth_brute_force.max_attempt_qty' (10 by default) that define the max number |
|
|
|
of attempts allowed before the user was banned. |
|
|
|
|
|
|
|
Usage |
|
|
|
----- |
|
|
|
|
|
|
|
Admin user have the possibility to unblock a banned IP. |
|
|
|
|
|
|
|
Logging |
|
|
|
------- |
|
|
|
|
|
|
|
@ -47,11 +62,11 @@ Screenshot |
|
|
|
|
|
|
|
**List of Attempts** |
|
|
|
|
|
|
|
.. image:: /auth_brut_force/static/description/screenshot_attempts_list.png |
|
|
|
.. image:: /auth_brute_force/static/description/screenshot_attempts_list.png |
|
|
|
|
|
|
|
**Detail of a banned IP** |
|
|
|
|
|
|
|
.. image:: /auth_brut_force/static/description/screenshot_custom_ban.png |
|
|
|
.. image:: /auth_brute_force/static/description/screenshot_custom_ban.png |
|
|
|
|
|
|
|
|
|
|
|
Usage |
|
|
|
@ -73,7 +88,7 @@ Bug Tracker |
|
|
|
Bugs are tracked on `GitHub Issues <https://github.com/OCA/web/issues>`_. |
|
|
|
In case of trouble, please check there if your issue has already been reported. |
|
|
|
If you spotted it first, help us smashing it by providing a detailed and welcomed feedback |
|
|
|
`here <https://github.com/OCA/web/issues/new?body=module:%20auth_brut_force%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. |
|
|
|
`here <https://github.com/OCA/web/issues/new?body=module:%20auth_brute_force%0Aversion:%208.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. |
|
|
|
|
|
|
|
Credits |
|
|
|
======= |
|
|
|
|
Sylvain LE GAL
9 years ago