
Secure Your Odoo Installation

Your Odoo installation is critical to your business. Follow these steps to harden your server's security and protect it against attacks.

Your Odoo installation is critical to your business. It contains all your company data, including sensitive financial statements and confidential customer information. If you host Odoo 19 on your own server (for example, an Ubuntu 24.04 VPS), it is imperative to follow certain steps to harden your server's security and protect it against attacks.

1. Keep Your System Up to Date

The first line of defense is to regularly update your distribution's repositories and packages. Ubuntu Server ships unattended-upgrades, which installs security updates on its own, but a regular manual update still picks up everything else and lets you reboot when a new kernel requires it.

Run the following command:

bash
sudo apt update && sudo apt upgrade -y

Also keep your Odoo installation (Community or Enterprise) up to date. Odoo publishes security fixes as commits on the stable branch of each version, so pull the latest sources for yours regularly and restart the Odoo service afterwards so the new code is actually loaded.

bash
git pull origin 19.0

(Replace 19.0 with your specific version. Perform this operation in both the Odoo Community and Enterprise source folders, then restart Odoo; the service name depends on how you installed it. Some fixes change module data as well as code and only take effect after updating the affected modules with -u.)

2. Harden Your SSH Configuration

The SSH protocol is used to connect to and administer your Odoo server securely. It is a critical access point: if an attacker compromises it, they can take full control of the system and access your database. Here's how to secure it.

a) Change the Default Port

By default, the SSH service listens on port 22. Changing this port won't stop a targeted attacker (a port scan finds the new port in seconds), but it removes most of the noise from bots that only try port 22, which keeps your authentication logs readable and cuts the volume of automated brute-force attempts against the service.

To do this, edit the SSH configuration file:

bash
sudo vim /etc/ssh/sshd_config

Find the line #Port 22. Uncomment it (remove the #) and replace 22 with your chosen number (for example 1234).

ssh
Port 1234

Check the file for syntax errors with sudo sshd -t (a typo here can lock you out), then restart the SSH service to apply the changes:

bash
sudo systemctl restart ssh

Keep your current session open and test a new connection on the new port before closing it. On Ubuntu 24.04 sshd is started on demand by systemd (ssh.socket); if it still answers on port 22 after the restart, run sudo systemctl daemon-reload followed by sudo systemctl restart ssh.socket so the socket unit picks up the new Port, and confirm which port sshd is bound to with sudo ss -tlnp | grep sshd.

To connect, you will now need to specify the port with the -p option:

bash
ssh -p 1234 ubuntu@YOUR_SERVER_IP

b) Enable SSH Key Authentication

Password authentication exposes you to brute-force attacks (rapid, repeated attempts to guess your password). It is much safer to use cryptographic keys.

On your server, make sure public key authentication is enabled in /etc/ssh/sshd_config. Find the PubkeyAuthentication option and ensure it is set to yes.

ssh
PubkeyAuthentication yes

(Note: If the line is commented out, this generally means the option is active by default).

On your local computer (the one used to access the server), generate a new key pair:

bash
ssh-keygen -t ed25519

It is strongly recommended to set a passphrase to protect your private key. This way, even if your key is stolen, it cannot be used without the password.

Once generated, your keys are typically located in the .ssh folder of your user:

  • Private key (id_ed25519): Keep it safe and never share it.
  • Public key (id_ed25519.pub): This is the one that must be copied to the server.

To copy your public key to the server, use ssh-copy-id. Because the SSH port was changed in step 2a, pass it with -p (the key path below is the default location in your local home directory):

bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 1234 ubuntu@YOUR_SERVER_IP

(You will need to enter your user password one last time. ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the server for the ubuntu user.)

Once this step is complete, you can connect with your key and without the server password. If your key is not detected automatically, specify it with the -i option:

bash
ssh -i ~/.ssh/id_ed25519 -p 1234 ubuntu@YOUR_SERVER_IP

To avoid typing the port and key path every time, add a Host entry for the server to ~/.ssh/config with Port and IdentityFile set.

c) Disable Password Authentication

Now that key authentication is working, it is advisable to completely disable password authentication to close this door to attackers.

Edit the SSH configuration file again:

bash
sudo vim /etc/ssh/sshd_config

Modify or add the following lines: password and keyboard-interactive authentication set to no, and root login set to prohibit-password (root can then only log in with a key, never with a password):

ssh
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password

On Ubuntu 24.04, also check the drop-in directory. The Include /etc/ssh/sshd_config.d/*.conf line at the top of /etc/ssh/sshd_config is processed first, sshd keeps the first value it reads for each option, and cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf containing PasswordAuthentication yes, which silently overrides your edit. Remove that line from the drop-in (or place your own settings in a file that sorts before it, such as 10-hardening.conf), validate the syntax with sudo sshd -t, and print the value sshd will actually apply with sudo sshd -T | grep -i passwordauthentication.

Restart the SSH service:

bash
sudo systemctl restart ssh

Password authentication is now disabled and key-based access is mandatory. Before closing your current session, open a second terminal and confirm that a key-based login still works and that a password login is refused: ssh -o PubkeyAuthentication=no -p 1234 ubuntu@YOUR_SERVER_IP must fail with "Permission denied (publickey)".
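The three SSH steps above all depend on what sshd actually applies, which on Ubuntu 24.04 is not always what stands in /etc/ssh/sshd_config. The following script is an added example (not code from the original post) that audits the effective configuration with sshd -T, shows which file sets a given option, and writes the hardened values to a drop-in that sorts before cloud-init's. It assumes the custom port 1234 from step 2a and the drop-in name 10-hardening.conf; both are assumptions, adjust them to your setup.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit the EFFECTIVE sshd
# configuration instead of trusting what was typed into sshd_config.
#
# Why: on Ubuntu 24.04 /etc/ssh/sshd_config begins with
#   Include /etc/ssh/sshd_config.d/*.conf
# and sshd keeps the FIRST value it reads for each keyword, so a drop-in such
# as 50-cloud-init.conf ("PasswordAuthentication yes") silently beats a later
# edit in sshd_config. "sshd -T" prints the values sshd will really use.

SSH_PORT="${SSH_PORT:-1234}"   # assumption: the custom port chosen in step 2a

# sshd_check_effective: read "sshd -T" output on stdin, print one line per
# setting, return 0 only when every hardening value is in force.
sshd_check_effective() {
    local cfg failures=0 key want got
    cfg=$(cat)                                  # capture stdin once
    while read -r key want; do
        # sshd -T prints lowercase "keyword value", one per line
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            printf 'ok   %s %s\n' "$key" "$got"
        else
            printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
port $SSH_PORT
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin prohibit-password
EOF
    [ "$failures" -eq 0 ]
}

# sshd_setting_sources: show every file that sets KEY, in the order sshd
# reads them (drop-ins first, then the main file). The first hit wins.
# Arguments: KEY [path to sshd_config]
sshd_setting_sources() {
    local key=$1 main=${2:-/etc/ssh/sshd_config}
    local dir; dir=$(dirname "$main")/sshd_config.d
    grep -inE "^[[:space:]]*${key}[[:space:]]" "$dir"/*.conf "$main" 2>/dev/null
}

# sshd_write_hardening_dropin: put the hardened values in a drop-in whose name
# sorts BEFORE 50-cloud-init.conf, so they win regardless of the main file.
# Argument: target path (assumption: /etc/ssh/sshd_config.d/10-hardening.conf)
sshd_write_hardening_dropin() {
    local target=${1:-/etc/ssh/sshd_config.d/10-hardening.conf}
    cat > "$target" <<EOF
# Hardening drop-in; sorts before 50-cloud-init.conf so these values win
Port $SSH_PORT
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Audit mode (run on the server): show who sets PasswordAuthentication, then
# check what sshd really applies. Restart only after "sshd -t" is clean.
if [ "${SSHD_AUDIT:-0}" = "1" ]; then
    sshd_setting_sources PasswordAuthentication
    sudo sshd -t && sudo sshd -T | sshd_check_effective
fi
```

Run it with SSHD_AUDIT=1 on the server after editing the configuration and before closing your existing session: every FAIL line names an option whose effective value differs from the hardening target, and sshd_setting_sources shows which file is responsible. Writing a drop-in that sorts first is preferable to editing 50-cloud-init.conf, which cloud-init manages.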

3. Configure a Firewall

A firewall is an essential security measure for filtering incoming traffic. It prevents the accidental exposure of internal applications to the public network. The goal is to expose only the strictly necessary services.

Install UFW (Uncomplicated Firewall):

bash
sudo apt install ufw

Important: Before enabling the firewall, you must allow your SSH port (the one you configured in step 2a), otherwise you will be locked out of your server.

bash
sudo ufw allow 1234/tcp

(Replace 1234 with your custom SSH port).

Then allow the ports your reverse proxy (nginx, Apache, ...) exposes for Odoo: 80 for HTTP, normally only to redirect to HTTPS, and 443 for TLS. Do not open Odoo's own listeners, 8069 (HTTP) and 8072 (the gevent/websocket worker): they must only be reachable from the reverse proxy on the same host, so bind them to loopback with http_interface = 127.0.0.1 in the Odoo configuration file and set proxy_mode = True so Odoo trusts the proxy's X-Forwarded headers.

bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Once the rules are added, enable the firewall:

bash
sudo ufw enable

You can check the status of your rules at any time with:

bash
sudo ufw status verbose
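A firewall only filters what reaches the host; a service that listens on 0.0.0.0 is still one wrong rule away from being public. The script below is an added example (not from the original post) that applies the rules from this step with a rate limit on SSH and then checks the output of ss for listeners on non-loopback addresses outside the allowed list. It assumes SSH on port 1234 (step 2a), a reverse proxy on 80/443, and Odoo's own ports 8069 and 8072 behind it; the ss sample embedded in the script is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: apply the firewall rules from
# step 3 and then verify that nothing else is listening on a public address.
# Assumptions: SSH on port 1234 (step 2a), Odoo behind a reverse proxy on
# 80/443, Odoo's own ports 8069 (HTTP) and 8072 (gevent/websocket) private.

SSH_PORT="${SSH_PORT:-1234}"
PUBLIC_PORTS="$SSH_PORT 80 443"   # the only ports that may face the internet

# ufw_apply_rules: default-deny inbound, rate-limit SSH (ufw "limit" blocks a
# source after 6 new connections in 30 seconds), allow the proxy ports, enable.
ufw_apply_rules() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw limit "$SSH_PORT/tcp" comment 'SSH, rate limited'
    sudo ufw allow 80/tcp  comment 'HTTP, reverse proxy'
    sudo ufw allow 443/tcp comment 'HTTPS, reverse proxy'
    sudo ufw --force enable
}

# find_exposed_listeners: read "ss -Hltn" output on stdin and print every TCP
# listener bound to a non-loopback address whose port is not in the argument
# list. Returns 0 when nothing unexpected is exposed, 1 otherwise.
# ufw hides such ports from the network, but a listener on 0.0.0.0 is one
# mistaken rule away from the internet; bind it to 127.0.0.1 instead.
find_exposed_listeners() {
    local allowed=" $* " state rq sq local_addr rest host port exposed=0
    while read -r state rq sq local_addr rest; do
        [ -n "$local_addr" ] || continue
        port=${local_addr##*:}          # text after the last colon
        host=${local_addr%:*}           # text before the last colon
        case "$host" in
            127.*|"[::1]") continue ;;  # loopback: not reachable from outside
        esac
        case "$allowed" in
            *" $port "*) ;;             # expected public port
            *) printf 'EXPOSED %s\n' "$local_addr"; exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample of "ss -Hltn" output for a typical Odoo host: sshd on the
# custom port, nginx on 80/443, Odoo on 8069/8072 bound to all interfaces
# (the mistake this check catches), PostgreSQL correctly on loopback.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8069 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8072 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:1234 [::]:*'

# Live mode on the server: apply the rules, then audit the real listeners.
if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_apply_rules
    sudo ufw status verbose
    ss -Hltn | find_exposed_listeners $PUBLIC_PORTS   # unquoted on purpose: split the list
fi
```

With UFW_APPLY=1 the script applies the rules and audits the live host; without it, it only defines the functions. On the constructed sample the audit reports 0.0.0.0:8069 and 0.0.0.0:8072 and nothing else. If the audit flags those ports on your server, set http_interface = 127.0.0.1 (and proxy_mode = True, so Odoo trusts the reverse proxy's X-Forwarded headers) in the Odoo configuration file and restart Odoo.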

4. Enable Two-Factor Authentication (2FA) on Odoo

An attacker may also attempt to compromise your ERP through your Odoo user account. While this doesn't grant access to the server itself, the consequences (data leaks, malicious actions) can be devastating depending on your access rights.

It is recommended to enable two-factor authentication (2FA). Odoo's 2FA uses standard time-based one-time passwords (TOTP), so any authenticator app works: Google Authenticator, Microsoft Authenticator, Aegis, 1Password and similar.

  1. Log in to your Odoo instance.
  2. Click on your profile (top right), then on Preferences.
  3. Go to the Security tab and enable 2FA authentication.
  4. Scan the displayed QR code with your mobile authenticator app and enter the verification code.

From now on, a 2FA code will be required at each login. Even if your password is stolen, the attacker won't be able to access your account without this second code. Enable it first on administrator accounts, which are the most valuable targets, then on every user who can see financial or customer data.


Want more tips to secure your Odoo? Contact us at contact@tadoo.io!