Odoo
Security importance in Odoo deployment

The primary goal of cyber security is to reduce the risk of cyber attacks and to protect networks, systems and data from unauthorized use.

Cyber security is a big field and attackers have many tricks for exploiting a system, so the vulnerabilities present in a deployment must be identified and fixed. The following are the steps we use to secure the server and the Odoo instance running on it.

Follow the principle of least privilege. This covers both physical access (data centers, server rooms, etc.) and electronic access to systems and data. For example, a salesperson should be able to do what the role requires, such as creating quotations and printing sale orders, but should not be able to do purchasing work or change system configuration. In Odoo this is done with groups and access rights, not by giving everyone the Administrator role.

  1. use a port other than 22 for SSH
  2. use protocol SSH-2 only (current OpenSSH releases no longer support SSH-1, so on those this needs no configuration)
  3. disable direct root login
  4. use public key authentication instead of passwords
  5. enable two-factor authentication on the web application
  6. use strong passwords for web application logins
  7. disable empty passwords
  8. restrict SSH to specific IPs/devices
  9. set an SSH idle timeout


Idle Timeout: the idle timeout is the maximum time a client may stay idle (sending no data) within an established SSH session; after that the server closes the connection. In OpenSSH, ClientAliveInterval and ClientAliveCountMax control how often the server probes the client and how many unanswered probes end the session. Note that a working ssh client answers these probes automatically, so they reap dead or disconnected sessions rather than logging out a user who is connected but idle; to force a logout of an idle shell, set TMOUT in the login profile as well.

These timeouts stop abandoned connections from occupying server resources and protect against risks such as someone taking over an idle session on an unattended terminal. Balance this against legitimate use: overly aggressive timeouts disrupt real user sessions.
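The SSH items in the list above and the idle timeout can be checked and applied with a small script. The following is an added example written for this page, not code from the original; the port 2222, the user deploy, the address 203.0.113.10 and the output paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# hardening list and write a hardened drop-in. Port 2222 and the allowed
# user@address are illustrative assumptions.

# Print the first effective value of a directive, lower-cased. sshd uses the
# first occurrence of a directive, so the audit must too; stop at the first
# Match block because values below it are conditional.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print one line per weak setting found; prints nothing for a clean config.
audit_sshd_config() {
    f="$1"
    port=$(sshd_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port: still the default 22 (the first thing scanners hit)"
    fi
    if [ "$(sshd_value "$f" PermitRootLogin)" != no ]; then
        echo "PermitRootLogin: not explicitly no; root is a login target"
    fi
    if [ "$(sshd_value "$f" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication: passwords accepted (default yes); set to no"
    fi
    if [ "$(sshd_value "$f" PubkeyAuthentication)" = no ]; then
        echo "PubkeyAuthentication: disabled; set to yes"
    fi
    if [ "$(sshd_value "$f" PermitEmptyPasswords)" = yes ]; then
        echo "PermitEmptyPasswords: empty passwords allowed; set to no"
    fi
    interval=$(sshd_value "$f" ClientAliveInterval)
    if [ -z "$interval" ] || [ "$interval" = 0 ]; then
        echo "ClientAliveInterval: dead sessions are never reaped (default 0)"
    fi
    if [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "AllowUsers: no user/address allow-list; every account may try to log in"
    fi
    return 0
}

# write_hardened_sshd_config OUTFILE PORT USER@ADDR
# On Ubuntu 20.04+ the stock sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there wins over the
# main file (first occurrence wins).
write_hardened_sshd_config() {
    out="$1" port="$2" allow="$3"
    cat > "$out" <<EOF
Port $port
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers $allow
EOF
}

# write_idle_logout OUTFILE SECONDS: a profile.d snippet. TMOUT logs out a
# shell that receives no input for SECONDS, which ClientAlive* does not do.
write_idle_logout() {
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$2" > "$1"
}

# Demonstration on a constructed weak config in a temp dir.
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitEmptyPasswords yes\n' > "$tmp/weak.conf"
echo "findings for weak.conf:"; audit_sshd_config "$tmp/weak.conf"
write_hardened_sshd_config "$tmp/hardened.conf" 2222 'deploy@203.0.113.10'
write_idle_logout "$tmp/tmout.sh" 900
echo "findings for hardened.conf: $(audit_sshd_config "$tmp/hardened.conf" | wc -l | tr -d ' ')"
rm -rf "$tmp"
```

On a real host write the drop-in to /etc/ssh/sshd_config.d/hardening.conf and the TMOUT snippet to /etc/profile.d/tmout.sh, run `sshd -t` to validate the configuration, and keep your current session open while you restart sshd (the unit is named ssh on Ubuntu) and confirm a new login on the new port works; otherwise a typo locks you out.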

Key pair SSH authentication

SSH key pair authentication is critically important for secure and efficient access to remote servers. Compared with password-based authentication it offers several benefits: a reduced risk of credential theft (the private key never leaves your machine), resistance to brute-force attacks (the key space is far too large to guess), and no credential reuse across systems.

Protect your private key with a strong passphrase

Avoid sharing private keys or passphrases.

Keep your private key secure and back it up in a safe location.

Disable password-based authentication on the server for enhanced security.

Note: if you want to give someone access to your server, do not share your key. Take their public key, add it to the authorized_keys file of the account they will use on your server, and they connect with their own private key.
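The procedure in the note above, as an added example written for this page rather than code from the original: a teammate's public key is installed into the server account with the file permissions sshd requires, optionally restricted to one source address (item 8 of the list). The two public key strings are constructed placeholders, not real key material, and the address 203.0.113.10 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: grant access by installing the
# other person's PUBLIC key; your private key is never copied anywhere.
# The sample keys below are constructed strings, not real key material.

SAMPLE_PUBKEY_ALICE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyAliceNotReal0000 alice@laptop'
SAMPLE_PUBKEY_BOB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyBobNotReal000000 bob@desktop'

# Accept exactly one OpenSSH public-key line (type, base64 blob, optional
# comment). A pasted private key, or a whole file, is rejected.
is_public_key_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# install_authorized_key HOME PUBKEY_LINE [FROM_ADDR]
# Appends the key to HOME/.ssh/authorized_keys with the 0700/0600 permissions
# sshd's StrictModes requires, de-duplicated on the key material. With
# FROM_ADDR the key only works from that address (authorized_keys from= option).
install_authorized_key() {
    home="$1" key="$2" from="$3"
    if ! is_public_key_line "$key"; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF "$blob" "$home/.ssh/authorized_keys"; then
        echo "key already present, nothing to do" >&2
        return 0
    fi
    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$key" >> "$home/.ssh/authorized_keys"
    else
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    return 0
}

# Exit 0 when .ssh is 0700 and authorized_keys is 0600. With StrictModes on,
# sshd ignores a world- or group-writable file and the user is locked out.
check_ssh_perms() {
    dmode=$(ls -ld "$1/.ssh" | cut -c1-10)
    fmode=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    [ "$dmode" = drwx------ ] && [ "$fmode" = -rw------- ]
}

# Demonstration in a temp directory standing in for the account's home.
demo=$(mktemp -d)
install_authorized_key "$demo" "$SAMPLE_PUBKEY_ALICE"
install_authorized_key "$demo" "$SAMPLE_PUBKEY_BOB" 203.0.113.10
check_ssh_perms "$demo" && echo "permissions ok"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

The other side generates the pair on their own machine with `ssh-keygen -t ed25519 -a 100 -C alice@laptop`, choosing a passphrase when prompted, and sends you only the .pub file. The `from=` option is an extra layer on top of the firewall and AllowUsers restriction: even a stolen private key is then useless from anywhere except the listed address.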


SSL :

SSL stands for Secure Sockets Layer, a cryptographic protocol used to establish a secure, encrypted connection between a client (such as a web browser) and a server (such as a website). What is actually deployed today is its successor TLS, but the name SSL has stuck. The purpose is to ensure that data transmitted between the client and the server stays private and protected from eavesdropping, tampering or unauthorized access. Odoo itself serves plain HTTP (port 8069 by default), so TLS is terminated by a reverse proxy such as nginx placed in front of it.


Use certbot to obtain a free Let's Encrypt certificate; follow the steps for your web server and operating system in the installation guide:

https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
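Once certbot has issued the certificate, the reverse proxy in front of Odoo has to be configured and Odoo told that it sits behind a proxy. The following added example (written for this page, not code from the original or from Odoo) generates that nginx site and sets proxy_mode in odoo.conf; the domain odoo.example.com, the Let's Encrypt paths, and the ports 8069 and 8072 (Odoo's defaults for HTTP and the websocket/longpolling worker) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate the nginx site that
# terminates TLS with the certificate certbot issued and forwards to Odoo,
# then turn on Odoo's proxy_mode so it trusts the X-Forwarded-* headers.
# Domain, file paths and ports are illustrative assumptions.

# write_odoo_nginx_site DOMAIN OUTFILE
write_odoo_nginx_site() {
    domain="$1" out="$2"
    sed "s/__DOMAIN__/$domain/g" > "$out" <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80;
    server_name __DOMAIN__;
    return 301 https://$host$request_uri;   # plain HTTP only redirects
}
server {
    listen 443 ssl http2;
    server_name __DOMAIN__;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Headers Odoo reads in proxy_mode to learn the real client IP and scheme.
    # They sit at server level so both locations inherit them; a location
    # that set its own proxy_set_header would drop all of these.
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;
    proxy_http_version 1.1;

    # Odoo 16+ uses /websocket; older releases use /longpolling, same port.
    location /websocket { proxy_pass http://127.0.0.1:8072; }
    location /          { proxy_pass http://127.0.0.1:8069; proxy_redirect off; }
}
EOF
}

# odoo_conf_set FILE KEY VALUE: set KEY = VALUE in odoo.conf idempotently.
# Assumes the usual single [options] section, so an absent key is appended.
odoo_conf_set() {
    file="$1" key="$2" value="$3"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") { if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration with a constructed odoo.conf in a temp dir.
tmp=$(mktemp -d)
write_odoo_nginx_site odoo.example.com "$tmp/odoo.conf.nginx"
printf '[options]\nhttp_port = 8069\nproxy_mode = False\n' > "$tmp/odoo.conf"
odoo_conf_set "$tmp/odoo.conf" proxy_mode True
cat "$tmp/odoo.conf"
rm -rf "$tmp"
```

Issue the certificate with `certbot certonly --nginx -d odoo.example.com` (certonly, because this site file is managed by you rather than by certbot), run `nginx -t` before reloading nginx, and restart Odoo after changing odoo.conf. Without proxy_mode = True Odoo sees every request as coming from 127.0.0.1 over plain HTTP, so its own logs and redirects are wrong and per-IP controls become useless.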

Cloudflare

https://www.cloudflare.com

It is important: with Cloudflare you can not only apply SSL but also proxy the traffic, so your origin IP is hidden. Two caveats: the origin stays hidden only if its firewall accepts web traffic solely from Cloudflare's address ranges (otherwise anyone who learns the IP bypasses the proxy), and the SSL mode should be Full (strict), since the Flexible mode leaves the hop between Cloudflare and your server in plain HTTP.

Bastion server/jumping server

It is also important to allow only the bastion (jump) server to reach the SSH port of your actual server, so an attacker has to get through the bastion first. The bastion itself should run nothing but SSH and be hardened with the same steps as above.

DNS security :

The first layer of security is DNS. It is critical because an attacker who can change your DNS records can point your domain at their own server, intercept mail, and pass domain validation to obtain a certificate for it, gaining access without touching the server at all.

DNS security therefore starts with the registrar and DNS provider accounts: strong credentials with two-factor authentication, a registrar lock against transfers, a short list of people allowed to change records, and DNSSEC where the provider supports it. On the server side, firewalls and access control lists keep your data safe from unauthorized access by controlling who can get in and what they can do once they are inside.

Firewall: 


Ensure a properly configured firewall is in place to block unauthorized access and allow only the necessary traffic to your servers.

Linux distributions such as Ubuntu, CentOS and Debian come with built-in firewall management tools. One is iptables, a powerful and flexible utility available on most distributions, with which you configure rules that control incoming and outgoing traffic. On Ubuntu, ufw is a simpler front-end that produces the same kind of rules, and recent distributions use nftables underneath; whichever tool you use, the policy is the same: default deny inbound, then allow only what is needed.


Open ports 80 and 443 and the custom SSH port; close all other ports. In particular, Odoo's own ports 8069 (HTTP) and 8072 (websocket/longpolling) and PostgreSQL's 5432 must not be reachable from the internet: only the reverse proxy on the same host should talk to Odoo, and only Odoo should talk to the database.
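The rule set described in this section, combined with the bastion-only SSH access from the bastion section, as an added example written for this page (not the page's own or a distribution's code). It generates an iptables-restore file and checks which ports it exposes; the SSH port 2222 and the bastion address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate an iptables-restore
# ruleset that exposes only 80/443 and the custom SSH port (the latter only
# to the bastion) and leaves Odoo's 8069/8072 and PostgreSQL's 5432 closed.
# Port and addresses are illustrative assumptions.

# write_firewall_rules SSH_PORT BASTION_ADDR OUTFILE
write_firewall_rules() {
    ssh_port="$1" bastion="$2" out="$3"
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: nginx -> Odoo on 127.0.0.1:8069/8072 and Odoo -> PostgreSQL
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH only from the bastion, on the non-default port
-A INPUT -p tcp -s $bastion --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# public web traffic (add -s with Cloudflare's ranges if the DNS record is proxied)
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# everything else, including 8069, 8072 and 5432, hits the DROP policy
COMMIT
EOF
}

# ruleset_opens_port FILE PORT: exit 0 if some ACCEPT rule admits connections
# to PORT from any source (no -s restriction), else 1. Use it as a regression
# check before loading a ruleset: Odoo's ports must never answer 0.
ruleset_opens_port() {
    grep -E -- '-j ACCEPT' "$1" \
        | grep -v -- ' -s ' \
        | grep -Eq -- "--dports? ([0-9]+,)*$2(,[0-9]+)*( |\$)"
}

# Demonstration in a temp dir.
tmp=$(mktemp -d)
write_firewall_rules 2222 203.0.113.10 "$tmp/rules.v4"
for p in 80 443 2222 8069 8072 5432; do
    if ruleset_opens_port "$tmp/rules.v4" "$p"; then
        echo "port $p: open to the world"
    else
        echo "port $p: closed or restricted"
    fi
done
rm -rf "$tmp"
```

Load it with `iptables-restore --test /etc/iptables/rules.v4` first and then without --test, from a session you are sure survives (the ESTABLISHED rule keeps the current SSH connection alive); the iptables-persistent package on Ubuntu reloads the file at boot. IPv6 needs an equivalent ip6tables ruleset, or the host is wide open over IPv6 while IPv4 is locked down. The ufw equivalent is `ufw default deny incoming`, `ufw allow from 203.0.113.10 to any port 2222 proto tcp` and `ufw allow 80,443/tcp`.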



Ransomware attack

Ransomware is malware designed to deny a user or organization access to the files on their systems. By encrypting those files and demanding a ransom payment for the decryption key, attackers put organizations in a position where paying appears to be the easiest and cheapest way to regain access.

Note: Backup and recovery: back up your data regularly and test that you can actually restore the backups. For Odoo a complete backup is the PostgreSQL dump of the database plus the filestore directory holding the attachments; keep at least one copy offline or on storage the server itself cannot overwrite, so that ransomware running on the server cannot encrypt the backups as well.



Honeypot

A honeypot is a specially designed piece of software that mimics another system, normally with services that look vulnerable but are not, in order to attract the attention of an attacker sneaking through your network and to alert you to their presence.