Skip to content

Instructions

Odoo is an open source ERP & CRM server. Manage all aspects of your business with Odoo, including Website, Ecommerce, Inventory managment, POS, etc.

SSH Into the server:

  • Utilize Google SSH Console or setup ssh keys or password.

Login to Odoo:

  • https://ip-of-server
  • Accept the auto-generated self signed cert, you can add your own certs in /etc/apache2/sites-available/apache.conf later.
  • Odoo is secure and allows the user to set the master password , DB Name & User login at first access.
  • You can choose to use the randomly generated password or use your own.
  • To change the randomly generated password, simply refresh the page and will generate a new one.
  • Please fill in all the fields that it is asking: ( Make sure to save your password info. )
Master Password: ( Make your own , or refresh to regenerate a new one. )
Database Name: odoo
Email: ( Your Email )
Password: ( Your Password )
Phone Number: ( Optional - Your Phone Number )
Language: ( Your Language )
Country: ( Your Country )
* Select Create Database

  • Please be patient , it takes a few minutes to initialize your chosen settings.
  • Once complete it will redirect you to a login page:
https://IP-OF-Server/web/login
Email: ( Your Email)
Password: ( Your Password)
  • Once Logged in , you will be taken to the apps page, select which ones to activate.
  • Please be patient, after clicking activate , take a few minutes to install .

Settings:

  • Email Signature: Dashboard > Top Right Icon > Preferences > Can customize Email Signature > Save
  • Time Zone: Dashboard > Top Right Icon > Preferences > 1st - Set time zone from Linux Terminal:
timedatectl list-timezones
# Ex:
timedatectl list-timezones | grep New_York
sudo timedatectl set-timezone America/New_York
# From Odoo UI
Dashboard > Top Right Icon > Preferences > Select Timezone > EX: (America/New_York) > Save 
  • MFA: Dashboard > Top Right Icon > Preferences > Account Security > Toggle 2FA

View Modsec logs:

  • Test Modsec:
# From the Odoo server:
sudo tail -f /var/log/modsec_audit.log
# Then run from you host system terminal:
curl -I "http://IP-OF-SERVER/index.html?test=<script>alert(1)</script>"
  • Modescurity is currently in Detect Mode Only, If you want to actively block, then make these changes:
sudo vim /etc/apache2/mods-enabled/security2.conf
    SecRuleEngine On
    # SecRuleEngine DetectionOnly 

sudo systemctl daemon-reload
sudo systemctl restart apache2

Security Features:

  • Auditd - https://decyphertek.readthedocs.io/en/latest/technotes/Auditd/
  • Crowdsec - https://decyphertek.readthedocs.io/en/latest/technotes/Crowdsec/
  • UFW - https://decyphertek.readthedocs.io/en/latest/technotes/UFW/
  • Apache - https://httpd.apache.org/docs/
  • Modsecurity - https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)
  • Automated Updates - Crontab runs at reboot and at 3am every morning.

References:

  • https://www.odoo.com/documentation/17.0/