Odoo Security Best Practices: Hardening Your Server in 2026
Odoo security best practices for 2026: firewall configuration, SSH hardening, database encryption, rate limiting, and preventing the most common attack vectors.
Why Odoo servers are targeted
Odoo instances contain valuable business data: customer information, financial records, pricing strategies, and supplier contacts. A compromised Odoo server can lead to data theft, ransomware, or business disruption.
Small and mid-size Odoo deployments are frequent targets because they often run with default configurations, weak passwords, no firewall rules, and unpatched software. Attackers scan the internet for Odoo login pages, attempt credential stuffing with leaked password databases, and exploit known vulnerabilities in outdated Odoo versions.
1. Use strong, unique database passwords
The PostgreSQL database password is in /etc/odoo/odoo.conf in plain text. If an attacker gains read access to this file, they have direct database access.
What to do:
- Generate a random password from 32 bytes of entropy (base64-encoded): openssl rand -base64 32
- Update db_password in odoo.conf
- Restart Odoo and PostgreSQL
- Never reuse this password anywhere else
Set file permissions:
sudo chmod 600 /etc/odoo/odoo.conf
sudo chown odoo:odoo /etc/odoo/odoo.conf
This ensures only the odoo user can read the config file.
2. Restrict database access to localhost
By default, PostgreSQL listens on all network interfaces. This means anyone who can reach your server on port 5432 can attempt to connect to the database.
Edit /etc/postgresql/*/main/postgresql.conf:
listen_addresses = 'localhost'
Edit /etc/postgresql/*/main/pg_hba.conf and ensure only local connections are allowed:
local   all   all                 peer
host    all   all   127.0.0.1/32  md5
Restart PostgreSQL:
sudo systemctl restart postgresql
Now PostgreSQL only accepts connections from the same server where Odoo runs.
3. Configure a firewall and allow only necessary ports
An open firewall is an invitation. Close all ports except those you explicitly need.
Ports to allow:
- 22 (SSH): restrict to your office IP if possible
- 80 (HTTP): for Let's Encrypt renewal
- 443 (HTTPS): for the Odoo web interface
Block everything else:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Advanced: Restrict SSH to specific IPs
If your office has a static IP, allow SSH only from that IP:
sudo ufw delete allow 22/tcp
sudo ufw allow from YOUR_OFFICE_IP to any port 22
This blocks SSH brute-force attempts from every address other than your office IP.
4. Disable the Odoo database manager
The Odoo database manager (accessible at /web/database/manager) allows anyone to create, drop, duplicate, or restore databases if the master password is weak or default.
In odoo.conf, set:
list_db = False
This disables the database selector and manager interface. Users can only access the database specified in db_name or via db_filter. The database manager becomes unreachable even if someone knows the master password.
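A small audit script that checks the settings from sections 1, 2 and 4, added here as an example and not code from the article or from ServerChest. It flags list_db left on, a short db_password, a missing or default admin_passwd, a config file readable by group or other, and pg_hba.conf host rules that admit anything beyond loopback; the two sample config texts are constructed.

```python
import configparser
import stat

# Constructed odoo.conf carrying the weak settings this article warns about.
WEAK_ODOO_CONF = """[options]
db_host = 127.0.0.1
db_user = odoo
db_password = odoo
admin_passwd = admin
list_db = True
"""

# Constructed pg_hba.conf whose last rule still admits a remote connection.
WEAK_PG_HBA = """local   all   all                 peer
host    all   all   127.0.0.1/32  md5
host    all   all   0.0.0.0/0     md5
"""

def audit_odoo_conf(text, mode=None):
    """Return hardening findings for an odoo.conf body; mode is the file's st_mode, if known."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    opts = cfg["options"]
    findings = []
    if opts.get("list_db", "True").strip().lower() != "false":
        findings.append("list_db is not False: the database manager is reachable")
    if len(opts.get("db_password", "")) < 32:
        findings.append("db_password is short: regenerate with openssl rand -base64 32")
    if opts.get("admin_passwd", "") in ("", "admin"):
        findings.append("admin_passwd missing or default: set a strong master password")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config readable by group/other: chmod 600 /etc/odoo/odoo.conf")
    return findings

def audit_pg_hba(text):
    """Flag pg_hba.conf host rules that accept anything other than the loopback address."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("#"):
            continue  # comments and 'local' (Unix socket) rules carry no address to check
        kind, addr = parts[0], parts[3]
        if kind.startswith("host") and addr not in ("127.0.0.1/32", "::1/128"):
            findings.append(f"{kind} rule allows {addr}: restrict to 127.0.0.1/32")
    return findings
```

For a real server pass the file contents and os.stat(path).st_mode from /etc/odoo/odoo.conf and the text of pg_hba.conf.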
5. Keep Odoo and dependencies updated
Security vulnerabilities are discovered regularly in Odoo, Python libraries, and system packages. Unpatched servers are easy targets.
Monthly maintenance checklist:
1. Check Odoo's GitHub releases for security patches
2. Update Odoo to the latest minor version (e.g., 17.0.5 → 17.0.6)
3. Update system packages: sudo apt update && sudo apt upgrade
4. Update Python dependencies: pip install --upgrade -r requirements.txt
5. Restart Odoo after updates: sudo systemctl restart odoo
Subscribe to security announcements:
- Odoo security advisories: https://www.odoo.com/security
- Ubuntu security notices: https://ubuntu.com/security/notices
If a critical CVE is announced, patch immediately; do not wait for the next monthly cycle.
6. Enable HTTPS and use strong SSL certificates
Running Odoo over HTTP transmits passwords, session tokens, and data in plain text. Anyone on the network path can intercept credentials.
Use Let's Encrypt (free, auto-renewing):
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d odoo.yourcompany.com
Certbot automatically configures Nginx to:
- Redirect HTTP → HTTPS
- Use strong cipher suites
- Enable HSTS (HTTP Strict Transport Security)
Test your SSL configuration:
https://www.ssllabs.com/ssltest/
Aim for an A+ rating. If you score lower, adjust cipher suites and enable OCSP stapling.
7. Implement rate limiting for login attempts
Brute-force attacks on /web/login are common. Attackers try thousands of username/password combinations from leaked databases.
Nginx rate limiting:
Add to /etc/nginx/sites-available/odoo. The limit_req_zone line is only valid in the http context, so it goes at the top of the file, outside the server block; the location block goes inside your existing server block:
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /web/login {
    limit_req zone=login burst=2;
    proxy_pass http://127.0.0.1:8069;
}
This allows 5 login attempts per minute per IP, with a burst of 2. Further attempts receive a 503 error (Nginx's default limit_req_status).
Reload Nginx:
sudo systemctl reload nginx
Fail2ban (system-wide protection):
sudo apt install fail2ban
Configure a jail for Odoo in /etc/fail2ban/jail.local:
[odoo]
enabled = true
port = http,https
filter = odoo
logpath = /var/log/odoo/odoo-server.log
maxretry = 5
bantime = 3600
This bans IPs that trigger 5 failed login attempts within 10 minutes (fail2ban's default findtime) for one hour. The filter line refers to /etc/fail2ban/filter.d/odoo.conf, which you must create yourself: fail2ban ships no Odoo filter, and its failregex has to match the "Login failed for db:... login:... from <ip>" lines Odoo writes to the log.
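The jail is only as good as the filter behind it. The following script, added here as an example and not code from the article or from ServerChest, replays the maxretry/findtime/bantime rule over Odoo's own "Login failed" log lines so you can check which IP the jail above would ban; the log lines are constructed, and the regex assumes Odoo's logged message format is unchanged in your version.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Odoo logs one line per failed login: "<ts> <pid> INFO <db> <logger>: Login failed for
# db:<db> login:<user> from <ip>". This regex mirrors the failregex Odoo's deployment
# docs suggest for fail2ban, with the timestamp and source IP captured.
FAILED_LOGIN = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \d+ INFO \S+ \S+ "
    r"Login failed for db:\S+ login:\S+ from (\S+)$"
)

# Constructed sample of /var/log/odoo/odoo-server.log: one address hammering
# /web/login with several logins, one user who mistyped a password twice.
SAMPLE_LOG = """\
2026-01-10 09:00:01,120 4321 INFO odoo17 werkzeug: 198.51.100.7 - - [10/Jan/2026 09:00:01] "POST /web/login HTTP/1.1" 200 -
2026-01-10 09:00:01,130 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:alice from 198.51.100.7
2026-01-10 09:00:05,002 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:admin from 203.0.113.5
2026-01-10 09:00:06,014 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:admin from 203.0.113.5
2026-01-10 09:00:07,201 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:administrator from 203.0.113.5
2026-01-10 09:00:08,330 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:admin from 203.0.113.5
2026-01-10 09:00:09,441 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:odoo from 203.0.113.5
2026-01-10 09:00:30,900 4321 INFO odoo17 odoo.addons.base.models.res_users: Login failed for db:odoo17 login:alice from 198.51.100.7
"""

def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Replay the jail rule: maxretry failures from one IP within findtime seconds
    produce a ban of bantime seconds. Returns {ip: ban expiry as datetime}."""
    recent = defaultdict(deque)  # per-IP timestamps inside the sliding window
    bans = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # request logs and other INFO lines never count as failures
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and when < bans[ip]:
            continue  # a banned IP is firewalled, so nothing new from it is counted
        window = recent[ip]
        window.append(when)
        while window and (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = when + timedelta(seconds=bantime)
            window.clear()
    return bans
```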
8. Audit user permissions regularly
Employees leave, roles change, and contractors finish projects, but their Odoo accounts often remain active with full access.
Quarterly user audit:
1. Review all active users in Settings → Users & Companies
2. Disable accounts for users who no longer need access
3. Remove "Administrator" rights from users who do not need full system access
4. Verify multi-company access rules are correct
5. Check API keys and deactivate unused ones
Principle of least privilege:
Each user should have the minimum access required to do their job. A warehouse worker does not need accounting module access. A salesperson does not need Settings access.
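An added example, not code from the article or from ServerChest, that turns steps 1 to 3 of the quarterly audit into a script: fetch_users pulls active internal users over Odoo's XML-RPC API (the url, db, login and api_key are placeholders you supply, and ir.model.data.check_object_reference is assumed available in your Odoo version), while audit_users flags administrators, never-used accounts and stale accounts from records in the shape search_read returns. The SAMPLE_USERS records are constructed.

```python
import xmlrpc.client
from datetime import datetime, timedelta

# XML ID of the "Administration / Settings" group, i.e. full system access.
ADMIN_GROUP_XMLID = ("base", "group_system")

# Constructed records in the shape res.users search_read returns (login_date is
# False for a user who has never logged in; groups_id lists res.groups ids).
SAMPLE_USERS = [
    {"login": "alice", "login_date": "2026-03-01 08:12:00", "groups_id": [1, 2]},
    {"login": "bob", "login_date": "2025-10-02 17:40:11", "groups_id": [1]},
    {"login": "contractor", "login_date": False, "groups_id": [1, 2]},
]

def fetch_users(url, db, login, api_key):
    """Pull active internal users from a live server (placeholder connection details;
    check_object_reference is assumed to exist on ir.model.data in your version)."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, api_key, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def call(model, method, args, kwargs=None):
        return models.execute_kw(db, uid, api_key, model, method, args, kwargs or {})

    _, admin_gid = call("ir.model.data", "check_object_reference", list(ADMIN_GROUP_XMLID))
    users = call("res.users", "search_read",
                 [[["active", "=", True], ["share", "=", False]]],
                 {"fields": ["login", "login_date", "groups_id"]})
    return users, admin_gid

def audit_users(users, admin_gid, now, stale_days=90):
    """Return (login, reason) pairs: administrators to confirm, accounts that never
    logged in, and accounts idle for more than stale_days."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for u in users:
        if admin_gid in u["groups_id"]:
            findings.append((u["login"], "has Administration/Settings rights: confirm it is still needed"))
        last = u["login_date"]
        if not last:
            findings.append((u["login"], "never logged in: disable until needed"))
        elif datetime.strptime(last, "%Y-%m-%d %H:%M:%S") < cutoff:
            findings.append((u["login"], f"no login since {last}: disable"))
    return findings

def audit_sample():
    """Run the audit on the constructed records as of 2026-04-01 with group id 2 as admin."""
    return audit_users(SAMPLE_USERS, 2, datetime(2026, 4, 1))
```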
How ServerChest helps with security
ServerChest includes security-focused features in its monitoring and audit system:
Real-time alerts:
- SSH login attempts from unknown IPs
- Failed Odoo login bursts (potential brute-force)
- Firewall rule changes
- Unauthorized sudo commands
Audit log:
Every action taken via ServerChest (backup, restart, config change) is logged with timestamp, user, and IP. This creates accountability and makes post-incident investigation possible.
Automatic updates:
ServerChest can notify you when Odoo security patches are released, or automatically apply system package updates on a schedule you control.
Backup encryption:
Backups can be encrypted with AES-256 before upload to cloud storage, ensuring that even if someone gains access to your Google Drive or S3 bucket, they cannot read the data.