Security Feature: Cloudron Should Manage TURN Server Ports
-
Since Cloudron already manages "allowed ports" internally, I think that adding TURN server ports to this list is a necessary security feature. Here are the details:
Background:
Several Cloudron users have reported that unwanted (hacking?) attempts are being made to connect to their Cloudron's TURN server despite the fact that no installed apps utilize TURN.
Server resources (256MB RAM + application logs) are being wasted when no app needs an operational TURN server.
Managing this external to the Cloudron server via firewall or proxy leaves the potential for a support issue when a user adds an app that needs TURN, but forgets to update their firewall and enable the ports. (Note: Also, this solution just blocks the connection, but still wastes resources).
Proposal:
Have Cloudron handle TURN server management (resources, ports) internally with the following logic:
(1) If an app requires TURN server access (this should be declared in the app manifest), then the TURN server container should be "brought up" if not already enabled, resources (memory) deployed according to the configuration, and TURN ports permitted in the firewall.
(2) If no apps use TURN, then the server should be disabled (ideally the container itself), and TURN ports blocked by the internal Cloudron firewall automatically.
Perhaps a "first step" would be, during Cloudron boot, to disable TURN ports (firewall) if no app needs TURN, leaving the container operational as is. This would accomplish the needed security, and with no connections being possible, the actual RAM utilization should be almost zero.
Everyone, please feel free to add/delete/modify as you see fit!
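As an added illustration of the proposed logic (example code, not Cloudron's own), the snippet below derives the desired TURN state from the installed app manifests and lists the firewall/container actions needed to reach it, including the "first step" ports-only mode. The manifest layout (`"addons": {"turn": {}}`), the port list and the sample manifests are assumptions constructed for this example.

```python
# Added example, not Cloudron code: reconcile TURN service state from app manifests.
# Assumed: an app declares TURN via "addons": {"turn": {}}; TURN_PORTS is illustrative.
TURN_PORTS = [("tcp", 3478), ("udp", 3478), ("tcp", 5349), ("udp", 5349)]  # assumed values


def apps_needing_turn(manifests):
    """Return the ids of apps whose manifest declares the (assumed) 'turn' addon."""
    return sorted(m["id"] for m in manifests if "turn" in m.get("addons", {}))


def desired_turn_state(manifests):
    """Full proposal: container running and ports open only while some app needs TURN."""
    needed = bool(apps_needing_turn(manifests))
    return {"container": "running" if needed else "stopped", "ports_open": needed}


def reconcile(current, manifests, ports_only=False):
    """Return the actions that move `current` to the desired state.

    ports_only implements the proposal's "first step": leave the container
    as it is and only toggle the firewall rules for the TURN ports.
    """
    desired = desired_turn_state(manifests)
    actions = []
    if not ports_only and current["container"] != desired["container"]:
        actions.append(("container", "start" if desired["container"] == "running" else "stop"))
    if current["ports_open"] != desired["ports_open"]:
        verb = "allow" if desired["ports_open"] else "block"
        actions += [("firewall", f"{verb} {proto}/{port}") for proto, port in TURN_PORTS]
    return actions


# Constructed sample manifests: only "chat" declares the TURN addon.
MANIFESTS = [
    {"id": "wiki", "addons": {"postgresql": {}}},
    {"id": "chat", "addons": {"turn": {}, "redis": {}}},
    {"id": "static"},  # no addons key at all
]

if __name__ == "__main__":
    boot_state = {"container": "running", "ports_open": True}
    print(reconcile(boot_state, MANIFESTS))                 # nothing to do, chat needs TURN
    print(reconcile(boot_state, MANIFESTS[:1] + MANIFESTS[2:], ports_only=True))  # block ports only
```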
-
I think "people" have a fundamental lack of understanding of what constitutes a "hacking attempt".
Open ports are being probed 24/7 on all online systems. That's just background noise, nothing insecure about it. On the contrary, the fact that they see these attempts means security is WORKING JUST FINE.
-
Hello @crazybrad
It might be a good idea to manage all Cloudron Services like that.
If not needed by any app, have the service ready, but stopped.
This would also save resources.
This needs investigation to see whether it is even possible and whether it could have negative side effects with the current internal Cloudron logic.
-
@james I like your thinking. This might allow for better hardware utilization on smaller servers. @svtx I get that some TURN queries are legitimate. But I would think that a service utilizing TURN would broadcast this to others so that they can "connect". Since I am not broadcasting, I am not sure why people are probing for TURN connections. I guess I am jaded by the thousands of unauthorized SSH attempts I see on all my servers each day. So my bias has shifted from "trust, but verify" to "distrust and verify when someone complains".