What's coming in Cloudron 6.3

girish

Before Cloudron 7, we need some more work to make the single server install secure. For this reason, we will spend some time first with the following:

• (Security) - Inform users about new browser/IP logins.
• (Security) - Better email monitoring/visibility for admins. @d19dotca raised many important posts and there's also existing ones. We have to read the posts in more detail and discuss internally before we give more details on what we plan to do here. (moved to next release)
• (Security) - Add a way to secure/limit access to specific apps and dashboard. For example, a set of apps are public and the rest are only accessible via wireguard/openvpn. This combined with mandatory 2FA for dashboard will make good security. (moved to next release)
• Reduce/remove some notifications. It seems a bit noisy.
• Fix email situation for Go apps like Statping, Commento that are having trouble sending mails via our email server.
• Make email setup inside apps optional. This will make it possible to configure specific apps to use some external service for mail delivery directly and the Cloudron package won't touch their mail settings.
• Volumes - make mounting easier by automating fstab/exports entries
• Move TURN server to port 443. (moved to next release)
• As a pre-requisite for Cloudron 7 multi-host feature, we have to move file system data into the database. Much grunt work to be done here.
• Vultr DNS
• Vultr Object Storage

girish

@girish said in What's coming in Cloudron 6.3:

Make email setup inside apps optional. This will make it possible to configure specific apps to use some external service for mail delivery directly and the Cloudron package won't touch their mail settings.

This one is implemented now in the Email view. The app package has to explicitly say whether it supports this feature or not using the optional flag to the sendmail addon.

mdreira

@girish Good job!

Now with Mautic we have to use Amazon SES, but if all these improvements are implemented in the Cloudron mail server, we can forget about Amazon.

imc67

@girish said in What's coming in Cloudron 6.3:

(Security) - Inform users about new browser/IP logins.

I was already thinking for days to express my concerns about security on Cloudron, so happy to see some improvements.

But also I would like to invite @girish and @nebulon to get inspiration from the Wordpress plug-in called Wordfence. Wordfence imho needs to be installed by default in Wordpress and they have excellent security measures and management (also in the free version), here some I would like to see on Cloudron:

• don't inform users about new browser/IP/location logins but the Admin, users usually don't even know what an IP is. In Wordfence there is a setting to inform the Admin (via email and log) about new IP/browser/location of either admins and/or users
• create a separate login log GUI with successful and especially unsuccessful login attempts and also on the "individual log record" the possibility to block the, either misused username or login IP for x-time or forever
• when you notice login attempts of non-existing users, also create the possibility to create a blocking list of non-existing usernames that are commonly misused and block them forever
• extend user setting: https://forum.cloudron.io/post/24708
• IP logging in apps with real IP, in https://forum.cloudron.io/post/24706 it's solved but many other apps like Freescout it's still the docker IP
• GEO blocking of countries: https://forum.cloudron.io/post/19901
• make the login rate limiting configurable: https://docs.cloudron.io/security/#rate-limits
• make the activity log also log every LDAP login (attempt), not only replace the LDAP login log record by the last login attempt

d19dotca

@imc67 I definitely agree, lots of areas for improvements.

I do have one item of your post I wanted to share my two cents on though...

Wordfence imho needs to be installed by default in Wordpress

This is just my personal view so take it with a grain of salt of course, I don't think there's really any right or wrong way to it. My two cents...

I have the belief that we should aim to keep all apps (WordPress included) about as close to default as the developer intended for the app, leaving Cloudron to just handle the default user and mail config for the app, etc. I think it's a bit of a slippery slope to add in all these extras regardless of how important they may be for certain use-cases, because the line needs to be drawn somewhere of course and deciding where that line is isn't particularly clear. In such a case, I'd ere on the side of "keep it as close to default as possible as intended by the developer" to stay free of any tightrope walking so-to-speak. haha.

For WordPress in particular, there's practically hundreds of thousands of plugins available, some of which are "default installs" in my environments where I have a template setup with the ones I use all the time for example, but I would never want to force my defaults on others because what works for me or the plugins I prefer to use may not work or be preferred by other users. Security plugins are one area where there's a ton of them, and there was a similar discussion not too long ago I had regarding a suggestion for including a caching plugin by default too.

And that's kind of the slippery slope I am referring too... what is the criteria for when a "default plugin suggestion" gets approved, and when would one get denied?

I just really want to see apps be as close to default as possible. But of course that's just my two cents. I'm sure many might disagree with me. haha.

I totally agree with the rest of your suggestions though, I would love to see the improvements for additional security in the Cloudron server itself. I completely forgot about the GEO-blocking request for countries, that'd be pretty great to have!

mehdi

@girish said in What's coming in Cloudron 6.3:

As a pre-requisite for Cloudron 7 multi-host feature, we have to move file system data into the database. Much grunt work to be done here.

I am not sure I understand what you mean by that. Could you expand a bit on this please?

imc67

@d19dotca said in What's coming in Cloudron 6.3:

I totally agree with the rest of your suggestions

it wasn’t my intention at all to suggest to add Wordfence by default in the Cloudron package as indeed everyone has to decide themselves. Personally I install it in every Wordpress site I manage.

jdaviescoates

@imc67 said in What's coming in Cloudron 6.3:

Personally I install it in every Wordpress site I manage.

Me too.

ruihildt

Great you're spending time on notifications and email!

I like the idea of a centralized place where you can configure which type of notifications you get(Platform update available/completed, app update available/completed, app error, backup error/completed, etc.), and where(email, dashboard, webhook, etc.).

A bit like Facebook, Twitter have.

d19dotca

@imc67 said in What's coming in Cloudron 6.3:

it wasn’t my intention at all to suggest to add Wordfence by default in the Cloudron package as indeed everyone has to decide themselves. Personally I install it in every Wordpress site I manage.

Oh my bad, sorry I misunderstood the intention there.

girish

@girish said in What's coming in Cloudron 6.3:

Fix email situation for Go apps like Statping, Commento that are having trouble sending mails via our email server.

our patch got merged upstream for this - https://github.com/haraka/Haraka/pull/2940

mdreira

@girish said in What's coming in Cloudron 6.3:

@girish said in What's coming in Cloudron 6.3:

Make email setup inside apps optional. This will make it possible to configure specific apps to use some external service for mail delivery directly and the Cloudron package won't touch their mail settings.

This one is implemented now in the Email view. The app package has to explicitly say whether it supports this feature or not using the optional flag to the sendmail addon.

@girish In 6.2.7 update this should already be implemented, right? I thought I read it in the changelog.

However I have not yet seen this option in the applications.

girish

@mdreira the feature is only in 6.3 (not released) and not 6.2.

mdreira

@girish Thank you. I am looking forward to that day! I need this feature very much.

Do you have any planned date when update 6.3 will be released?

girish

@mdreira It doesn't have a release date yet. But it should be out end of april for sure.

girish

There's an option now for admins to reset user's 2FA:

girish

Mailboxes and lists can be individually set as active/inactive. When inactive, you cannot login to the mailbox and mails will bounce:

robi

@girish said in What's coming in Cloudron 6.3:

There's an option now for admins to reset user's 2FA:

Perhaps change the button to say "Reset 2FA"

d19dotca

Just wanted to check in and see how 6.3 is coming along.

Any ETA by chance? I'm super excited for these email improvements many of us have been requesting, particularly the DNSBL checks; greylisting; blocklist & whitelist auto-updating/DNSWL; email autoexpunge; and not forwarding spam to mailing lists. I know that's a lot, lol.

I know many of them came from me, haha, so if you want to discuss any of them or want clarification on the requests, I'd be happy to help offer guidance or clarification.

girish

@d19dotca Thanks for checking We haven't gotten to the email part yet. I am fixing up the notification issues. Once I do that, I want to look into the wireguard/VPN thing before I get into email. @nebulon is working on the login history and I think that is mostly done. He is also working on the volume mounting (i.e will automatically setup fstab entries).

I don't have an ETA, will have a better idea next week. It's been a bit slow this week. I had my pfeizer vaccine, yay and now the sideeffects are gone, so I can go back to being productive