Cloudron Forum

Cloudron uses iptables on the system to open required ports. Those ports depend on the apps which are installed.
The full script, which configures iptables can be found at https://git.cloudron.io/platform/box/-/blob/master/setup/start/cloudron-firewall.sh?ref_type=heads

For the blocked IPs, we use ipset together with thecloudron_blocklist https://git.cloudron.io/platform/box/-/blob/master/src/scripts/setblocklist.sh?ref_type=heads

I was about to write a long time ago that the parameter for resetting SSH has changed:

sudo systemctl restart ssh.socket

All my searches lead to dead ends. Like https://serverfault.com/questions/643616/best-way-to-trace-outgoing-requests-from-a-server and https://www.reddit.com/r/sysadmin/comments/384q3b/my_server_was_just_suspended_because_of_a/ .

@sp121 do you have a cloud firewall ? One recommendation is to stop all outbound traffic altogether. Most apps don't need to make outbound requests anyway. Slowly start whitelisting outbound traffic. Is this an option?

@cocam123 Cloudron does not support installing external software as such. With that warning, https://docs.cloudron.io/networking/#whitelist-ports will help you expose the port. Cloudron has it's own firewall written on top of iptables and does not use ufw.

We haven't added a way to add custom persistent iptables rules . For SSH though, just move it port 202 and disable root auth and password auth. This usually cuts down all bots to 0.

@thoresson yes. If you have a Cloud firewall, you can also whitelist just your IP for port 222.

@girish ah ok, thanks, will try that!

Yes i adjusted firewall. Added 443 port and now it works

@darsh_parsana

/home/yellowtent/box/setup/start/cloudron-firewall.sh is on the root system, not inside any container.
You can just edit the file directly via ssh.

@tgatellier I had to activate a Cloudflare DNS Proxy to achieve this on one Wordperss instance. Now I'm testing 8G Firewall suggested from @jagan . I think Cloudron should have some feature to achieve this ...

Now, combine this with something like Wireguard or Tailscale and limit access to certain apps (Vaultwarden, Nextcloud, etc.) to users connected to such VPN - that would be the dream

Interesting. So, from @necrevistonnezr's like the hosts.allow/hosts.deny may not work in the future. "Note: this might not be an option on modern distributions, as support for tcpwrappers was removed from OpenSSH 6.7"

Yeah. I know what you mean. Ok I will start afresh 🙂
With this information now it will be ok to configure from scratch.

Many thanks

Jan

@d19dotca said in Blocked IP addresses in Cloudron but still able to access WordPress sites:

I know that this feature was likely originally intended to be a manual update rather than importing a giant list and works well for that, but as threats/spam become more common place, I think we’ll need Cloudron to keep up. Is it possible to prioritize improving this feature soon for us to allow thousands of IP addresses being added?

Fully agree! A strong network filter / block would be another USP

@d19dotca right, the 30d one seems to be 54975 size. I have increased the size of the ipset now to 262144 elements. If these things are growing more, we can look into making this size dynamic .

@bigvictorio At this point, no. But feel free to open feature requests and we can add firewall features as needed.

Yes I think so can confirm it works thank you.
image.png

@macone see https://docs.cloudron.io/email/#firewall

@MisterJD see https://forum.cloudron.io/post/40906 and https://www.simplified.guide/ssh/auto-block-failed-attempts