Cloudron Forum

@macone see https://docs.cloudron.io/email/#firewall

@MisterJD see https://forum.cloudron.io/post/40906 and https://www.simplified.guide/ssh/auto-block-failed-attempts

@justjulian said in Make iptables changes persistent: How could an integration with Wireguard look like? Would one add a list of Wireguard user to the Cloudron settings or what would you suggest? I don't have the design for this (yet). It's quite a big project, so I will leave my notes in the main 7.4 release thread as we implement them.

@girish wait ... true [image: 1654545805187-6a136902-e13f-47d9-b8be-68193a8688b4-image.png]

@girish So I disabled the port forward rule in my router and it resolved the issue. Thank you!

@alexdimarco said in Does cloudron block bogon networks?: One of the wifi networks (I do not have control over) uses bogon IP space for addressing. When connected to this network I cannot access any Cloudron servers. Do they block bogon? If so, how can I white list a network - in specific 100.64.0.0/10? Cloudron blocks nothing by default.

@girish & @mehdi - thanks for your advice! It gave me the idea to Tailscale. I installed it on the Cloudron server and was able to successfully mount a shared folder from my Synology using cifs. However, even though the data persists between reboots, I don't see the data on the Synology, even when I'm logged in as the root user. I'm not quite the linux expert, but I noticed that when I changed Nextcloud's appdata folder to point to the mount, it created it as a "root" user. On the Synology, I created a Cloudron user that has the necessary permissions and I mounted the shared folder with the Cloudron user, password, and domain. So, I'm thinking this has something to do with user IDs not matching up or something like that. I'm nervous about moving forward since I can't actually see the data on my Synology. Would you or anyone else have any advice? By the way, this is how I mounted it: sudo mount -t cifs -o credentials=/etc/nas-credentials,vers=3.0 //nas/Cloudron /mnt/nas In fstab, the command is: //nas/Cloudron cifs -o credentials=/etc/nas-credentials,vers=3.0,_netdev,auto 0 0 Thanks for all your help!

@potemkin_ai thanks for reporting. It seems nfs-common depends on rpcbind which starts the service at port 111. rpcbind is only needed for NFSv3 . I have disabled rpcbind in the next release (8.0.1) . Cloudron only supports NFSv4 out of the box.

@imc67 essentially the patch for this is https://git.cloudron.io/cloudron/box/-/commit/eb0662b2455e0687ab3ce5dd02d2466e16670092 so two files need to be adjusted. The .ejs file is a template which will result in /etc/nginx/applications/my.<domain.com>.conf so besides the editing the .ejs file additionally edit that file and then systemctl restart nginx and systemctl restart box.

@wind-gmbh FWIW, we don't use the upstream distro packages. We use the packages straight from nginx.org since they provide better security fixes - https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/ . Looks like https://nginx.org/packages/ubuntu/pool/nginx/n/ is the pre-built modules they have.

@reachableceo thanks for the update!

@jodumont I recently posted about crowdsec under feature requests. I think crowdsec is more appropriate, afaik, for cloudron

@girish Awesome. Thank you for the help!

hey @nebulon, no, only 2-3 ports tcp/udp (wireguard/snmp/ssh) and it happened inbetween again, without any reboots/upgrades/etc. I got notfied by network mgmgt system, that my cloudron server is down - luckily it was just the firewall…

@fbartels I do believe you.

@nebulon Fantastic, thank you!

@girish said in Restrict Dashboard Access - Cloudron v6.1.2: @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet. I didn't test the solution yet, found it with people referring as a working one, so I have hopes. The idea is to modify /etc/ufw/after.rules to contain: # BEGIN UFW AND DOCKER *filter :ufw-user-forward - [0:0] :ufw-docker-logging-deny - [0:0] :DOCKER-USER - [0:0] -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j RETURN -s 10.0.0.0/8 -A DOCKER-USER -j RETURN -s 172.16.0.0/12 -A DOCKER-USER -j RETURN -s 192.168.0.0/16 -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16 -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8 -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12 -A DOCKER-USER -j RETURN -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] " -A ufw-docker-logging-deny -j DROP COMMIT # END UFW AND DOCKER Why not just enable 2FA on the dashboard? It's a different security layer. 2FA relies on the code, which is much more complicated, as opposed to network level filtering. What is more complicated could have more issues. So, whenever possible, I close any code from outside access - everything have bugs, some of them are in security space, even if you are OpenBSD Do you believe this could become part of the system? I would really like to deny from all with allow from xxx.xxx.xxx.xxx with periodic firewall disable for let's encrypt.

Tha @d19dotca said in Why does cloudron block ports?: @cumpal Cloudron expects to be the only one running on the server, so for security reasons it locks it down unless needed by Cloudron or any of the apps on it. If you need to modify it, I think you can just update the firewall rules manually in Ubuntu, though I've not done that part myself as no need for it yet. but hopefully that at least explains why it's locked down. You may want to review the Cloudron docs on security features too. @girish said in Why does cloudron block ports?: In addition to what @d19dotca said, you can whitelist extra ports using https://docs.cloudron.io/networking/#whitelist-ports . Please use this at your own risk, we don't recommend installing other software alongside cloudron . Thanks for these replies! I got them working.

There is an allow list file, but you have to access it from ssh. It should be in the docs.