  • 0 Votes
    4 Posts
    557 Views
    luckowL

    @girish wait ... true 🙂

  • Question about my setup

    Solved Support
    8
    0 Votes
    8 Posts
    945 Views
    J

    @girish So I disabled the port forward rule in my router and it resolved the issue. Thank you!

  • Does cloudron block bogon networks?

    Solved Support
    5
    0 Votes
    5 Posts
    589 Views
    micmcM

    @alexdimarco said in Does cloudron block bogon networks?:

    One of the wifi networks (I do not have control over) uses bogon IP space for addressing. When connected to this network I cannot access any Cloudron servers. Do they block bogon? If so, how can I white list a network - in specific 100.64.0.0/10?

    Cloudron blocks nothing by default.

  • 0 Votes
    7 Posts
    1k Views
    ajtatumA

    @girish & @mehdi - thanks for your advice! It gave me the idea to Tailscale. I installed it on the Cloudron server and was able to successfully mount a shared folder from my Synology using cifs. However, even though the data persists between reboots, I don't see the data on the Synology, even when I'm logged in as the root user. I'm not quite the linux expert, but I noticed that when I changed Nextcloud's appdata folder to point to the mount, it created it as a "root" user. On the Synology, I created a Cloudron user that has the necessary permissions and I mounted the shared folder with the Cloudron user, password, and domain. So, I'm thinking this has something to do with user IDs not matching up or something like that.

    I'm nervous about moving forward since I can't actually see the data on my Synology. Would you or anyone else have any advice?

    By the way, this is how I mounted it:
    sudo mount -t cifs -o credentials=/etc/nas-credentials,vers=3.0 //nas/Cloudron /mnt/nas

    In fstab, the command is:
    //nas/Cloudron /mnt/nas cifs credentials=/etc/nas-credentials,vers=3.0,_netdev,auto 0 0

    Thanks for all your help!

  • Network security issue: Portmapper servers

    Solved Support
    7
    0 Votes
    7 Posts
    807 Views
    girishG

    @potemkin_ai thanks for reporting.

    It seems nfs-common depends on rpcbind which starts the service at port 111. rpcbind is only needed for NFSv3. I have disabled rpcbind in the next release (8.0.1). Cloudron only supports NFSv4 out of the box.

  • Cloudron 7.1.2 Firewall not IPv6 ready?

    Support
    8
    0 Votes
    8 Posts
    891 Views
    nebulonN

    @imc67 essentially the patch for this is https://git.cloudron.io/cloudron/box/-/commit/eb0662b2455e0687ab3ce5dd02d2466e16670092 so two files need to be adjusted. The .ejs file is a template which will result in /etc/nginx/applications/my.<domain.com>.conf so besides editing the .ejs file additionally edit that file and then systemctl restart nginx and systemctl restart box.

  • Incorporate a WAF built into cloudron

    Feature Requests
    7
    6 Votes
    7 Posts
    1k Views
    girishG

    @wind-gmbh FWIW, we don't use the upstream distro packages. We use the packages straight from nginx.org since they provide better security fixes - https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/ . Looks like https://nginx.org/packages/ubuntu/pool/nginx/n/ is the pre-built modules they have.

  • Cloudron dropping packets from router

    Solved Support
    8
    0 Votes
    8 Posts
    978 Views
    girishG

    @reachableceo thanks for the update!

  • Firewall per domain/container

    Feature Requests
    5
    5 Votes
    5 Posts
    818 Views
    P

    @jodumont I recently posted about crowdsec under feature requests.

    I think crowdsec is more appropriate, afaik, for cloudron

  • Open port 5080

    Solved Support
    3
    0 Votes
    3 Posts
    614 Views
    johnsonsebireJ

    @girish Awesome. Thank you for the help!

  • 1 Votes
    4 Posts
    610 Views
    C

    hey @nebulon,
    no, only 2-3 ports tcp/udp (wireguard/snmp/ssh)
    and it happened in between again, without any reboots/upgrades/etc. I got notified by the network mgmt system that my cloudron server is down - luckily it was just the firewall…

  • Limit IMAP access

    Moved Feature Requests
    19
    0 Votes
    19 Posts
    2k Views
    potemkin_aiP

    @fbartels I do believe you.

  • 0 Votes
    14 Posts
    2k Views
    C

    @nebulon Fantastic, thank you!

  • Restrict Dashboard Access - Cloudron v6.1.2

    Support
    5
    0 Votes
    5 Posts
    803 Views
    potemkin_aiP

    @girish said in Restrict Dashboard Access - Cloudron v6.1.2:

    @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet.

    I didn't test the solution yet, found it with people referring to it as a working one, so I have hopes.

    The idea is to modify /etc/ufw/after.rules to contain:

    # BEGIN UFW AND DOCKER
    *filter
    :ufw-user-forward - [0:0]
    :ufw-docker-logging-deny - [0:0]
    :DOCKER-USER - [0:0]
    -A DOCKER-USER -j ufw-user-forward
    -A DOCKER-USER -j RETURN -s 10.0.0.0/8
    -A DOCKER-USER -j RETURN -s 172.16.0.0/12
    -A DOCKER-USER -j RETURN -s 192.168.0.0/16
    -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
    -A DOCKER-USER -j RETURN
    -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
    -A ufw-docker-logging-deny -j DROP
    COMMIT
    # END UFW AND DOCKER

    Why not just enable 2FA on the dashboard?

    It's a different security layer. 2FA relies on the code, which is much more complicated, as opposed to network level filtering.

    What is more complicated could have more issues.

    So, whenever possible, I close any code from outside access - everything has bugs, some of them are in the security space, even if you are OpenBSD 🙂

    Do you believe this could become part of the system?

    I would really like to deny from all with allow from xxx.xxx.xxx.xxx with periodic firewall disable for Let's Encrypt.

  • Why does cloudron block ports?

    Solved Support
    4
    0 Votes
    4 Posts
    851 Views
    C

    Tha

    @d19dotca said in Why does cloudron block ports?:

    @cumpal Cloudron expects to be the only one running on the server, so for security reasons it locks it down unless needed by Cloudron or any of the apps on it. If you need to modify it, I think you can just update the firewall rules manually in Ubuntu, though I've not done that part myself as no need for it yet. but hopefully that at least explains why it's locked down. You may want to review the Cloudron docs on security features too.

    @girish said in Why does cloudron block ports?:

    In addition to what @d19dotca said, you can whitelist extra ports using https://docs.cloudron.io/networking/#whitelist-ports . Please use this at your own risk, we don't recommend installing other software alongside cloudron.

    Thanks for these replies! I got them working.

  • Block access to all IPs, but one + firewall admin problem

    Solved Support
    8
    0 Votes
    8 Posts
    1k Views
    robiR

    There is an allow list file, but you have to access it from ssh. It should be in the docs.

  • FW stops working after update

    Support
    2
    0 Votes
    2 Posts
    302 Views
    girishG

    @chymian-0 Did you whitelist the ports or did you use iptables/ufw directly? We only support https://docs.cloudron.io/networking/#whitelist-ports

  • 2 Votes
    2 Posts
    317 Views
    P

    @robi Wow Robi, this is a great feature request!!! Just yesterday one of my Cloudron instances got a lot of traffic to email for a bruteforce attack.

    @girish I think this feature has to be put on the top of the list to improve safety but also to reduce workload of instances and network traffic...


    This is a Statping graph showing how network performance was impacted before and after the bruteforce.

    Also, we need a robust alert system - email or other - to let us know that something is happening.

  • FYI: arp/ip/ip6tables is no longer available

    Discuss
    2
    0 Votes
    2 Posts
    2k Views
    girishG

    Thanks for the heads up. We don't really use any of these tools but something to keep in mind. We do use ipset for the firewall block list, but it seems to work fine with Ubuntu 20 though.

  • Format for IP Blocking

    Solved Support
    3
    0 Votes
    3 Posts
    490 Views
    robiR

    @shai said in Format for IP Blocking:

    If you are curious, blocking China and Russia came to 19,000 rows. Cloudron didn't stutter.

    The firewall does. It will take progressively longer to make fw changes as you keep adding IP blocks. Not an issue for one time things, but something to keep in mind.