@necrevistonnezr There is no fail2ban on Cloudron. Currently, we just rate limit all authentication routes to minimize risk (and with 2FA and app passwords risks are even lower now). We had a plan to implement firewalling this release (rate limits per IP, block specific IP etc), but already changes were piling up. So, we will have some more advanced firewalling features in a future release.

Just to follow up on this. Now that we have owner role in Cloudron 5, install/update/repair/exec of apps that use the docker addon is restricted to owner in 5.1. This then means that an admin cannot get access to some shell and access docker and hijack the system. On a technical note, docker is accessed by apps via proxy. This proxy verifies that only apps that request the docker addon can access the docker API. The proxy also ensures that random volumes cannot be mounted (only /app/data of the app can be volume mounted).

@girish All these years and it’s still a pain >_< Edit: I’m referring to Linux distros ofc, not Cloudron.

@girish I second this

@necrevistonnezr this was the one https://forum.cloudron.io/topic/1971/urgent-security-issue-in-nginx-php-fpm

@necrevistonnezr Thanks, good to know. Will keep an eye for the ubuntu update. Cloudron is not at risk because we only use it internally (it is not exposed via public port). We also don't use NOTIFY query (this is a zone change notification across dns servers) as we use unbound as a recursive resolver and nothing more.

I guess this should come in as an nginx update via ubuntu at some point. We don't package nginx ourselves.

@Miggi I love the idea, however - One issue I see with this is the claim of being better than OpenVPN, but no certification by a reputable security firm like OpenVPN. I have tried Wireguard though - amazing how fast and easy it was to configure. But just not old enough to be considered stable - yet.

@ahkg the reason for whitelisting 172.18.0.1 give access to all requests, is that this is the ip of the Cloudron internal gateway into the subnet where all apps are running. Unfortunately for your case the cloudron healtcheck also comes via this gateway. I think your htaccess file needs to check for the X-Forwarded-For header to check against the correct inbound address.

I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0 For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.