Thanks for the info, but we do not use this module, so we are all good.

Indeed, we use that angular version 1.5.8 and can look into updating that. Generally though I am not sure how one would exploit this in the Cloudron use-case. So I don't think it makes much difference. The only user-content which is dynamic in that sense would be the footer, but if the admin sets a malicious footer, I guess the situation is already an issue.

@dfoy yes, let us know what they say. Happy to make fixes, if any needed.

@nj Cloudro relies on Ubuntu LTS versions and security updates are enabled automatically (independent from Cloudron releases). So once the ubuntu securty team updates the kernels, all Cloudrons will get is as well. Since this is a kernel issue, you will likely see some "reboot required" notification in your Cloudron dashboard afterwards.

@girish I would say pick and choose what is applicable obviously you would know best it's also worth noting there are CIS benchmarks specifically for Docker Containers which might be a better fit. You could combine the two for better hardening.

https://www.cisecurity.org/benchmark/docker/

https://github.com/docker/docker-bench-security

Let me know what you think

@mastadamus thanks so much for investigating. I have removed it for next release (7.1) - https://git.cloudron.io/cloudron/box/-/commit/6492c9b71f80120413ff4ae7eefa2f03dc96ea0f

Both the old java as well as the bedrock edition have now been updated.

@girish ah i didnt even notice bevause of all the 4j notices my eyes where too open 🐶

thx for looking at this anyway

@jodumont I recently posted about crowdsec under feature requests.

I think crowdsec is more appropriate, afaik, for cloudron

@fbartels I do believe you.

The backdoor was removed before it was compiled into a binary for admins to download so there is no issue for anyone running PHP. However this does prove to be an issues in regards to PHP's safety - They have moved to GitHub (@girish mentions in his reply) and will be better closely monitoring pushes and merges into the code base.

PHP's Own Nikita Popov: "The changes were on the development branch for PHP 8.1, which is due to release at the end of the year" which means the code has not been distributed. It's a big deal but not as big as everyone is making it out to be.

Hopefully this does NOT happen again.

Ubuntu notice - https://ubuntu.com/security/notices/USN-4891-1

@mastadamus that will be very useful, thanks!

@girish agreed.

@imc67 I've published a new package which sets the getremoteaddrconf now correctly.
Since we only have one reverse proxy, the second setting was not needed in my tests. So this is untouched by default.

Thanks for the heads up. The new package is out now.

Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e one which will be in next release) shows this:

root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]

The current cloudron container has 1:2.2.33.2-1ubuntu4.6

@girish thanks again for this!

@girish also, I imagine if MailPile hadn't tried to make PGP easy as part of it the developer might not have burnt out and there might be a decent open source webmail app!

@nicolas There's a feature request to monitor network traffic at the app level. If we had that, we could have narrowed this down more quickly.

@robi Interesting feature. Could save development time. Thanks!

@murgero Yeah, makes sense.

This appears to be someone/bot trying out common usernames in one of your apps. Unfortunately this is not too uncommon, but also not an a real issue if you have strong passwords. The requests will be rate-limited as well to prevent proper brute-force attacks.

The internal IP is associated to an app, it may or may not change when an app is restarted. However the ldap logs might indicate there are multiple apps configured to use LDAP. The port is actually dynamic per request, so that is the reason why it does not show in docker ps/inspect

@girish I think all these % numbers are a bit misleading and opinionated - but as you rightly detail it's a case of looking at the appropriateness of each item and reasonability.

It's impossible to know or remember everything but still a nice too for a quick review to see if there's any easy wins, and I suppose the scoring mechanism could be handy marketing for some once a certain level is considered reasonably hardened.

@girish Done - https://forum.cloudron.io/topic/3777/support-optional-cloudflare-proxied-record-creation

This is implemented in 5.4

I think there's a genuine case in the future where if we introduce per-app admins, then app admin can access terminal of one app to see traffic (and sniff ldap/db creds) of another app. I think it's an excellent suggestion to remove it!

@girish The manual check method is good enough for me. If you do the release channel thing thats cool. But for those of us that a hungry, an extra few clicks isn't a bother.

@Hillside502 yes, that was a ui bug!

@staypath Continuing my conversation with myself 🙂

Posting this here in case anyone else comes across this with the same question: I found that configuring fail2ban to use systemd was the trick:

[sshd] port = ssh #logpath = %(sshd_log)s #backend = %(sshd_backend)s backend = systemd enabled = true maxretry = 1 bantime = 14d