  • Securing Cloudron against DDoS attacks?

    Discuss
    2 Votes
    14 Posts
    1k Views

    Like Hetzner, Contabo also offers DDoS protection:
    https://contabo.com/en/ddos-protection/#what-are-the-limits-of-contabo-ddos-protection

    From Claude AI:

    Here are a few key points comparing layer 7 and layer 4 DDoS mitigation for protecting websites that stream audio/video:

    Layer 7 (application layer) DDoS protection can detect and mitigate more sophisticated application-layer attacks that target weaknesses in the web application code, such as HTTP floods, low and slow attacks, and exploits that abuse APIs.

    Layer 4 (transport layer) DDoS protection focuses on network and volumetric attacks like UDP and ICMP floods which aim to consume bandwidth and overload infrastructure.

    For streaming websites, a hybrid approach providing both layer 4 and 7 mitigation is recommended. Layer 4 protects against bandwidth-exhaustion attacks while layer 7 covers exploits at the application layer.

    Top providers known for DDoS protection services include Cloudflare, Akamai, Imperva, F5 Networks, and Radware. Specific solutions include:

    Cloudflare Magic Transit and Spectrum
    Akamai Prolexic Routed
    Imperva Advanced DDoS Protection
    F5 Silverline
    Radware DefensePro

    Features like behavioral analysis, per-client throttling, SSL decryption, and integration with CDNs and DNS services make these robust protections against network and app-layer DDoS attacks.

    In summary, combining layer 4 and 7 DDoS mitigation from a reputable provider gives streaming sites the best protection against volumetric bandwidth attacks and application exploits. Cloudflare, Akamai, and Imperva are leaders in the space.

  • Secure Database suggestions

    Discuss
    0 Votes
    2 Posts
    296 Views
    humptydumpty

    @LoudLemur I use cryptomator to encrypt sensitive files that I have on my nextcloud. Your use case is a bit trickier as you have multiple people working on the same file simultaneously. Take a look at the existing apps in the App Store like collabora, onlyoffice, and cryptpad. Cryptpad might be your best option though as it’s end to end encrypted.

    Edit: There’s also baserow and noco. I’m not sure if the databases are encrypted.

  • 0 Votes
    29 Posts
    2k Views
    scooke

    @andreasdueren I'd be cautious about implementing it then. Cloudron hardens your server enough - doing more by installing more software, which is NOT recommended, will only lead to problems, especially if you don't already have a deep enough understanding of what is happening. It seems that @BrutalBirdie's gang knows their stuff (they're using Ansible to install Cloudron??? Yeah, that is next level coding there). Of course, they may also be paying for the Enterprise level of service (I'm not asking btw, no need to respond to that @BrutalBirdie ) so if they have hassles then I suppose it's fine for them to get help beyond typical Cloudron support, especially if they are doing more to their servers than what Cloudron themselves advise.

  • Online tools to check website security?

    Discuss
    2 Votes
    5 Posts
    508 Views
    DanTheMan

    Also stumbled on this one last week:
    https://web-check.xyz/

    Selfhosted:
    https://github.com/Lissy93/web-check

    And a little explanation on how this works:
    https://www.helpnetsecurity.com/2024/02/26/web-check-website-open-source-intelligence/

  • Locked myself out after changing to port 202

    Unsolved Support
    1 Votes
    3 Posts
    353 Views
    skinnylatte

    @nebulon Thank you, I will investigate today and let you know.

  • 6 Votes
    4 Posts
    586 Views
    subven

    I use vaultwarden for business related secrets or where customer data come into play. For my private stuff I still use Chrome sync but also want to switch to vaultwarden.

    What came to my mind: By January, a lot of people will (hopefully) switch from Chromium sourced browsers to Firefox because of the manifest v3 implementation. Because I don't want to trust Mozilla nor Google, I tinker with the thought to host my own FFsync (Firefox Sync) server to be more independent with my "cloud" hosted data. Had to think about the risks because hosting something like vaultwarden might be safe but I was unsure if FFsync gets the same care.

  • Privilege escalation through mail manager role

    Solved Discuss
    2 Votes
    8 Posts
    637 Views
    nebulon

    This is fixed for next release with https://git.cloudron.io/cloudron/box/-/commit/3477cf474f32a51c62aef65015e615db62bca4f7

    For the other feature request about domains, please make a separate thread there, but I can already say that Cloudron is still designed to work for a setup of one Cloudron per organization and not many maintaining isolated organizations on one Cloudron. This will add all kinds of complexities for the 99% use-cases Cloudron is currently used for.

  • Increase length of app passwords

    Solved Support
    0 Votes
    5 Posts
    526 Views
    humptydumpty

    @girish It sure did. I thought it was a simple matter of brute forcing 16 characters. I’m glad that’s not the case. Thanks for the clarification!

  • 2.8.10 security update available

    Solved Discourse
    0 Votes
    6 Posts
    551 Views
    jdaviescoates

    @nebulon thanks! I'm not getting my hopes up too far, but hopefully this will somehow also resolve all the issues that loads of the official plugins have when trying to install them on Cloudron...

  • OpenVPN DNS leaks?

    OpenVPN
    0 Votes
    7 Posts
    869 Views
    girish

    Maybe @mehdi has some ideas here since he wrote the initial app.

    If I understand correctly, you are trying to put the OpenVPN certs into openwrt and this somehow leaks DNS. How are you testing this?

  • Bug in 2FA Force

    Solved Support
    0 Votes
    7 Posts
    778 Views
    girish

    This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8

  • one collabora server for multiple clients?

    Solved Collabora Online (CODE)
    0 Votes
    3 Posts
    411 Views
    nebulon

    Yes, as far as I understand each Nextcloud would initiate a document edit session with its own document URL and token exchange, so those should be isolated from one another.

  • 7 Votes
    2 Posts
    422 Views
    humptydumpty

    duplicate post, see: https://forum.cloudron.io/topic/3073/zoneminder-state-of-the-art-video-surveillance-software-system

  • 0 Votes
    2 Posts
    531 Views
    girish

    @LoudLemur I have seen this idea implemented on some services now.

    I guess this will only work for the Cloudron dashboard?

  • Possible nginx LDAP security flaw

    Solved Support
    3 Votes
    3 Posts
    416 Views
    nebulon

    Thanks for the info, but we do not use this module, so we are all good.

  • cve (angular 1.5.8)

    Discuss
    0 Votes
    2 Posts
    285 Views
    nebulon

    Indeed, we use that angular version 1.5.8 and can look into updating that. Generally though I am not sure how one would exploit this in the Cloudron use-case. So I don't think it makes much difference. The only user-content which is dynamic in that sense would be the footer, but if the admin sets a malicious footer, I guess the situation is already an issue.

  • Network security issue: Portmapper servers

    Solved Support
    0 Votes
    7 Posts
    801 Views
    girish

    @potemkin_ai thanks for reporting.

    It seems nfs-common depends on rpcbind which starts the service at port 111. rpcbind is only needed for NFSv3. I have disabled rpcbind in the next release (8.0.1). Cloudron only supports NFSv4 out of the box.

  • Critical Kernel Bug: The Dirty Pipe Vulnerability

    Support
    1 Votes
    2 Posts
    507 Views
    nebulon

    @nj Cloudron relies on Ubuntu LTS versions and security updates are enabled automatically (independent from Cloudron releases). So once the Ubuntu security team updates the kernels, all Cloudrons will get it as well. Since this is a kernel issue, you will likely see some "reboot required" notification in your Cloudron dashboard afterwards.

  • 0 Votes
    6 Posts
    780 Views

    @girish I would say pick and choose what is applicable; obviously you would know best. It's also worth noting there are CIS benchmarks specifically for Docker containers, which might be a better fit. You could combine the two for better hardening.

    https://www.cisecurity.org/benchmark/docker/

    https://github.com/docker/docker-bench-security

    Let me know what you think

  • Implement default NGINX logging

    Solved Feature Requests
    4 Votes
    2 Posts
    559 Views
    girish

    @mastadamus thanks so much for investigating. I have removed it for next release (7.1) - https://git.cloudron.io/cloudron/box/-/commit/6492c9b71f80120413ff4ae7eefa2f03dc96ea0f