


    Cloudron Forum


    UNSOLVED Additional Ubuntu Hardening

    Support
    • ochoseis

      I'm planning to colo a small server to host my Cloudron, and want to make sure I've got it secure enough without getting in the way of Cloudron. I'm going to follow most of the advice in the Cloudron security guide. Beyond that, there are a few other things I can think of:

      • Enable livepatch
      • Run something like this Ansible hardening role. I need to know if any of these things would conflict with Cloudron:
        • Allowing only signed packages
        • Removing a few packages
        • Removing setuid bits from a few binaries

      During setup, does Cloudron already do any of those steps anyways, and / or would they conflict with Cloudron (e.g. does it rely on any unsigned PPAs)? As much as possible, I'd love to rely on Cloudron to handle this so I don't have to think about it.

      • nebulon (Staff)

        Generally, doing any additional system configuration or removing/adding other Ubuntu packages to the system is not supported, since we cannot test such variations for updates.

        Cloudron already only installs signed packages. Enabling livepatch should be ok to do.

        For all the other things happening through that Ansible role, we would have to go through them one by one and test accordingly. We will not support running such hardening scripts automatically; there are too many of these out there. So if there are really good reasons to disable/configure system components for security, we can investigate. Often security roles don't even apply to Cloudron if the corresponding components are not even used.
