Security issue when installing/restoring Cloudron on the same VPS?
I was thinking about the following scenario (i.e. whenever you want to do a restore or a 'clean upgrade' to Ubuntu 20.04 on the same VPS/IP), but it might lead to a security issue?
- On a VPS you have a running Cloudron with traffic
- You have a very recent external backup to use for restore
- Wipe/format the SSD of your VPS and do a clean install of Ubuntu with or without the Cloudron image (if without, install Cloudron manually)
- After the Cloudron install you have the situation that every visitor of every app (i.e. high-traffic WordPress sites) will end up in the Cloudron Domain Setup and can mess up whatever they want, because the DNS records of all (sub)domains are still present and resolve to the IP
What I would like to see is that after the Cloudron install, the response on the bare IP is a decent, unbranded "Coming soon" page, plus a special "hidden" URL (there is already setupdns.html) where the admin can start configuring and restoring? It's also much nicer for "clean installs", as it prevents "old" IP traffic or crawlers from running into the setup?
@imc67 I just migrated a Cloudron server between cloud providers with a restore, and my solution was to serve downtime/maintenance pages from the edge of the Cloudflare network. It worked flawlessly. Without Cloudflare in the mix (I know folks have very mixed opinions), you could just pull a new IP for the box (DNS will be auto-updated to the new one upon restore) so that the old one just 404s, or you could use firewall rules at the provider or box level to restrict inbound traffic to your management network temporarily.
This is mostly just to lay out the current options - there may well be merit to the obscure URL trick as well, and that's worth considering in Feature Requests perhaps as well for further discussion.
The cleanest solution, from a security standpoint, would be to display a random password in the terminal when installing Cloudron, which would then be required by the server setup page.
Pre-installed Cloudron images would need to have a set password, so they would be a bit less secure, but it would still be good.
For the AWS marketplace, we already implement this by asking for the EC2 instance ID during setup.
I guess for a start, we can have an option in the setup script to generate a passphrase and then maybe make this the default in a future release?
@girish that would be great, but even better in combination with a "coming soon" page on the bare IP and setup on a specific URL.
@girish thanks again for this!