Cloudron Forum


Harden security features

Feature Requests
  • imc67 translator
    wrote
    #1

    In this thread https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4?_=1637136154239 a long time ago a lot of suggestions were offered to harden the Cloudron security.

    Still today, IMHO, we are still blind to, for example, failed logins, rate limiting, etc.

    Is Cloudron audited? Is it an idea to gather ideas to harden Cloudron like mentioned in that thread?

  • nebulon Staff
    wrote
    #2

    There is no external audit happening at the moment.

    Rate limits on the login routes are implemented by now; for further recommendations I guess we should just handle those as separate feature requests here and have a discussion on the individual points.

  • girish Staff
    replied to imc67
    #3

    @imc67 things like the FreeScout IP logs are just packaging bugs. If you report them separately, we can fix them. I pushed a new FreeScout package that fixes that, but you get the idea. It would be easier to discuss if the features/bug reports are broken down into separate topics.

  • JOduMonT
    replied to imc67
    #4

    @imc67 said in Harden security features:

    Is Cloudron audited? Is it an idea to gather ideas to harden Cloudron like mentioned in that thread?

    Not audited, but I looked at the code.
    As mentioned by nebulon, Cloudron has rate limiting, which is great against brute-force attacks (bot and human attacks).

    But as they seem to forget, they also implement AppArmor, which contains the scope of action of each container, and suggest that you change the SSH port.

    They also actively maintain their code and do regular updates of all the apps and their stack (NGINX, ....), which might sound little but is, in reality, a big win in security.

    So basically Cloudron is potentially vulnerable via OpenSSH, NGINX, Haraka, Container Evasion and weak certificates (SSL/TLS,...).

    • OpenSSH: as recommended in the doc, you should install Fail2Ban and change the port
    • NGINX: the NGINX team is pretty serious about security, so doing updates and knowing the NGINX rules are the key
    • Haraka Mail: Hmm, I don't know this one
    • Container Evasion (Docker): AppArmor is better than nothing; after that, I personally mount /var/lib/docker with nodev, noexec but I'm not even sure that helps.
    • Weak Certificates: you could scan your domains, but A+ at school was enough for me 😉

    Otherwise,

    • you could close ports you don't use, such as POP3, HTTP (80), ..., with a frontend firewall (at your host provider)
    • enforcing the 2nd authentication factor
    • and vote for implementation of applications such as CrowdSec.

    Also, be sure to deploy reputable applications and be active in those apps' respective communities.

  • JOduMonT
    wrote
    #5

    It is not directly related to Cloudron, but I just started to use Cloudflare Access to secure my self-hosted server at home (not a Cloudron). It is a Zero Trust solution per subdomain (https://developers.cloudflare.com/cloudflare-one/).

    My gateway only has HTTPS and SSH open, and HTTPS is behind the Cloudflare proxy; I know you have to trust Cloudflare as a man in the middle...
    And then to access any subdomain which points to that server, the person needs to be part of my GitHub team and be authenticated by GitHub.

    So why am I posting this here?
    [image: fda4cf55-bc5a-4fa0-8a0b-9639c53e106f-image.png]

    1. it is easy to set up, while the One-Time Pin didn't work well for me
    2. maybe Cloudron would like to
      2.1. implement it into their DNS option (but it will look like Cloudron is in favor of Cloudflare)
      2.2. provide and identify authentication via SAML (if it is possible)
    3. it is very easy to implement and makes any apps/DNS ultra secure.
    4. did I say it was very easy to set up??? 😉
  • fbartels App Dev
    replied to JOduMonT
    #6

    @jodumont said in Harden security features:

    provide and identify authentication via SAML (if it is possible)

    SAML is an old and outdated protocol (that is also hard to work with); a more modern alternative is OIDC (OpenID Connect, a standard based on OAuth 2.0), which is also offered in your screenshot.
