    Solved Enormous Security Hazard

    Support
    cloudflare
Refugee_Ranger (last edited by girish):

      I made this account specifically so I can describe a gaping Cloudron security hole without further endangering any refugees. Anyone assisting those fleeing a war zone is liable to receive attention from the intelligence services of their state of origin.

      I installed Cloudron on a system and configured it to work behind Cloudflare. Cloudron gets Cloudflare API access and manages DNS. The firewall on the machine is set to only permit http/https from Cloudflare's known IP prefixes.

      There are certain applications, WHM being the one I noticed, where Cloudron will configure Cloudflare for DNS only. There is no warning that you're about to expose the public IP of your system, it just does it. This is catastrophic exposure, even if the system does not respond.

      Once the public IP is known the system is exposed to denial of service and intrusion attempts. An attacker can easily find all IP prefixes in use at the hosting facility and provide similar attention to every other system there. Even if the Cloudron host is secure, the attacker will find systems that are not secure, and use this to encourage the hosting firm to cancel the service of the intended victim.

If this is something that can be handled with a configuration within the system, it should be made MUCH more obvious. An alert should happen for any change that will expose the IP address of a system configured for Cloudflare. If there is no way to enforce a Cloudflare-only policy, that reveals an astonishing poverty of imagination on the part of the developers.

      I'm going to go look at some things, but I suspect that later today I'm going to have to inform the board that we had a dangerous leak, and that this forces us to change hosting providers.

nebulon (Staff):

Hi there, I am not exactly sure which app you mean by WHM. Also note that any service which is not on 443 will not be proxied through Cloudflare anyway, but in your case it probably should simply not be reachable, so as not to expose the IP.

jdaviescoates (replying to nebulon):

          @nebulon said in Enormous Security Hazard:

          WHM

          Possibly WBO Whiteboard? Seems the closest. 🤷

          I use Cloudron with Gandi & Hetzner

robi (replying to Refugee_Ranger):

            @Refugee_Ranger While the default is to use Cloudflare for DNS only, as it's required to install and set it up, you can manually switch any Apps you like to proxied as long as they're on port 80/443.

            Life of Advanced Technology

robi (replying to nebulon, last edited by robi):

              @nebulon @jdaviescoates

              https://www.qwant.com/?q=WHM


jdaviescoates (replying to robi):

                @robi said in Enormous Security Hazard:

                https://www.qwant.com/?q=WHM

Can't be Web Host Manager though, as there isn't a Cloudron app for that, is there?


robi (replying to jdaviescoates):

                  @jdaviescoates I read it as a contrast to WHM, which is an app, not as a CL App.


girish (Staff, replying to Refugee_Ranger):

                    @Refugee_Ranger said in Enormous Security Hazard:

                    Cloudron will configure Cloudflare for DNS only

                    By default, Cloudron configures any new app for DNS only. You have to go to the Cloudflare dashboard to enable proxying. Once you enable it in Cloudflare, Cloudron will preserve the proxying flag.

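The behaviour girish describes (new app records are created "DNS only", and the proxied flag is only honoured once you have turned it on in the Cloudflare dashboard) is exactly the gap the original poster wanted an alert for. The check below is an added example, not Cloudron's code or anything from this thread: it takes the record list a Cloudflare zone returns and reports every A/AAAA record that publishes the origin address without the proxy. The zone name, record IDs and addresses are invented sample data embedded inline; a real run would feed it the `result` array from `GET https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records` (walk all pages). As nebulon notes, the check only covers what DNS publishes; a service on a port other than 80/443 is never proxied, and the host firewall has to deal with that separately.

```python
"""Flag Cloudflare DNS records that expose the origin IP (example code).

Each record object from the Cloudflare v4 API carries "type", "name",
"content" and "proxied".  Only a proxied record is answered with
Cloudflare edge addresses; a record created "DNS only"
(proxied=false) hands out whatever address it holds.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

# Constructed sample in the shape of the API's "result" array.  Names,
# IDs and addresses are invented for this example.
SAMPLE_RECORDS_JSON = """
[
  {"id": "r1", "type": "A",     "name": "my.example.org",    "content": "203.0.113.10",     "proxied": true},
  {"id": "r2", "type": "A",     "name": "board.example.org", "content": "203.0.113.10",     "proxied": false},
  {"id": "r3", "type": "AAAA",  "name": "board.example.org", "content": "2001:db8::10",     "proxied": false},
  {"id": "r4", "type": "A",     "name": "other.example.org", "content": "198.51.100.7",     "proxied": false},
  {"id": "r5", "type": "MX",    "name": "example.org",       "content": "mail.example.org", "proxied": false},
  {"id": "r6", "type": "CNAME", "name": "www.example.org",   "content": "my.example.org",   "proxied": true}
]
"""

# Addresses of the host sitting behind Cloudflare (invented).
ORIGIN_ADDRESSES = {"203.0.113.10", "2001:db8::10"}


def normalize(addr: str) -> Optional[str]:
    """Canonical text form of an IP so 2001:0db8::10 and 2001:db8::10 compare equal."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None


def find_exposing_records(records: Iterable[dict], origin_addresses: Iterable[str]) -> List[dict]:
    """Return the records that publish an origin address with proxied=false."""
    origins = {normalize(a) for a in origin_addresses} - {None}
    exposing = []
    for rec in records:
        if rec.get("type") not in ("A", "AAAA"):
            continue  # MX, TXT, SRV, CNAME carry no address of their own
        if rec.get("proxied"):
            continue  # proxied: resolvers only ever see Cloudflare edge IPs
        if normalize(rec.get("content", "")) in origins:
            exposing.append(rec)
    return exposing


def audit(records_json: str, origin_addresses: Iterable[str]) -> List[str]:
    """One alert line per exposing record; an empty list means nothing leaks."""
    records = json.loads(records_json)
    return [
        f"{r['type']} {r['name']} -> {r['content']} is DNS-only (proxied=false)"
        for r in find_exposing_records(records, origin_addresses)
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS_JSON, ORIGIN_ADDRESSES):
        print("ALERT:", line)
```

Running this against the sample flags the two `board.example.org` records and nothing else: `r1` is proxied, `r4` points somewhere other than the origin, and the MX and CNAME entries are skipped because they hold no address. Run it from cron after every app install, or diff successive outputs, to get the "any change that will expose the IP" alert the first post asks for.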