@BrutalBirdie that's a good test and thank you for sharing your findings! It should serve as a warning to anyone who just clicks 'install' o.O

-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
@BrutalBirdie thank you for your detailed response.
Yes, I should have done better and was ignorant about my little file sharing app not being abused. It was convenient for getting customers to share large files and I didn't think somebody outside a very small group would find it.
That was very small minded and ignorant of me! Perhaps, this can serve as a good example of what NOT to do
I am taking your advice and agree that 'life will find a way'. I will make it harder for it to do that
Hetzner's barrage of automated messages and their support team not listening to what I was saying really drove me up the wall tonight. I agree with you that they cannot be expected to know what Cloudron is (it's great - especially its community), so I tried to explain to them what I needed.
It was simply a temporary lifting of the block for my static IP at the office, so I can access the GUI. They finally relented and lifted the block but sadly for all. I was quick, so hopefully it minimised the risk of further files being shared!
I know they do the right thing, and I would have done the same in general. The nuance is the method of communication and lack of 'listening', while repeatedly asking for the same info. It felt like talking to a wall.
I would improve their process by adding SMS notification or even a call to the number they have on file for me (and customers in general). That and limiting to 'we confirm we have your email' to once per thread, not every single message.
For Cloudron, I hope we can add a note to the docu to help anyone who is finding themselves in a similar predicament and doesn't have you or a member of the community around to remind them of how to find app IDs
I stopped using Docker and Portainer to enjoy SysAdmin life in blissful ignorance by using a GUI.
Thank you, @BrutalBirdie. Have a good evening.
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
The Hetzner system is horrible. They now send an automated reply to let me know they got my message to every reply I send them lol
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
Another thought, how can I be more proactive and monitor / stop customers or the great unwashed masses from uploading horrible crap?
Can ClamAV scan for abusive content?
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
I looked at the docker route but couldn't find the right ID. I was about to nuke the entire server and pull it to a local VM from backup. The backup is 180GB+, so it would have taken an age thanks to the throttling of the backup server.
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
@BrutalBirdie said in URGENT HELP NEEDED - IP Blocked - Unable to remove app:
For what reason? And what exactly do you mean by blocked? Did you get a mail that says your account is blocked/locked? If you, you would have no access via VNC.
Some asshat used my Jirafeau app instance to host very bad stuff!
Hetzner sent an email I didn't see until after the one hour deadline they give you to respond. Then blocked my server's IP address.
The worst thing was they didn't listen or want to understand that I use Cloudron and have no way to remove the offending share links without accessing the GUI to remove the app.
Just stopping the app from CLI would have been handy.
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
They finally relented and gave me access to the GUI, so I could stop and remove the app!
How can I purge it from all backups?
-
URGENT HELP NEEDED - IP Blocked - Unable to remove app
Hetzner blocked the IP of my server and I only have SSH access via the VNC console.
I need to stop and remove an app from the system but there's nothing in the documentation that helps me.
Please can somebody help me?
-
How do I connect Zapier with Cal.com on cloudron?
Nice one!
Thanks for providing feedback. I'm glad I could help.
-
What's the largest Cloudron you have seen?
Wow, @BrutalBirdie, that's some speed!
I am using VMs (currently Hetzner) and backup to StorageBox as well as VM snapshots. I had a bare metal box at Hetzner before, albeit with spinning disks of rust instead of the super fast NVMes you are running. It took more like 6 hours to restore when I moved (on a weekend).
I look forward to having multi-location backups and used a similar means to achieve redundancy. I backed up to a local SAS HDD (ext4) and then ran a cron job to shovel a copy to StorageBox.
I wish we could have Borg backups (with multiple repos/locations)
@girish
-
What's the largest Cloudron you have seen?
Thanks for sharing details about your Cloudrons.
How do you handle recovery from a borked server?
I find that using the built-in backup is not very good for speedy restores of an entire server (your mileage may vary depending on sizes). That's why I use them for tactical restores or cloning of apps only, unless I have to move a server between providers (which I try to avoid). A local VM snapshot appears to be the fastest in my experience.
My RTO (Recovery Time Objective) is to have the server back up and serving within one hour. My most common scenario is likely to be an update or change of system configuration that results in loss of service. Considering that IPs don't change, this seems to work OK.
I'd love to hear your experiences
-
What's the largest Cloudron you have seen?
@nebulon and you added the lovely list view too
-
What's the largest Cloudron you have seen?
Danke, @luckow
That's interesting. What are you hosting the Cloudrons on?
-
What's the largest Cloudron you have seen?
Fun question for a sunny day... how large is your Cloudron or one that you have come across?
For context, I am trying to figure out whether I want to scale vertically or keep scaling horizontally with my Cloudron. I have tried running two and would prefer the reduced maintenance of a single one... because... er- efficiency
Issues I can see are much longer backups and restores, if they were needed. Although, I use Cloudron backups mostly for migrations (very occasionally) and to manage individual apps. I use VM snapshots for disaster recovery (DR) purposes as they are much quicker.
What's your experience? How big would you go?
Let me know
-
How do I connect Zapier with Cal.com on cloudron?
Hey @jordanurbs, you are not the only one
It should be much better documented.
Anyhow, here it goes:
To connect Zapier to a self-hosted Cal.com instance, follow these steps:
TL;DR
- Invite Link == Whatever sequence of random numbers and letters you want (aka API Key!)
- Note that the invite link / API key
- Create an app for the connection in Zapier's dev account
- Log in to your self-hosted Cal.com instance as an admin.
- Navigate to the settings/admin/apps section of your instance
- Enable the Zapier app in your Cal.com instance and set the necessary app keys
- Generate an API key specifically for Zapier integration (https://<yourinstance>/apps/zapier/setup)
- In Zapier, create a new Zap and select Cal.com as your Trigger app
- When prompted, enter your unique API key generated from your self-hosted Cal.com instance
- Test the trigger to ensure the connection is working correctly
https://github.com/calcom/cal.com/blob/main/packages/app-store/zapier/README.md
https://developer.zapier.com
-
fido2support
@necrevistonnezr said in fido2support:
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forget those hardware keys somewhere.
Ah, yes. That could be a hindrance or mild annoyance. I find that having a password manager that supports passkeys is helpful as a fallback or a primary way to log in. That, or having users have two physical keys ideally. How do you create backups for FIDO2 keys?
-
fido2support
Anything that can be phished will be phished.
Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
-
fido2support
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
My recommendation to clients is usually to go with FIDO hardware keys and/or passkeys - especially for mission-critical stuff, thus I cannot recommend Cloudron because it does not support it
Ref. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, https://www.sectigo.com/resource-library/how-phishers-take-your-one-time-passwords, etc
-
Timezone BST (British Summer Time)
Sorry I didn't make myself clear, @girish
The timezone displayed in Cloudron's settings should be BST (British Summer Time) instead of UTC+0, it should be UTC+1.
"In the UK the clocks go forward 1 hour at 1am on the last Sunday in March, and back 1 hour at 2am on the last Sunday in October. The period when the clocks are 1 hour ahead is called British Summer Time (BST)." - gov.uk
-
Timezone BST (British Summer Time)
For example, my local machine shows:
axel@localhost-live:~$ timedatectl
               Local time: Mon 2024-08-26 12:11:54 BST
           Universal time: Mon 2024-08-26 11:11:54 UTC
                 RTC time: Mon 2024-08-26 11:11:54
                Time zone: Europe/London (BST, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no