I finally have some good news.
remember when I lost my original domain?
well the good news is, I managed to get in contact with 1 of my admins, who has access to the cloudflare dashboard, and was finally able to get back into my domain. I have enough admin access to where I can do well, everything. it may not be my OG account, but I did manage to get my access back with a new account, which is great.
i've been trying to get that superior to get things back, and finally I have it.
now Alex is gonna get a synology Nas in his home, and we'll host things off that.
might have him get a firewall, just for good measure.
additionally, I might have him search for a firewall, just for good measure.
still would be nice to get cloudron working with cloudflare tunnel...
this time, I have saved and backed up my codes so I won't lose access again
adisonverlice2
Posts
-
some good news finally.. -
fido2support
i'm glad i've made this more of a trending topic on the forum.
this should push more support for FIDO in cloudron. -
hi guys
hey everyone.
it's been a while.
i had to make a new account, as i have lost my 2FA codes.
i also lost the 2FA key to my password manager, so i couldn't get in my cloudron forum account.
but hey, at least being locked out is better than getting data stolen.
sorry i've been gone.
during my time, i still have not found any good hosting solutions, but i'm still working on it.
right now, i'm having to recover some of my accounts.
but hopefully i should be back on track soon. -
passwordless.dev
hi everybody.
I want cloudron to have an application called passwordless.dev
@nebulon if I remember correctly, said 2FA via passkey is not supported very well in cloudron.
however, with passwordless, all you would have to do is install a few libraries, which makes it easy, and the user would have to just provide an API key and such in their dashboard to get logged in. -
Cloudflare Tunnel? -
yet another way to do cloudflare tunnels
hi
i have another solution for cloudflare tunnels that y'all might like.
my idea was that during the setup or adding domains, you are asked for your domain provider.
instead of choosing cloudflare, they could choose something like "cloudflare tunnel" or something like that.
during installation of an application, you would be asked for the token given by cloudflare tunnel when setting the thing up.
of course, you would first have to setup your my dashboard, in which you would need a tunnel.
the cool thing is if i remember right, multiple subdomains can be setup in cloudflare tunnel, allowing for multiple domains and or subdomains. however, given that cloudron uses docker containers, you would probably need multiple tunnels, though i can traid that.
oh right, before i forget. it should also give you the IP you need this tunnel to go to, along with the port. very well needed when setting up cloudflare tunnels.
for example, 1.2.3.4:9000, since i'm aware docker containers have different IPs (i believe they're private IPs) and ports.
yes, i'm aware that it can't protect things like SMTP and stuff, but i think it works with (most) services. -
question about SAML authentication
hello.
I was wondering if cloudron could act as a SAML2.0 IDP for users.
thanks in advance -
fido2support
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
My recommendation to clients is usually to go with FIDO hardware keys and/or passkeys - especially for mission-critical stuff, thus I cannot recommend Cloudron because it does not support it
Ref. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, https://www.sectigo.com/resource-library/how-phishers-take-your-one-time-passwords, etc
what you could also do is see if you can get bitwarden's business plan, and have it self hosted. then, you could setup a policy that forces all users to login with their passkey. then they could put their TOTP tokens in there.
this does take a little longer, but it's better than nothing. -
how I caught a hacker trying to (or may have) hacked into 1 of my colleague's old accounts.
hello:
this is how I caught a hacker who had maybe hacked into 1 of my old colleague's accounts, older1's to be precise.
so it started on when I had my old email adison.verlice@blindsoft.ent thanks to Google workspace.
now unfortunately, we had to get rid of that because Alex (the site's CFO and domain administrator) was not making his payment on time to GWorkspace, or didn't pay at all because we had recently moved away from Google domains, because it was being transferred to square space. we really didn't reset it up because I think we didn't make it in time to, so I had an idea. I would use cloud flare routing, which sends emails to my personal inbox, and allows me to use my email as an alias.
with that I also had a catchall inbox for anyone (anyone) (yes, even you) who sends emails to my relay. for example, I think I have cloudron@blindsoft.net as my cloudron email (which I have dropped btw heh heh heh heh you can't send me summaries) and because of this, all emails unless dropped get sent to me.
now to give you an idea of how I have my personal email setup, I have 3 layers of security tied to my email account.
first off, you need the email and, well, password.
then you need my passkey or, as a backup, my TOTP.
finally, you need a second password which is needed to get into the inbox itself.
I secure shit like the NSA.
so an old email that was part of the Google workspace stack that I never relooked was alchappers@blindsoft.net. this, of course, was alex's sorta aliases. now what immediately struck me was when an email came in my spam folder, and touched the address which, of course, I intercepted right away. well, I didn't even have to do anything manually, it was all done for me.
but either way...
I get this email and what struck me immediately was the fact the name on the email wasn't "Alex Chapman", it was his password to most of his accounts.
now what immediately caught my eye (or ear because I'm blind) was the fact this hacker knew his password to what he got into was his Google workspace account...at least at the time, as that was required to be changed around sometime ago before the hack, as part of our password policy, which required a 30-day password change.
he also claimed he had...videos...of Alex (I'm not gonna get into details of what kind because it'd probably go against cloudron's TOS) and requested almost 1200 dollars for removal of any harmful software he put on, etc.
but the hacker made a critical mistake, and now I have his Bitcoin transactions on my computer.
you see, you all know Bitcoin, right?
well, thing is...it's not anonymous.
if I have your Bitcoin wallet, I can trace all of your transactions, from what you sent, to what you received on the blockchain.
if any of you (any of you) would like to view his transactions on the blockchain, here they are
currently, I think he has around a thousand dollars in BTC, so he's made a few bucks.
now scam or not, this does seem something bad. I'm gonna post some parts of the email to you, but I'm also gonna redact other parts, because it does contain some sensitive information, like his password that btw, he uses on most sites.
and yeah, that's chapter1 of how I intercepted a hacker's message. -
how I caught a hacker trying to (or may have) hacked into 1 of my colleague's old accounts.
interestingly, even though it can be updated, humanware has decided not to update the braillenote any further than android 8.0. I actually spoke with a technical guy about it. and while i would like to port it over to android 13 or better, i'm afraid I could lose the braille technology (such as keysoft) or lose the braille display abilities.
-
how I caught a hacker trying to (or may have) hacked into 1 of my colleague's old accounts.
so here is a new, and possibly the final update.
the situation has not worsened, and turns out that I believe he was blackmailed.
so i'm happy to report that the hack was pretty much false.
sounds like this guy just wanted some clout or some money.
I have no further intentions of sharing his Bitcoin wallet information, if you want to see that head into the first post on this thread.
but I think we can consider this closed.