mm, strange I just checked our instance and all seems to work as expected.
- logging into the admin: all seems fine
- opening a survey in a private browser tab: all seems fine
@growco said in Unstable: Meaning and will it change soon?:
Do you use the free community version for that? Any restrictions you faced with the community version so far in your environment?
The app in the Cloudron Appstore is the Community version, as far as I know no other options than that.
As far as I see everything works, even the apps (iOS I tried) can easily be connected to scan tickets very fast.
@ccfu said in Unstable: Meaning and will it change soon?:
@imc67 The app only works with the enterprise version though, right?
The Pretix version is Community, so no fees, you can use it immediately (but after a steep learning curve for the admin as there are many many options).
This is my experience until now: I use it for our museum only recently, the first two lectures are now for booking and it seems to work very well. At least the visitors (generally 50+) know how to use it. October 5th is the first lecture and the volunteers will use the app to scan at entry. I tested it thoroughly and it works very intuitively.
The subject of mail archiving is interesting and this piece of software (Mail Archiver) too. It would be great to have this as an app in the AppStore.
WP-Rocket on every site: https://wp-rocket.me/
@girish said in Server security update reboot: SFTPGo doesn't start:
A package cannot change the port ranges (just like it cannot change the installed domain names). But for a new installation, it will recommend 20000 instead
Maybe you can explicitly mention in the update notes the default / advised ports? Existing installs will not be moved to the "new" ports and thus keep having issues?
@girish good finds! It's also the same issue with MiroTalk (what I know of and experienced) but maybe more apps?
https://forum.cloudron.io/search?term=bind%3A address already in use&in=titlesposts
said in Server security update reboot: SFTPGo doesn't start:
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there it had an active connection (ssh outside of Docker) to the right IPv6, my storage box!
I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my IPs in your message (I just corrected mine)
@girish is this a bug? There are more topics with the same kind of error message
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there it had an active connection (ssh outside of Docker) to the right IPv6, my storage box!
I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my IPs in your message (I just corrected mine)
Thanks to ChatGPT I could solve it:
"Something" outside Docker was claiming this port
sudo kill 940
Killed this connection, now the restore worked and the app started.
BTW: I also restarted Docker via the GUI but it also didn't solve it.
@james said in Server security update reboot: SFTPGo doesn't start:
You can also run the following on your root:
lsof -i :41090 -S
to see if really anything is using that port.
yes:
~# lsof -i :41090 -S
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 940 root 3u IPv6 25971 0t0 TCP [2a03:****:5f:dc5:48ba:****:fe45:61f0]:41090->[2a01:4f8:****:1635::2]:telnet (ESTABLISHED)
What could it be? I already stopped MiroTalk and Nextcloud
This morning I needed to perform a security update reboot and after that SFTPGo doesn't start.
Docker Error: (HTTP code 500) server error - driver failed programming external connectivity on endpoint 98d1b4c0-********-729c3077a061 (cec35e817f384c6cd2***1608926aff5ce2d176a64da69d4f): failed to bind port 0.0.0.0:41090/tcp: listen tcp4 0.0.0.0:41090: bind: address already in use
I tried to restart the task many many times (MiroTalk also has sometimes this issue), tried to restore a backup, etc. etc. .... it doesn't start.
Is there somehow a way to force this? My use of SFTPGo is critical as it is a central backup location for many "IOT appliances".
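Added example, not part of the original posts: port 41090 lies inside Linux's default ephemeral range (32768-60999), so an outbound connection can hold it as its source port, which is what the `lsof` output in this thread shows for the ssh process. The sketch below classifies whoever holds a port from `lsof -i` text; the sample rows, the addresses and the function names are constructed for illustration.

```python
import re

# Linux default for net.ipv4.ip_local_port_range (source ports of outbound connections).
DEFAULT_EPHEMERAL = (32768, 60999)

# Constructed sample shaped like the `lsof -i` output in the post; the addresses
# are documentation-range placeholders and the docker-pr row is invented.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 940 root 3u IPv6 25971 0t0 TCP [2001:db8::1]:41090->[2001:db8::2]:telnet (ESTABLISHED)
docker-pr 1500 root 4u IPv4 30100 0t0 TCP *:41091 (LISTEN)
"""

# Local port must be numeric; run lsof with -P so ports are never shown as names.
NAME_RE = re.compile(
    r"(?P<local>\S+?):(?P<lport>\d+)"      # local address and numeric local port
    r"(?:->(?P<remote>\S+))?"              # peer present => connected socket
    r"(?:\s+\((?P<state>[A-Z_0-9]+)\))?$"  # TCP state, e.g. (LISTEN)
)

def read_ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Current ephemeral range on this host, or the Linux default if unreadable."""
    try:
        with open(path) as fh:
            low, high = fh.read().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL

def port_holders(lsof_text, port, ephemeral=DEFAULT_EPHEMERAL):
    """Return (command, pid, kind) for each socket whose local port is `port`."""
    holders = []
    for line in lsof_text.splitlines()[1:]:        # skip the header row
        cols = line.split(None, 8)                 # 9th column is NAME
        m = NAME_RE.match(cols[8]) if len(cols) == 9 else None
        if not m or int(m["lport"]) != port:
            continue
        if m["state"] == "LISTEN":
            kind = "listener"
        elif m["remote"] and ephemeral[0] <= port <= ephemeral[1]:
            kind = "ephemeral-source"              # heuristic: connected, port in range
        else:
            kind = "connected"
        holders.append((cols[0], int(cols[1]), kind))
    return holders

if __name__ == "__main__":
    for holder in port_holders(SAMPLE_LSOF, 41090, read_ephemeral_range()):
        print(holder)
```

On Linux, ports listed in `net.ipv4.ip_local_reserved_ports` are skipped when the kernel picks a source port for outbound connections, which keeps a published port range free without killing processes.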
@umnz said in Per-application access rules:
@imc67 I'm not sure what you mean, Cloudron does have a Trusted / Blacklisted IPs and Fail2Ban support.
You are answering your own question: look at the subject of this feature request and then the docs. What you mentioned is on server level ... not app level
As mentioned here https://forum.cloudron.io/topic/14208/extra-algorithms-needed/ I discovered the gem SFTPGo for a very useful purpose, thanks @BrutalBirdie for the app, I think it is your credit for packaging it!
SFTPGo has plugins (https://docs.sftpgo.com/2.6/plugins/) which you can find here https://github.com/sftpgo/
I really would like to use the plugin sftp-plugin-geoipfilter (https://github.com/sftpgo/sftpgo-plugin-geoipfilter) for reasonable purposes, however I really don't know how?
of the "needed" algorithms only ECDSA (ecdsa-sha2-nistp256/384/521) is still allowed but considered less robust than modern alternatives, Ed25519 is strongly recommended instead, RFC 8420 – Ed25519 for SSH.
So I did this:
# P-256
ssh-keygen -t ecdsa -b 256 -f /app/data/sftpgo_host_ecdsa_256 -N ""
# P-384
ssh-keygen -t ecdsa -b 384 -f /app/data/sftpgo_host_ecdsa_384 -N ""
# P-521
ssh-keygen -t ecdsa -b 521 -f /app/data/sftpgo_host_ecdsa_521 -N ""
and added these to the config: Now it works!!!
Are these changes I did persistent?
... almost, this is the error when trying to login:
ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]"}
Status: active
Address ":2022"
PROXY protocol enabled
Host key "/app/data/sftpgo_host_key"
Fingerprint "SHA256:******"
Algorithms "ssh-ed25519"
Host key "/app/data/sftpgo_host_rsa_key"
Fingerprint "SHA256:******"
Algorithms "rsa-sha2-256, rsa-sha2-512"
Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
SFTPGO is really handy! I use it as a central location for "IOT" devices to make backups to. The very good thing is that you can create a (manual) account for every device. From Admin view I created one "backups" directory with for each IOT account a subdirectory, this subdirectory is attached as a virtual directory to a specific account. This way the IOT accounts cannot see each other's files and from Admin view there is only one main- with subdirectories. Handy!
However ....
One "IOT" device (Omada software controller) gets an error during connection:
client offered [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519]
According to the docs: https://docs.sftpgo.com/enterprise/config-file/#sshsftp-server you should be able to add algorithms, and I did like this:
"host_key_algorithms": [
"rsa-sha2-512",
"rsa-sha2-256",
"ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp521",
"ssh-ed25519"
],
"kex_algorithms": [
"curve25519-sha256",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group14-sha256",
"diffie-hellman-group-exchange-sha256"
],
"min_dh_group_exchange_key_size": 2048,
"ciphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"chacha20-poly1305@openssh.com",
"aes128-ctr",
"aes192-ctr",
"aes256-ctr"
],
"macs": [],
"public_key_algorithms": [
"ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp521",
"rsa-sha2-512",
"rsa-sha2-256",
"ssh-ed25519",
"sk-ssh-ed25519@openssh.com",
"sk-ecdsa-sha2-nistp256@openssh.com"
],
In the WebAdmin it says this:
SSH/SFTP server
Status: active
Address ":2022"
PROXY protocol enabled
Host key "/app/data/sftpgo_host_key"
Fingerprint "SHA256:*********redacted*********"
Algorithms "ssh-ed25519"
Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
But the error keeps coming and the connection is not possible.
Does anyone know how to solve this?
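Added example, not part of the original posts: the WebAdmin output above lists "Algorithms" per loaded host key, so the server only offers host-key algorithms for key types it actually holds, whatever `host_key_algorithms` says. The sketch below parses the negotiation error quoted in this thread and reports which keys would have to exist for the handshake to succeed; the function names and the generated file names (modelled on the poster's `ssh-keygen` commands) are assumptions.

```python
import re

# Host-key algorithm -> (ssh-keygen -t type, -b bits) of the key the server must hold.
KEY_FOR_ALGO = {
    "ssh-ed25519": ("ed25519", None),
    "rsa-sha2-256": ("rsa", None), "rsa-sha2-512": ("rsa", None), "ssh-rsa": ("rsa", None),
    "ecdsa-sha2-nistp256": ("ecdsa", 256),
    "ecdsa-sha2-nistp384": ("ecdsa", 384),
    "ecdsa-sha2-nistp521": ("ecdsa", 521),
    "ssh-dss": ("dsa", None),
}
LEGACY = {"ssh-rsa", "ssh-dss"}  # SHA-1 RSA signatures and DSA: not worth enabling

ERR_RE = re.compile(r"no common algorithm for host key; client offered:?\s*\[([^\]]*)\],"
                    r"\s*server offered:?\s*\[([^\]]*)\]")

# The error as quoted in the thread (variant with both RSA-SHA2 algorithms offered).
SAMPLE = ("ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss "
          "ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], "
          "server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]")

def parse_offers(line):
    """Split the error into (client algorithms, server algorithms)."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("not a host-key negotiation error")
    return m.group(1).split(), m.group(2).split()

def negotiate(client, server):
    """First algorithm in the client's list that the server also offers, else None."""
    return next((a for a in client if a in server), None)

def diagnose(line):
    client, server = parse_offers(line)
    missing = [a for a in client if a not in server]
    wanted = [KEY_FOR_ALGO[a] for a in missing if a in KEY_FOR_ALGO and a not in LEGACY]
    return {
        "chosen": negotiate(client, server),
        "generate": list(dict.fromkeys(wanted)),          # de-duplicated, order kept
        "legacy_only": [a for a in missing if a in LEGACY],
    }

def keygen_commands(keys, directory="/app/data"):
    """ssh-keygen lines in the style used in the thread (file names are assumed)."""
    cmds = []
    for ktype, bits in keys:
        size = f" -b {bits}" if bits else ""
        name = f"sftpgo_host_{ktype}" + (f"_{bits}" if bits else "")
        cmds.append(f'ssh-keygen -t {ktype}{size} -f {directory}/{name} -N ""')
    return cmds

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```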