RE: Cloudron external ldaps with OpenCTI

@BrutalBirdie I am working on it now and when I get done I will post it.

It would be awesome to incorporate a application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in cloudron? that would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/

Just wanted to report that, I installed Wazuh/ossec agent on my cloudron server to grab logs and send to a security onion. I've been running it alongside the Cloudron now for a while. I've been getting alerts, logs sent back etc. Everything is going well. So if you want a HIDS on your Cloudron server, Wazuh works.

Any updates on jitsi meet?

Install crowdsec, IPtables bouncer, and log4j detection collection on cloudron and reconfigure cloudron nginx conf for default logging.

---

Install crowdsec

sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec

(during the installation process Crowdsec install should install the appropriate "collections" which consists of parsers, and rules for the log sources on your cloudron.

Edit nginx.conf file to put in default logging.

• SSH into your cloudron
• using text editor of your choice open the nginx.conf file found at /etc/nginx/nginx.conf
• We want to changed the logging section to look like it does in this example nginx.conf file.

user www-data;

# detect based on available CPU cores
worker_processes  auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections  4096;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format




    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not w                                                                             hole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeo                                                                             ut in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 req                                                                             uest a second

    include applications/*.conf;

Install bouncer

sudo apt install crowdsec-firewall-bouncer-iptables

Install Log4j Collection

sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec

Installation of crowdsec metabase docker dashboard

1. to install the docker container on port 8181(may change this as desired. (Note this should be for internal network access only.) Do not open this up to the internet. It may be better to try to integrate this with the metabase app that comes with cloudron available in the appstore. I haven't dug into that yet though. )

sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password < insert password>

2. To make persistent.

• Identify the crowdsec/metabase container ID number

docker ps

• persistant command

sudo docker update --restart=unless-stopped <container ID number > 

Access metabase

1. you can access metabase by navigating to "http://yourIP:8181
2. your credentials will be crowdsec@crowdsec.net and whatever you set the password.

References:

https://docs.crowdsec.net/docs/getting_started/install_crowdsec

I'm not sure if you guys are tracking but unauthenticated RCE exploit just got dropped and is being exploited in the wild for log4j and log4j2 library.
This is used in a ton of products from apache struts to elasticsearch as the default logging framework.
Does cloudron use this and if so when can we get a patch?

I wrote a script that can do the following.

1. Check NGINX access.log for 404 and 403 response codes
2. Extract IP's associated and see if they are scanners/noise with the community greynoise API.
3. If they are noise, you can pass a -c flag and send them to a cloudflare IP block list to decrease "noise"
4. If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.

You can find it here. Feel free to use/cut/slice tailor to your liking

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh

@rmdes https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes

I Love this app. I'm using my cloudron adguard instance as the backup DNS to my Adguard instance i have installed in docker on my router. That way all dns requests are filtered through my firewall allow/block rules list first prior to hitting the dns filters. This ensures my NGW block lists that operation at dns level can take effect. thanks for implementing this. Its working great.

@girish Over the next month, I'm going to go line by line through that CIS benchmark and implement it then check for functionality. Would you be interested in that report? My thoughts are if its compatible with Cloudron functions, it may be something worthwhile to implement as part of the install script prior to installing the actual Cloudron core components?

@girish Any update on support reverse proxy or adding this logging config as default?

@girish Gotcha but as long as I don't do that, I should be gtg. Im just thinking of a script that does 3 things.

1. Grabs all the IP's from emerging threats block list
2. Grabs all the 403/404's from access logs sends them to greynoise to check if they are known "noise" and then
3. Add both of these IP groups to that file and restart the service.

@girish If I add IP's to /home/yellowtent/platformdata/firewall/blocklist.txt will the automatically be blocked or will I need to restart the box service?

@micmc Yes you could easily take this script and use it for apache. The only think you need to do is look at your apache logs and see what position the source IP is in. the parts in the script where it does awk '{print $1}' etc. are telling it to grab the first position in the nginx log which happens to be the source IP for my particular logging configuration. so really the only think you would need to tailor/alter is the awk statements.

@fbartels greynoise just runs a big honeypot and sensor landscape that captures and catalogues internet scanning. whereas crowdsec is a community sourced reporting of both scanning and malicious actions. Greynoise I believe has a much larger dataset. Its primary purpose is to see if an IP is targeting just you or multiple entities.

@robi let me look into it. Need to see how I would interact with that list.

I wrote a script that can do the following.

1. Check NGINX access.log for 404 and 403 response codes
2. Extract IP's associated and see if they are scanners/noise with the community greynoise API.
3. If they are noise, you can pass a -c flag and send them to a cloudflare IP block list to decrease "noise"
4. If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.

You can find it here. Feel free to use/cut/slice tailor to your liking

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh

I wrote a script to update an ip blocklist in cloudflare. Even free cloudflare can have 1 free ip list. My script pulls down the emerging threats ip list, grep out the ip and then posts each one via the cloudflare iplist api.

You can adapt this script to retrieve ips from your fail2ban jail and then send them to cloudflare for block.

Feel free to adapt as you see fit

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview

I haven't had a chance to finish the overall guide for the cloudron specific part but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, Elasticsearch cluster with X-Pack security, and multiple plugins as well as LDAP integration. you can find it here

OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy

OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI

If you just want to skip to how you integrate LDAP with OpenCTI docker-compose I will paste examples below

- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636
- PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LOCAL__STRATEGY=LocalStrategy

NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.