@BrutalBirdie I am working on it now and when I get done I will post it.
Best posts made by Mastadamus
-
RE: Cloudron external ldaps with OpenCTI
-
Incorporate a WAF built into cloudron
It would be awesome to incorporate an application-level WAF so we can get some WAF coverage if we are self hosted. ModSecurity can be integrated with the standard version of NGINX, I believe. Here is a link to a setup guide for containerized nginx with ModSecurity. Could we get something like this in Cloudron? That would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
-
Cloudron works great with Wazuh/Ossec agent
Just wanted to report that I installed the Wazuh/OSSEC agent on my Cloudron server to grab logs and send them to a Security Onion. I've been running it alongside Cloudron for a while now. I've been getting alerts, logs sent back, etc. Everything is going well. So if you want a HIDS on your Cloudron server, Wazuh works.
-
Crowdsec Install guide for cloudron purposes
Install CrowdSec, the iptables bouncer, and the Log4j detection collection on Cloudron, and reconfigure the Cloudron nginx conf for default logging.
Install CrowdSec
sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
(During the installation process, the CrowdSec install should install the appropriate "collections", which consist of parsers and rules for the log sources on your Cloudron.)
Edit nginx.conf file to put in default logging.
- SSH into your Cloudron
- Using the text editor of your choice, open the nginx.conf file found at /etc/nginx/nginx.conf
- We want to change the logging section to look like it does in this example nginx.conf file.

    user www-data;

    # detect based on available CPU cores
    worker_processes auto;

    # this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
    # usually twice the worker_connections (one for upstream, one for downstream)
    # see also LimitNOFILE=16384 in systemd drop-in
    worker_rlimit_nofile 8192;

    pid /run/nginx.pid;

    events {
        # a single worker has these many simultaneous connections max
        worker_connections 4096;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        # the collectd config depends on this log format
        # required for long host names
        server_names_hash_bucket_size 128;

        access_log /var/log/nginx/access.log combined;

        sendfile on;

        # timeout for client to finish sending headers
        client_header_timeout 30s;

        # timeout for reading client request body (successive read timeout and not whole body!)
        client_body_timeout 60s;

        # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
        keepalive_timeout 65s;

        # zones for rate limiting
        limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 requests a second

        include applications/*.conf;
Install bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
Install Log4j Collection
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec
Installation of the CrowdSec Metabase Docker dashboard
- To install the Docker container on port 8181 (you may change this as desired). Note: this should be for internal network access only. Do not open this up to the internet. It may be better to try to integrate this with the Metabase app that comes with Cloudron, available in the App Store; I haven't dug into that yet though.
sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password <insert password>
- To make it persistent:
- Identify the crowdsec/metabase container ID number
docker ps
- Persistence command
sudo docker update --restart=unless-stopped <container ID number>
Access Metabase
- You can access Metabase by navigating to "http://yourIP:8181"
- Your credentials will be crowdsec@crowdsec.net and whatever you set the password to.
References:
https://docs.crowdsec.net/docs/getting_started/install_crowdsec
-
Log4j and log4j2 library vulnerability
I'm not sure if you guys are tracking this, but an unauthenticated RCE exploit just got dropped and is being exploited in the wild for the log4j and log4j2 libraries.
This is used in a ton of products, from Apache Struts to Elasticsearch, as the default logging framework.
Does Cloudron use this, and if so, when can we get a patch?
-
Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
I wrote a script that can do the following:
- Check the NGINX access.log for 404 and 403 response codes
- Extract the associated IPs and see if they are scanners/noise with the community GreyNoise API.
- If they are noise, you can pass a -c flag and send them to a Cloudflare IP block list to decrease "noise"
- If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code, so that you can perform long-tail analysis.
You can find it here. Feel free to use/cut/slice/tailor it to your liking.
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh
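The log-parsing half of the workflow described in this post, written out as an added example. This is not Mastadamus's GrabIPandCheck.sh and makes no GreyNoise or Cloudflare calls; it assumes the nginx "combined" log format set in the nginx.conf from the CrowdSec post above (client IP in awk field $1, request path in $7, status code in $9), and the log lines it runs on are constructed samples, not real traffic.

```shell
#!/usr/bin/env bash
# Added example (not the GrabIPandCheck.sh script from the post): the
# 403/404 extraction and long-tail summary steps against a combined-format
# nginx access log. Field numbers assume the combined format; other formats
# need the awk field numbers adjusted, as the post notes.

set -euo pipefail

# Constructed sample access.log with documentation-range IPs; not real traffic.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Dec/2021:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.10 - - [10/Dec/2021:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.10 - - [10/Dec/2021:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.7 - - [10/Dec/2021:10:01:00 +0000] "GET /admin HTTP/1.1" 403 162 "-" "python-requests/2.25"
198.51.100.7 - - [10/Dec/2021:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "python-requests/2.25"
192.0.2.55 - - [10/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# Step 1: unique client IPs that received at least one 403 or 404.
# $9 is the status code in the combined format; $1 is the client IP.
suspect_ips() {
    awk '$9 == 403 || $9 == 404 { print $1 }' "$1" | sort -u
}

# Number of suspect IPs, as a single value for scripting and assertions.
suspect_count() {
    suspect_ips "$1" | wc -l | tr -d ' '
}

# Step 2 (long-tail view): every request one IP made anywhere in the log,
# collapsed to "count status path", most frequent first.
longtail() {
    local logfile="$1" ip="$2"
    awk -v ip="$ip" '$1 == ip { print $9, $7 }' "$logfile" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Stand-alone run: print the long-tail summary for each suspect IP.
main() {
    for ip in $(suspect_ips "$SAMPLE_LOG"); do
        echo "== $ip"
        longtail "$SAMPLE_LOG" "$ip"
    done
}

main
```

Point it at /var/log/nginx/access.log instead of the sample file to get the same two views on a real Cloudron; the GreyNoise lookup and Cloudflare push from the post would sit between the two steps, consuming the output of suspect_ips.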
-
Love this app
I love this app. I'm using my Cloudron AdGuard instance as the backup DNS to the AdGuard instance I have installed in Docker on my router. That way all DNS requests are filtered through my firewall allow/block rule list first, prior to hitting the DNS filters. This ensures my NGFW block lists that operate at the DNS level can take effect. Thanks for implementing this. It's working great.
-
RE: hardening Ubuntu 20.04 cloudron server
@girish Over the next month, I'm going to go line by line through that CIS benchmark and implement it, then check for functionality. Would you be interested in that report? My thoughts are that if it's compatible with Cloudron functions, it may be something worthwhile to implement as part of the install script prior to installing the actual Cloudron core components?
Latest posts made by Mastadamus
-
RE: Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes
@girish Do we have a way to do this yet? Support for reverse proxies in front of Cloudron?
-
RE: VLAN : on Opnsense or switch or both?
@timconsidine If you want to route between the VLANs and push them through the firewall, you'll need a router-on-a-stick configuration. That is where OPNsense VLANs will come into play, unless you have a layer 3 switch.
-
RE: FreeTAKServer for ATAK - Mesh Geo Information System
I would absolutely love and use the hell out of this. Heck, I'd pay a bit for this.
-
RE: X-Forwarded-For Header
@girish Any update on support for reverse proxies, or on adding this logging config as the default?
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@girish Gotcha, but as long as I don't do that, I should be gtg. I'm just thinking of a script that does 3 things:
- Grabs all the IPs from the Emerging Threats block list
- Grabs all the 403/404s from the access logs and sends them to GreyNoise to check if they are known "noise", and then
- Adds both of these IP groups to that file and restarts the service.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@girish If I add IPs to /home/yellowtent/platformdata/firewall/blocklist.txt, will they automatically be blocked, or will I need to restart the box service?
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@micmc Yes, you could easily take this script and use it for Apache. The only thing you need to do is look at your Apache logs and see what position the source IP is in. The parts in the script where it does
awk '{print $1}'
etc. are telling it to grab the first position in the nginx log, which happens to be the source IP for my particular logging configuration. So really the only thing you would need to tailor/alter is the awk statements.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@fbartels GreyNoise just runs a big honeypot and sensor landscape that captures and catalogues internet scanning, whereas CrowdSec is community-sourced reporting of both scanning and malicious actions. GreyNoise, I believe, has a much larger dataset. Its primary purpose is to see if an IP is targeting just you or multiple entities.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@robi Let me look into it. Need to see how I would interact with that list.