RE: Cloudron external ldaps with OpenCTI

@BrutalBirdie I am working on it now and when I get done I will post it.

It would be awesome to incorporate a application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in cloudron? that would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/

Just wanted to report that, I installed Wazuh/ossec agent on my cloudron server to grab logs and send to a security onion. I've been running it alongside the Cloudron now for a while. I've been getting alerts, logs sent back etc. Everything is going well. So if you want a HIDS on your Cloudron server, Wazuh works.

Any updates on jitsi meet?

Install crowdsec, IPtables bouncer, and log4j detection collection on cloudron and reconfigure cloudron nginx conf for default logging.

---

Install crowdsec

sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec

(during the installation process Crowdsec install should install the appropriate "collections" which consists of parsers, and rules for the log sources on your cloudron.

Edit nginx.conf file to put in default logging.

• SSH into your cloudron
• using text editor of your choice open the nginx.conf file found at /etc/nginx/nginx.conf
• We want to changed the logging section to look like it does in this example nginx.conf file.

user www-data;

# detect based on available CPU cores
worker_processes  auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections  4096;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format




    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not w                                                                             hole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeo                                                                             ut in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 req                                                                             uest a second

    include applications/*.conf;

Install bouncer

sudo apt install crowdsec-firewall-bouncer-iptables

Install Log4j Collection

sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec

Installation of crowdsec metabase docker dashboard

1. to install the docker container on port 8181(may change this as desired. (Note this should be for internal network access only.) Do not open this up to the internet. It may be better to try to integrate this with the metabase app that comes with cloudron available in the appstore. I haven't dug into that yet though. )

sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password < insert password>

2. To make persistent.

• Identify the crowdsec/metabase container ID number

docker ps

• persistant command

sudo docker update --restart=unless-stopped <container ID number > 

Access metabase

1. you can access metabase by navigating to "http://yourIP:8181
2. your credentials will be crowdsec@crowdsec.net and whatever you set the password.

References:

https://docs.crowdsec.net/docs/getting_started/install_crowdsec

I'm not sure if you guys are tracking but unauthenticated RCE exploit just got dropped and is being exploited in the wild for log4j and log4j2 library.
This is used in a ton of products from apache struts to elasticsearch as the default logging framework.
Does cloudron use this and if so when can we get a patch?

@rmdes https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes

I Love this app. I'm using my cloudron adguard instance as the backup DNS to my Adguard instance i have installed in docker on my router. That way all dns requests are filtered through my firewall allow/block rules list first prior to hitting the dns filters. This ensures my NGW block lists that operation at dns level can take effect. thanks for implementing this. Its working great.

@girish Over the next month, I'm going to go line by line through that CIS benchmark and implement it then check for functionality. Would you be interested in that report? My thoughts are if its compatible with Cloudron functions, it may be something worthwhile to implement as part of the install script prior to installing the actual Cloudron core components?

@girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.

NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.

In my cloudron dash it shows that i'm running the latest version of wordpress. Inside my wordpress dashboard though, it shows that i'm running 5.8.4. It prompts me to update it. Which is correct?

@girish Yeah thats what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie Helman. As far as I can determine currently the cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM diffie hellman as far as I know.

what about cloudflare tunnels?

@mehdi Yeah WordPress is targeted frequently for sure. I think there are ways to harden it relatively speaking but it is a risk. I do think its similar though to "not using windows" because windows is so ubiquitous that tons of malware devs write for windows systems. I will check out Ghost though. Thank you.

Does anyone have any recommendations on solid resources to get proficient at creating Wordpress sites? I know how to stumble my way through it, but I'd like to get better as i'm considering starting a small side business building, securing, and maintaining websites for some local businesses. Has anyone made this a viable business? If so any recommendations? I just want to do it for some local businesses I know of that are in sore need of some web facing information and would benefit from basic cybersecurity.

For those of us who wish to capture our network traffic for inspection, It makes more sense for us to put a LB/reverse proxy in front of our cloudron and then terminate SSL/TLS at the LB and pass un encrypted to our Cloudron. Obviously for certain traffic where E2E encryption is preferred we can proxy pass https. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.

@BrutalBirdie I am working on it now and when I get done I will post it.

@jk yeah I saw that. I just wanted to put it formally in app wishlist

I successfully integrated my OpenCTI threat intel platform instance with my cloudron ldaps.
If anyone is doing a similar project, dm me if you need assistance.