@BrutalBirdie I am working on it now and when I get done I will post it.
Mastadamus
Posts
-
Cloudron external ldaps with OpenCTI -
Incorporate a WAF built into cloudron
It would be awesome to incorporate an application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in cloudron? That would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
-
Cloudron works great with Wazuh/Ossec agent
Just wanted to report that I installed the Wazuh/ossec agent on my cloudron server to grab logs and send them to a Security Onion. I've been running it alongside the Cloudron now for a while. I've been getting alerts, logs sent back etc. Everything is going well. So if you want a HIDS on your Cloudron server, Wazuh works.
-
Jitsi Meet
Any updates on jitsi meet?
-
Crowdsec Install guide for cloudron purposes
Warning
Please install at your own risk. Cloudron does not support installing extra applications and packages on the server.
Install crowdsec, IPtables bouncer, and log4j detection collection on cloudron and reconfigure cloudron nginx conf for default logging.
Install crowdsec
sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
(During the installation process the Crowdsec installer should install the appropriate "collections", which consist of parsers and rules for the log sources on your cloudron.)
Edit nginx.conf file to put in default logging.
- SSH into your cloudron
- using text editor of your choice open the nginx.conf file found at /etc/nginx/nginx.conf
- We want to change the logging section to look like it does in this example nginx.conf file.
user www-data;

# detect based on available CPU cores
worker_processes auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for upstream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # required for long host names
    server_names_hash_bucket_size 128;

    # the collectd config depends on this log format
    access_log /var/log/nginx/access.log combined;

    sendfile on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not whole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
    keepalive_timeout 65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 requests a second

    include applications/*.conf;
}
Install bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
Install Log4j Collection
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec
Installation of crowdsec metabase docker dashboard
- To install the docker container on port 8181 (you may change this as desired). Note this should be for internal network access only. Do not open this up to the internet. It may be better to try to integrate this with the metabase app that comes with cloudron, available in the appstore. I haven't dug into that yet though.
sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password < insert password>
- To make persistent.
- Identify the crowdsec/metabase container ID number
docker ps
- persistent command
sudo docker update --restart=unless-stopped <container ID number >
Access metabase
- you can access metabase by navigating to "http://yourIP:8181"
- your credentials will be crowdsec@crowdsec.net and whatever you set the password to.
References:
https://docs.crowdsec.net/docs/getting_started/install_crowdsec
-
Keycloak
I'm trying to set up some apps on an external server and have them be able to utilize my cloudron's ldap BUT also do 2fa. Keycloak would go a long way here. I couldn't find an app request for this but I think this would be a great addition to the fold.
-
Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
I wrote a script that can do the following.
- Check NGINX access.log for 404 and 403 response codes
- Extract IP's associated and see if they are scanners/noise with the community greynoise API.
- If they are noise, you can pass a -c flag and send them to a cloudflare IP block list to decrease "noise"
- If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.
You can find it here. Feel free to use/cut/slice/tailor to your liking.
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh
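The offline half of the script described above (steps 1, 2 and 4: pull 403/404 IPs out of an nginx access log and tally every path/status each of them hit), reimplemented here as an added example in Python. This is not the script from the post, and the GreyNoise lookup and Cloudflare call are deliberately left out so it runs with no network. It also shows the point made elsewhere in this thread about log formats: the parser below only understands the stock nginx "combined" format, so a line in any other format (like Cloudron's combined2) is dropped rather than parsed. The log lines are constructed, not real traffic.

```python
"""Parse nginx 'combined' access log lines, list the IPs that drew 403/404
responses, and summarise every (path, status) pair each of those IPs requested.
Added example; the log lines are constructed."""
import re
from collections import Counter, defaultdict

# nginx 'combined' log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2021:07:55:25 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2021:07:55:26 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2021:07:55:27 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Dec/2021:08:01:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.9 - - [17/Dec/2021:08:01:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.0.2.55 - - [17/Dec/2021:08:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
this line is not in combined format and is skipped by the parser
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def parse_log(text):
    """Parse every line, silently dropping lines that are not in combined format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def suspicious_ips(records, codes=(403, 404)):
    """Steps 1 and 2 of the post: the sorted set of IPs that received a 403 or 404."""
    return sorted({r["ip"] for r in records if r["status"] in codes})


def activity_by_ip(records, ips):
    """Step 4 of the post: for each listed IP, a count of every distinct
    (path, status) pair across ALL of its requests, not only the 403/404 ones,
    which is what makes the long-tail review possible."""
    wanted = set(ips)
    per_ip = defaultdict(Counter)
    for r in records:
        if r["ip"] in wanted:
            per_ip[r["ip"]][(r["path"], r["status"])] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, counts in activity_by_ip(recs, suspicious_ips(recs)).items():
        print(ip)
        for (path, status), n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {status}  {path}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/nginx/access.log; the lines only match once the access_log format has been switched to "combined" as described in the install guide above.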
-
Log4j and log4j2 library vulnerability
I'm not sure if you guys are tracking, but an unauthenticated RCE exploit just got dropped and is being exploited in the wild for the log4j and log4j2 library.
This is used in a ton of products from apache struts to elasticsearch as the default logging framework.
Does cloudron use this and if so when can we get a patch?
-
Log4j and log4j2 library vulnerability
-
Love this app
I love this app. I'm using my cloudron adguard instance as the backup DNS to the Adguard instance I have installed in docker on my router. That way all dns requests are filtered through my firewall allow/block rules list first prior to hitting the dns filters. This ensures my NGW block lists that operate at dns level can take effect. Thanks for implementing this. It's working great.
-
hardening Ubuntu 20.04 cloudron server
@girish Over the next month, I'm going to go line by line through that CIS benchmark and implement it, then check for functionality. Would you be interested in that report? My thoughts are if it's compatible with Cloudron functions, it may be something worthwhile to implement as part of the install script prior to installing the actual Cloudron core components?
-
Log4j and log4j2 library vulnerability
@girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.
-
Implement Crowdsec, a docker and server level crowd sourced security guard
@privsec The other thing to consider is, when I installed the nginx bouncer, even though I left configs default, it crashed the nginx service and I couldn't restart it. Even after I uninstalled the bouncer, I couldn't get nginx back so I had to revert to a snapshot. The iptable bouncer works decent though. Will have to do further testing to figure out why installing the nginx bouncer crashes nginx for cloudron.
-
Script to automatically update cloudflare ip blocklist
I wrote a script to update an ip blocklist in cloudflare. Even free cloudflare can have 1 free ip list. My script pulls down the emerging threats ip list, greps out the ips and then posts each one via the cloudflare iplist api.
You can adapt this script to retrieve ips from your fail2ban jail and then send them to cloudflare for block.
Feel free to adapt as you see fit
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview
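The same pipeline as the script above, written here as an added Python example rather than the author's shell script: take a plain-text IP feed, keep only well-formed IPv4 entries, collapse duplicates, and batch them into the JSON bodies the Cloudflare Lists "items" endpoint takes. Assumptions, not from the post: the feed text is constructed (not the real Emerging Threats list), the download and the HTTP POST are handed to a caller-supplied function so nothing touches the network, the URL shape and {"ip": ...} item format are Cloudflare's documented Lists API at the time of writing (check the current docs), and the 1000-item batch size is an arbitrary constructed cap.

```python
"""Validate a text IP block list and batch it into Cloudflare Lists API item
payloads without sending anything. Added example; feed and batch size are
constructed assumptions, and the API shape should be checked against
Cloudflare's current documentation."""
import ipaddress
import json

# Constructed feed in the style of a one-entry-per-line IP block list.
FEED = """\
# constructed sample feed, '#' starts a comment
203.0.113.7
198.51.100.0/24
203.0.113.7        # duplicate, must collapse to one entry
2001:db8::1        # IPv6 is skipped: this example assumes a v4-only list
not-an-ip          # garbage that grep-based extraction could let through
192.0.2.0/33       # invalid prefix length
"""


def parse_feed(text):
    """Return sorted, de-duplicated IPv4 addresses and CIDRs as strings.
    ipaddress.ip_network does the validation, so malformed lines never reach the API."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an address or CIDR at all
        if net.version != 4:
            continue  # assumption: the list only carries IPv4
        nets.add(net)
    # single hosts go out as bare addresses, ranges keep their prefix length
    return [str(n.network_address) if n.num_addresses == 1 else str(n) for n in sorted(nets)]


def to_items(entries):
    """Cloudflare Lists API item objects (assumed documented shape: {"ip": "..."})."""
    return [{"ip": e} for e in entries]


def chunked(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def push_list(entries, account_id, list_id, post, chunk_size=1000):
    """Send the entries in batches through `post(url, body)`, a function the
    caller supplies (for example wrapping requests.post with the
    Authorization header). Returns the number of items handed to post()."""
    url = (f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
           f"/rules/lists/{list_id}/items")
    sent = 0
    for batch in chunked(to_items(entries), chunk_size):
        post(url, json.dumps(batch))
        sent += len(batch)
    return sent


if __name__ == "__main__":
    # dry run: print what would be posted instead of calling the API
    n = push_list(parse_feed(FEED), "ACCOUNT_ID_PLACEHOLDER", "LIST_ID_PLACEHOLDER",
                  lambda url, body: print("POST", url, body))
    print(f"{n} items")
```

The validation step is the part worth keeping even in a shell version: an IP feed that is merely grepped for dotted quads will happily pass along commented-out entries, IPv6, or an out-of-range prefix, and the API then rejects the whole batch.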
-
Implement default NGINX logging
Currently logging in NGINX is set to combined2. This requires tools that rely on log parsers to have new log parsers developed to work with Combined2 format. Currently Crowdsec and Wazuh/ossec have troubles with combined2 format due to parsing issues. By simply changing the nginx conf log format section to default as referenced in this thread https://forum.cloudron.io/topic/6077/nginx-logs-format?_=1639325942653, both Wazuh/ossec agents can properly parse nginx logs and provide protection against malicious actors. Likewise, crowdsec will function and be able to provide blocking actions based on malicious activity observed in the nginx logs. Without this change, new parsers would have to be written for Wazuh/ossec, and crowdsec.
-
Botpress, a bot builder system
I'd be very interested in this. This could integrate nicely with the chat options we already have like rocketchat and Element.
-
Develop and sell a "roku" like cloudron box.
Imagine this: My family, fed up with censorship from social media and privacy concerns, decides to "cut the cord" on social media. We just have no alternatives to easily set up for non tech (assume we are non techies). Enter cloudron box. A device a bit bigger than a roku premier + that is a mini fanless pc with a 4 core chip and 16gb ram. It comes preinstalled with cloudron and 2 "social media" chat apps installed. It also comes with an instructional card on how to download the "cloudron app" to register a domain name and sync it with your box. For a low monthly fee you can get additional access to the cloudron app store and routine updates.
IF yall could make setting up a home hosted cloudron server as easy as installing a roku, you guys could create a whole new segment of the market by targeting social media "cord cutters" who still want to network with friends and family easily and own their own data. Just saying.
-
Log4j and log4j2 library vulnerability
@mastadamus I'm happy to report that Crowdsec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with a firewall iptable bouncer, it will auto block any ip belonging to an attempt it parses out.
crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25
-
Keycloak
@jk yeah I saw that. I just wanted to put it formally in the app wishlist.
-
hardening Ubuntu 20.04 cloudron server
Do ya'll use any checklists to harden your servers like CIS? I have the CIS ubuntu linux hardening checklist and I'm wondering if any of ya'll have run it and if so is there anything in there that's not obvious which will break our cloudron server functionality?