RE: Cloudron external ldaps with OpenCTI

@BrutalBirdie I am working on it now and when I get done I will post it.

It would be awesome to incorporate a application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in cloudron? that would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/

Just wanted to report that, I installed Wazuh/ossec agent on my cloudron server to grab logs and send to a security onion. I've been running it alongside the Cloudron now for a while. I've been getting alerts, logs sent back etc. Everything is going well. So if you want a HIDS on your Cloudron server, Wazuh works.

Any updates on jitsi meet?

Install crowdsec, IPtables bouncer, and log4j detection collection on cloudron and reconfigure cloudron nginx conf for default logging.

---

Install crowdsec

sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec

(during the installation process Crowdsec install should install the appropriate "collections" which consists of parsers, and rules for the log sources on your cloudron.

Edit nginx.conf file to put in default logging.

• SSH into your cloudron
• using text editor of your choice open the nginx.conf file found at /etc/nginx/nginx.conf
• We want to changed the logging section to look like it does in this example nginx.conf file.

user www-data;

# detect based on available CPU cores
worker_processes  auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections  4096;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format




    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not w                                                                             hole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeo                                                                             ut in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 req                                                                             uest a second

    include applications/*.conf;

Install bouncer

sudo apt install crowdsec-firewall-bouncer-iptables

Install Log4j Collection

sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec

Installation of crowdsec metabase docker dashboard

1. to install the docker container on port 8181(may change this as desired. (Note this should be for internal network access only.) Do not open this up to the internet. It may be better to try to integrate this with the metabase app that comes with cloudron available in the appstore. I haven't dug into that yet though. )

sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password < insert password>

2. To make persistent.

• Identify the crowdsec/metabase container ID number

docker ps

• persistant command

sudo docker update --restart=unless-stopped <container ID number > 

Access metabase

1. you can access metabase by navigating to "http://yourIP:8181
2. your credentials will be crowdsec@crowdsec.net and whatever you set the password.

References:

https://docs.crowdsec.net/docs/getting_started/install_crowdsec

I'm not sure if you guys are tracking but unauthenticated RCE exploit just got dropped and is being exploited in the wild for log4j and log4j2 library.
This is used in a ton of products from apache struts to elasticsearch as the default logging framework.
Does cloudron use this and if so when can we get a patch?

I wrote a script that can do the following.

1. Check NGINX access.log for 404 and 403 response codes
2. Extract IP's associated and see if they are scanners/noise with the community greynoise API.
3. If they are noise, you can pass a -c flag and send them to a cloudflare IP block list to decrease "noise"
4. If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.

You can find it here. Feel free to use/cut/slice tailor to your liking

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh

@rmdes https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes

I Love this app. I'm using my cloudron adguard instance as the backup DNS to my Adguard instance i have installed in docker on my router. That way all dns requests are filtered through my firewall allow/block rules list first prior to hitting the dns filters. This ensures my NGW block lists that operation at dns level can take effect. thanks for implementing this. Its working great.

@girish Over the next month, I'm going to go line by line through that CIS benchmark and implement it then check for functionality. Would you be interested in that report? My thoughts are if its compatible with Cloudron functions, it may be something worthwhile to implement as part of the install script prior to installing the actual Cloudron core components?

@girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.

@privsec The other thing to consider is, when i installed the nginx bouncer, even though i left configs default, it crashed the nginx service and i couldn't restart it. Even after I uninstalled the bouncer, I couldn't get nginx back so i had reverted to a snapshot. The iptable bouncer works decent though. Will have to do further testing to figure out why installing the nginx bouncer crashes nginx for cloudron.

I wrote a script to update an ip blocklist in cloudflare. Even free cloudflare can have 1 free ip list. My script pulls down the emerging threats ip list, grep out the ip and then posts each one via the cloudflare iplist api.

You can adapt this script to retrieve ips from your fail2ban jail and then send them to cloudflare for block.

Feel free to adapt as you see fit

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview

Currently logging in NGINX is set to combined2. This requires tools that rely on log parsers to have new log parsers developed to work with Combined2 format. Currently Crowdsec and Wazuh/ossec have troubles with combined2 format due to parsing issues. By simply changing the nginx conf log format section to default as referenced in this thread https://forum.cloudron.io/topic/6077/nginx-logs-format?_=1639325942653, both Wazuh/ossec agents can properly parse nginx logs and provide protection against malicious actors. Likewise, crowdsec will function and be able to provide blocking actions based on malicious activity observed in the nginx logs. Without this change, new parsers would have to be written for Wazuh/ossec, and crowdsec.

@mastadamus I'm happy to report that Crowdsec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with an firewall iptable bouncer it will auto block any ip belonging to an attempt it parses out.

crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25

Imagine this, My family, fed up with censorship from social media and privacy concerns, decides to "cut the cord" on social media. We just have no alternatives to easily set up for non tech(assume we are non techies). Enter cloudron box. A device a bit bigger then a roku premier + that is a mini fanless pc with a 4 core chip and 16gb ram. It comes preinstalled with cloudron and 2 "social media" chat apps installed. It also comes with a instructional card on how to download the "cloudron app" to register a domain name and sync it with your box. For a low monthly fee you can get additional access to the cloudron app store and routine updates.

IF yall could make setting up a home hosted cloudron server as easy as installing a roku, you guys could create a whole new segment of the market by targetting social media "cord cutters" who still want to network with friends and family easily and own their own data. just saying.

@girish I got home and ran systemctl restart box from SSH and it brought up all services and then the apps configured correctly.

Do ya'll use any checklists to harden your servers like CIS? I have the CIS ubuntu linux hardening checklist and i'm wondering if any of ya'll have run it and if so is there anything in there thats not obvious which will break our cloudron server functionality?

@mehdi Yeah WordPress is targeted frequently for sure. I think there are ways to harden it relatively speaking but it is a risk. I do think its similar though to "not using windows" because windows is so ubiquitous that tons of malware devs write for windows systems. I will check out Ghost though. Thank you.

I recently ran some vulnerability tests via qualys against my cloudron setup and im showing a vulnerability with the 993 using tls 1.0. I thought 1.0 was disabled by cloudron? Is this a false alarm? IF not, is there an easy way to force tls 1.2 only?

@mastadamus The IP TABLE bouncer seems to be working fine. Also I installed the metabase Docker container running on 8181 with success.

I've tried element/matrix and now rocket.chat. I find rocket.chat to be lightyears easier on administration/moderation then matrix. Admin rocket.chat is borderline enjoyable. Admin matrix was not. Additionally, the users i've talked to about ease of use (caveat only about 10) all preferred rocket hands down to element. Lastly, Rocket has the dankest GIFS.

@d19dotca I used the qualys vulnerability scanner community edition. You need to create an qualys account and use the actual vulnerability scanner. Also if you are running a firewall, you may have to unblock the qualys IP if it auto blocks it when it attempts various "scans' like checking for heartbleed etc. you can sign up for here https://www.qualys.com/community-edition/

@teamcrw I realized crowdsec isn't succesfully parsing the NGINX logs generated by cloudron because Cloudron uses a non standard /non default log format for NGINX. Working on that now.

@thetomester13 Yes. I think some people might prefer they own their own hardware but at the end of the day, as long as its very clear that they own all the data, its not being snooped on and very importantly the setup is easy, I think it would fit the bill. I'm running my own cloudron server hosted at home. I Run ad blocker as a docker in my router. If their was a service that could give my other non tech skilled family members the ability to do what I do without all the config hassle it would sell. Lots of families would jump on adblocker for instance if it was a part of a "one click" install family of apps.

I'm looking at the NGINX log format and I see that its a format called "combined2" and it appears to be slightly different the the default "combined" format. Is there a reason for this? I'm trying to get my crowdsec install to parse these logs but it seems to not parse them(prob due to the fact they appear to be of a custom format" Can i change this to default?

@mastadamus I've since got the logs to be parsed by taking out the custom "combined2" log format for nginx.conf. If this is to be shipped with cloudron it would either require to have custom parsers written OR the nginx.conf for cloudron would need to use default combined log format.

I am using an iptable bouncer and i'm not sure if it will perform block actions on the iptables based of something triggerd by nginx. I will dig further into that. That being said, it is fullfulling the role fail2ban would normally play and is working appropriately.

I downloaded a Fleet Osquery agent from my Security Onion manager then SFTP it over to my cloudron server. I then attempted to install it using apt install. It said it was incorrect file type. I used gdebi and it installed. I now can remote query my cloudron server and it shows up in my Kolide Fleet. Logs are now retrieved and it does a group of queries on a schedule.

@girish Is it possible to just use the basic default log format? I'm attempting to integrate crowdsec with cloudron NGINX..but the parser for crowdsec is looking for default NGINX log format. I'd have to write a new parser which admittedly I'm prob not able to do technically at this time. I gotta get stronger with the crowdsec parser format and grok.

@girish modsecurity waf can be used with open source version of nginx. You are right in that nginx plus is more robust but mod security with regular nginx still offers a decent degree of protection
Basic example

@brutalbirdie said in How to Take Cloudron Even Further:

There is more which I could mention, but these are just some thoughts of mine.
Check out this topic where peo

I think Cloudron is perfect entry point for a soft landing into self hosting. I'm a fulltime student, father, husband etc. and It would be very hard for me to be able to learn, implement, secure, manage all the services I'm using through Cloudron right now in my spare time. If it was my dedicated job? Sure I'd get it done, but I needed something that I could get working quickly, securely, and stable. Cloudron is pretty good in that regard. It lets me get something working, quickly then if I want to go further I can. For example- Adguard Home. I installed that in Cloudron. I liked it but I wanted to see if I could put it on my router with docker. I did that. In the meantime I had a working Adguard Home app running through Cloudron to test and eval.

@robi

user www-data;

# detect based on available CPU cores
worker_processes  auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections  4096;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format




    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not whole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second

    include applications/*.conf;
}

Id be very interested in this. This could integrate nicely with the chat options we already have like rocketchat and Element.

How difficult would it be to add the Modsecurity WAF for NGINX to the standard Cloudron NGINX build? And implementing the OWASP CRS ruleset? This would give the NGINX reverse Proxy some pretty capable WAF capabilities out of the box as well

https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-installation-logging/

https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/

@mastadamus As a bonus by changing the NGINX logs back to default, my Wazuh agent is now able to parse them fully and i'm getting full monitoring capability from wazuh for the NGINX.. I've even had 2 active response actions taken to block IP's by wazuh since i've switched. I think cloudron team should leave these at default TBH.

I'm trying to set up some apps on an external server and have them be able to utilize my cloudrons ldap BUT also do 2fa. Keycloak would go a long way here. I couldn't find a app request for this but I think this would be a great addition to the fold.

@mastadamus @girish do you know someone who might be able to help me figure out how to get the crowdsec metabase templates into the metabase app available to install from the cloudron store and connect them? IF we could make this happen, we would eliminate having to do this janky install of the crowdsec metabase docker container. Another possible alternative is to package up the crowdsec metabase image for cloudron? would that be possible?

@jk yeah I saw that. I just wanted to put it formally in app wishlist

@robi let me look into it. Need to see how I would interact with that list.

@girish Gotcha but as long as I don't do that, I should be gtg. Im just thinking of a script that does 3 things.

1. Grabs all the IP's from emerging threats block list
2. Grabs all the 403/404's from access logs sends them to greynoise to check if they are known "noise" and then
3. Add both of these IP groups to that file and restart the service.

NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.

@jlx89 this would be incredible!

I may need to test out Dolibarr for possible use by an organization i'm volunteering with. Any idea when we can expect a stable build? just wondering. Thank you.

I've tried sendgrid and mailgun. 1. They were both similiar in ease to configure. 2. Mailgun seems like a better deal for those not using a massive amount of emails a month.

@dark-shadow I run security onion on a separate machine. I don't think its applicable for cloudron. 1. it can't be containerized. its a stack of docker containers controlled by SALT. 2. It requires immense CPU/RAM/HD. For a small network you are looking at 4 cores min and at least 20gb ram. Additionally, You don't really want to put your security tools on the same subnet as your internet facing stuff.

@girish sir

BTW, I apologize for not using your dedicated vulnerability reporting method.

1. I just read up on it
2. I really thought it was due to a settings misconfiguration part on my end and a false alarm as well. I was initially just looking for Guidance on fixing what I set up wrong. In the future if it's vulnerability concerned, I'll use your reporting mechanisms.

@mastadamus IF you want it to grab cloudron specific logs, you gotta edit the ossec.conf file to give it a location of the logs as well.

@robi yeah I should have said "can't be easily containerized"
Security onion relies on a span port/mirror traffic getting to its analysis engines and is a pretty complicated beast. If cloudron can containerized the whole thing awesome but this is no small task lol.

@nebulon awesome. Thank yall for hopping on this. This was huge.

@privsec Have you installed this with your cloudron?

@girish yep and then you got to point it out your wazuh server using the ossec.conf file

@jdaviescoates Its heavily weaponized. Like if you have an app thats affected chances are its going to get popped if you leave it unmitigated. Broad array of actors are exploiting it.. from coin miners to more advanced threats. Grey noise is tracking the IP's associated with the threat campaigns and right now they are numerous.

@privsec huge fan of this idea.

@scooke the selling point would be data ownership, privacy, connectivity etc. I know a lot of family members who would absolutely love to share and use the environment that cloudron offers. With the productivity apps, the media apps, the communication platforms etc. Yet they lack the tech skills to build a server and self host or host at a VPS. A pre setup ready to go box that requires minimal setup on user part like registering a domain and maybe forwarding a port or two would be golden. I do agree though that the software isn't there yet and neither is the security. My home hosted cloudron actually gets 'attacked' multiple times daily. Those security features would have to be squared away big time to make it wide consumer product.

@privsec I'm already receiving exploit/scan attempts inbound. No successful exploits. I believe nothing in my cloudron stack uses it. I can't find any confirmation nextcloud does. If you find something i'd love it asap.

@teamcrw are you installing an nginx bouncer with it?

@rmdes I tried nginx bouncer BEFORE installing iptables bouncer and it crashed my nginx and wouldn't let me bring it up. I then reverted to previous image and installed iptables bouncer which works great.

@privsec I tested nextcloud with a log4j2 testing tool from huntress and I couldn't get it to callback to the ldap server so i think its gtg.

@mastadamus I'd like to give an update. I installed the NGINX bouncer and it took down cloudron's NGINX service. During the install it prompted me if i wanted to change several config files or leave the current file in place and I left my current config file in place yet it still crashed and refused to come back up. More investigation is necessary to make this work.

I haven't had a chance to finish the overall guide for the cloudron specific part but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, Elasticsearch cluster with X-Pack security, and multiple plugins as well as LDAP integration. you can find it here

OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy

OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI

If you just want to skip to how you integrate LDAP with OpenCTI docker-compose I will paste examples below

- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636
- PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LOCAL__STRATEGY=LocalStrategy