@girish Gotcha but as long as I don't do that, I should be gtg. Im just thinking of a script that does 3 things.
@girish If I add IP's to /home/yellowtent/platformdata/firewall/blocklist.txt will the automatically be blocked or will I need to restart the box service?
@micmc Yes you could easily take this script and use it for apache. The only think you need to do is look at your apache logs and see what position the source IP is in. the parts in the script where it does awk '{print $1}' etc. are telling it to grab the first position in the nginx log which happens to be the source IP for my particular logging configuration. so really the only think you would need to tailor/alter is the awk statements.
@fbartels greynoise just runs a big honeypot and sensor landscape that captures and catalogues internet scanning. whereas crowdsec is a community sourced reporting of both scanning and malicious actions. Greynoise I believe has a much larger dataset. Its primary purpose is to see if an IP is targeting just you or multiple entities.
@robi let me look into it. Need to see how I would interact with that list.
I wrote a script that can do the following.
You can find it here. Feel free to use/cut/slice tailor to your liking
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh
I wrote a script to update an ip blocklist in cloudflare. Even free cloudflare can have 1 free ip list. My script pulls down the emerging threats ip list, grep out the ip and then posts each one via the cloudflare iplist api.
You can adapt this script to retrieve ips from your fail2ban jail and then send them to cloudflare for block.
Feel free to adapt as you see fit
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview
I haven't had a chance to finish the overall guide for the cloudron specific part but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, Elasticsearch cluster with X-Pack security, and multiple plugins as well as LDAP integration. you can find it here
OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy
OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI
If you just want to skip to how you integrate LDAP with OpenCTI docker-compose I will paste examples below
- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636
- PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LOCAL__STRATEGY=LocalStrategy
NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.
In my cloudron dash it shows that i'm running the latest version of wordpress. Inside my wordpress dashboard though, it shows that i'm running 5.8.4. It prompts me to update it. Which is correct?
@girish Yeah thats what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie Helman. As far as I can determine currently the cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM diffie hellman as far as I know.
@mehdi Yeah WordPress is targeted frequently for sure. I think there are ways to harden it relatively speaking but it is a risk. I do think its similar though to "not using windows" because windows is so ubiquitous that tons of malware devs write for windows systems. I will check out Ghost though. Thank you.
Does anyone have any recommendations on solid resources to get proficient at creating Wordpress sites? I know how to stumble my way through it, but I'd like to get better as i'm considering starting a small side business building, securing, and maintaining websites for some local businesses. Has anyone made this a viable business? If so any recommendations? I just want to do it for some local businesses I know of that are in sore need of some web facing information and would benefit from basic cybersecurity.
For those of us who wish to capture our network traffic for inspection, It makes more sense for us to put a LB/reverse proxy in front of our cloudron and then terminate SSL/TLS at the LB and pass un encrypted to our Cloudron. Obviously for certain traffic where E2E encryption is preferred we can proxy pass https. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.
@BrutalBirdie I am working on it now and when I get done I will post it.
@jk yeah I saw that. I just wanted to put it formally in app wishlist
I successfully integrated my OpenCTI threat intel platform instance with my cloudron ldaps.
If anyone is doing a similar project, dm me if you need assistance.
I'm trying to set up some apps on an external server and have them be able to utilize my cloudrons ldap BUT also do 2fa. Keycloak would go a long way here. I couldn't find a app request for this but I think this would be a great addition to the fold.
Nevermind I fixed it by doing the following.
log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent"' ;
access_log /var/log/nginx/access.log main;
I have a NGINX reverse proxy in front of Cloudron due to the fact I have multiple VM's to proxy to and only one Public IP. Everything is working correctly. I am using NGINX proxy manager. I can visit all my Cloudron sites. My only problem is this.. In the NGINX logs on my Cloudron box, it shows the source IP of traffic as the internal IP address of my external NGINX Proxy manager. Nginx proxy manager should be configured for x-forwarded for headers but it seems like the NGINX on the cloudron box isn't using the x-forwarded for header as the source. Do you guys have any idea why or how to fix it?
@girish I ended up configuring a forward lookup zone and forward all requests to my other internal dns server and now it works great. I will try some troubleshooting this week.
@Mastadamus Then I restart Unbound and boom.. can resolve mailgun. This last time it seemed only mail gun was affected. Previous times I couldn't even resolve google
@Mastadamus It just randomly can't resolve mailgun
@Mastadamus Also note, i've seen nothing blocked outbound from my firewall for this host.
Note, my cloudron build is on ubuntu 20.04. This is a fresh install. I've SSH' on the box and curl'd google when I started having DNS troubles, and it wouldn't resolve. I restarted unbound(even though it was showing green) and It immediately started working. If i wait a period of time, something breaks again, and I start having resolver issues.
I think something is going wrong with my new cloudron build. First I ran into DNS issues with the install script and had to do --redo.. Now I've had the email outbound SMTP randomly turn red and give me a "getaddrinfo EAI_AGAIN smtp.mailgun.org:587" error. I also have things like Rocketchat gif plugins start failing to find gifs, and I also had a container update error.. All of this corrects itself when I restart unbound. I've checked the unbound logs though and I see no issues. Any ideas?
@girish yeah it seems to be working great now. Also kudos to your migration process. Restoring from backup was not 2 bad
@girish home network. Same home network as the previous cloudron which is still working
@nebulon I could resolve it.
I ran the install script again with --redo and it worked.
Ubuntu 20.04 LTS fresh build. I am trying to rebuild my cloudron on a new server which I will then restore from backup .
I keep getting to the spot where it downloads containers then I get the following error message:
for image in ${images}; do
docker pull "${image}"
docker pull "${image%@sha256:}" # this will tag the image for readability
done
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
"https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolutionfor image in ${images}; do
docker pull "${image}"
docker pull "${image%@sha256:}" # this will tag the image for readability
done
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
"https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
I can curl "https"//registry-1.docker.io/v2/ from the CLI after the script fails and it returns:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
So this makes me think name resolution is good?
Any help?
I would love to see nginxproxymanager bundled with cloudron.
This would allow us to use cloudron as a easily configured reverse proxy for other services or apps that may not reside on the cloudron server.
I.e cloudron has my public ip and then serves up cloudron apps and proxy pass any traffic destined for other apps on other servers in my internal network.
@girish I got home and ran systemctl restart box from SSH and it brought up all services and then the apps configured correctly.
@girish I'll need to whitelist your ip on my firewall can you dm me which ip to whitelist for ssh?
@girish unfortunately, I'm camping and do not have a laptop. I can't ssh at moment but I will when I return.
About all I can do at moment, is access my dashboard from my phone and my firewall from my app.
Is there a way to get cli via web console ?
My cloudron updated yesterday and ever since my apps are stuck in "configuring " queue state.
Graphite, mongodb, after, and redis are red.
I've tried rebooting twice. no luck.
Any suggestions?
@fbartels prob with crowdsec is that it can't intercept an attack. It acts after the fact, whereas a waf can filter.
@girish modsecurity waf can be used with open source version of nginx. You are right in that nginx plus is more robust but mod security with regular nginx still offers a decent degree of protection
Basic example
It would be awesome to incorporate a application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in cloudron? that would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
@rmdes I tried nginx bouncer BEFORE installing iptables bouncer and it crashed my nginx and wouldn't let me bring it up. I then reverted to previous image and installed iptables bouncer which works great.
@rmdes I installed iptables bouncer and its working great. The nginx bouncer messed up my nginx service though and caused it not to start. I was not able to get nginx bouncer working.
@mastadamus @girish do you know someone who might be able to help me figure out how to get the crowdsec metabase templates into the metabase app available to install from the cloudron store and connect them? IF we could make this happen, we would eliminate having to do this janky install of the crowdsec metabase docker container. Another possible alternative is to package up the crowdsec metabase image for cloudron? would that be possible?
sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
(during the installation process Crowdsec install should install the appropriate "collections" which consists of parsers, and rules for the log sources on your cloudron.
user www-data;
# detect based on available CPU cores
worker_processes auto;
# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;
pid /run/nginx.pid;
events {
# a single worker has these many simultaneous connections max
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
# the collectd config depends on this log format
# required for long host names
server_names_hash_bucket_size 128;
access_log /var/log/nginx/access.log combined;
sendfile on;
# timeout for client to finish sending headers
client_header_timeout 30s;
# timeout for reading client request body (successive read timeout and not w hole body!)
client_body_timeout 60s;
# keep-alive connections timeout in 65s. this is because many browsers timeo ut in 60 seconds
keepalive_timeout 65s;
# zones for rate limiting
limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 req uest a second
include applications/*.conf;
sudo apt install crowdsec-firewall-bouncer-iptables
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec
sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password < insert password>
docker ps
sudo docker update --restart=unless-stopped <container ID number >
https://docs.crowdsec.net/docs/getting_started/install_crowdsec
@rmdes I'll put one together later tonight.
@robi yeah I should have said "can't be easily containerized"
Security onion relies on a span port/mirror traffic getting to its analysis engines and is a pretty complicated beast. If cloudron can containerized the whole thing awesome but this is no small task lol.
@dark-shadow I run security onion on a separate machine. I don't think its applicable for cloudron. 1. it can't be containerized. its a stack of docker containers controlled by SALT. 2. It requires immense CPU/RAM/HD. For a small network you are looking at 4 cores min and at least 20gb ram. Additionally, You don't really want to put your security tools on the same subnet as your internet facing stuff.
@mastadamus I'm happy to report that Crowdsec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with an firewall iptable bouncer it will auto block any ip belonging to an attempt it parses out.
crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25
@makemrproper my strategy now is to use iptables bouncer with nginx parser.
See my feature request for nginx log method though.. you have to revert cloudron nginx logs back to nginx default and not combined2 as they are normally or crowdsec parser won't work..
@makemrproper yeah I tried it twice and first time told it to keep original config and second time allowed modifications.. both times nginx refused to start and I couldn't figure out why.
@girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.
Currently logging in NGINX is set to combined2. This requires tools that rely on log parsers to have new log parsers developed to work with Combined2 format. Currently Crowdsec and Wazuh/ossec have troubles with combined2 format due to parsing issues. By simply changing the nginx conf log format section to default as referenced in this thread https://forum.cloudron.io/topic/6077/nginx-logs-format?_=1639325942653, both Wazuh/ossec agents can properly parse nginx logs and provide protection against malicious actors. Likewise, crowdsec will function and be able to provide blocking actions based on malicious activity observed in the nginx logs. Without this change, new parsers would have to be written for Wazuh/ossec, and crowdsec.
@privsec I tested nextcloud with a log4j2 testing tool from huntress and I couldn't get it to callback to the ldap server so i think its gtg.
@privsec I'm already receiving exploit/scan attempts inbound. No successful exploits. I believe nothing in my cloudron stack uses it. I can't find any confirmation nextcloud does. If you find something i'd love it asap.
@mastadamus As a bonus by changing the NGINX logs back to default, my Wazuh agent is now able to parse them fully and i'm getting full monitoring capability from wazuh for the NGINX.. I've even had 2 active response actions taken to block IP's by wazuh since i've switched. I think cloudron team should leave these at default TBH.
@jdaviescoates Its heavily weaponized. Like if you have an app thats affected chances are its going to get popped if you leave it unmitigated. Broad array of actors are exploiting it.. from coin miners to more advanced threats. Grey noise is tracking the IP's associated with the threat campaigns and right now they are numerous.
@nebulon awesome. Thank yall for hopping on this. This was huge.