Posts made by Mastadamus
-
RE: Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes
@girish do we have a way to do this yet? Support for reverse proxies in front of Cloudron?
-
RE: VLAN : on Opnsense or switch or both?
@timconsidine If you want to route between the VLANs and push them through the firewall, you'll need to do a router-on-a-stick configuration. That is where OPNsense VLANs will come into play, unless you have a layer 3 switch.
-
RE: FreeTAKServer for ATAK - Mesh Geo Information System
I would absolutely love and use the hell out of this. Heck, I'd pay a bit for this.
-
RE: X-Forwarded-For Header
@girish Any update on supporting a reverse proxy or adding this logging config as the default?
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@girish Gotcha, but as long as I don't do that, I should be gtg. I'm just thinking of a script that does 3 things.
- Grabs all the IPs from the Emerging Threats block list
- Grabs all the 403/404s from the access logs and sends them to GreyNoise to check if they are known "noise", and then
- Adds both of these IP groups to that file and restarts the service.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@girish If I add IPs to /home/yellowtent/platformdata/firewall/blocklist.txt, will they automatically be blocked or will I need to restart the box service?
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@micmc Yes, you could easily take this script and use it for Apache. The only thing you need to do is look at your Apache logs and see what position the source IP is in. The parts in the script where it does
awk '{print $1}'
etc. are telling it to grab the first position in the nginx log, which happens to be the source IP for my particular logging configuration. So really the only thing you would need to tailor/alter is the awk statements.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@fbartels GreyNoise just runs a big honeypot and sensor landscape that captures and catalogues internet scanning, whereas CrowdSec is community-sourced reporting of both scanning and malicious actions. GreyNoise, I believe, has a much larger dataset. Its primary purpose is to see if an IP is targeting just you or multiple entities.
-
RE: Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
@robi let me look into it. Need to see how I would interact with that list.
-
Script to check nginx access logs for 403, 404 and check IP's with greynoise API then send to cloudflare.
I wrote a script that can do the following:
- Check the NGINX access.log for 404 and 403 response codes
- Extract the associated IPs and see if they are scanners/noise with the community GreyNoise API.
- If they are noise, you can pass a -c flag and send them to a Cloudflare IP block list to decrease "noise"
- If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.
You can find it here. Feel free to use/cut/slice/tailor to your liking:
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh
-
Script to automatically update cloudflare ip blocklist
I wrote a script to update an IP blocklist in Cloudflare. Even free Cloudflare can have 1 free IP list. My script pulls down the Emerging Threats IP list, greps out the IPs and then posts each one via the Cloudflare IP list API.
You can adapt this script to retrieve IPs from your fail2ban jail and then send them to Cloudflare for blocking.
Feel free to adapt as you see fit:
https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview
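Both scripts above are only linked, so here is an added example in the same spirit (my own code, not the author's GrabIPandCheck.sh or Cloudflare updater): it collects client IPs that drew 403/404 responses from an nginx access.log in the stock "combined" format (IP in field 1, status in field 9), or addresses from a block-list feed, classifies them with the GreyNoise community API, pushes confirmed scanner noise to a Cloudflare IP list in one batched request, and prints a per-IP request/status count for the rest. It assumes GREYNOISE_KEY, CF_API_TOKEN, CF_ACCOUNT_ID and CF_LIST_ID are exported; the sample log is constructed from documentation addresses.

```shell
#!/bin/sh
# Added example (not the author's GrabIPandCheck.sh): take client IPs that drew
# 403/404 responses in an nginx access.log, or addresses from a block-list feed
# such as Emerging Threats, classify them with the GreyNoise community API and
# push confirmed scanner "noise" to a Cloudflare IP list in one batched call.
# Assumes nginx's "combined" log format (client IP is field 1, status field 9)
# and that GREYNOISE_KEY, CF_API_TOKEN, CF_ACCOUNT_ID and CF_LIST_ID are set.
set -eu
export LC_ALL=C   # deterministic sort order

# Unique client IPs with at least one 403 or 404 response.
suspect_ips() {  # $1 = access log
    awk '$9 == 403 || $9 == 404 { print $1 }' "$1" | sort -u
}

# Addresses or CIDR ranges from a feed file; '#' comment lines are skipped.
extract_ips() {  # $1 = feed file
    grep -v '^#' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' | sort -u
}

# Long-tail report: "<count> <ip> <path> <status>" for the IPs given on stdin,
# grouped per IP with the most frequent request first.
long_tail() {  # $1 = access log, IPs on stdin
    awk -v ips="$(cat)" 'BEGIN { n = split(ips, a, "\n"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { hits[$1 " " $7 " " $9]++ }
        END { for (k in hits) print hits[k], k }' "$1" | sort -k2,2 -k1,1nr
}

# GreyNoise community lookup: prints noise, riot or unknown for one IP.
greynoise_class() {  # $1 = IP
    curl -sS -H "key: $GREYNOISE_KEY" "https://api.greynoise.io/v3/community/$1" |
        jq -r 'if .noise then "noise" elif .riot then "riot" else "unknown" end'
}

# Append the IPs on stdin to the Cloudflare list as one request (not one per IP).
cloudflare_block() {
    jq -Rn '[inputs | select(length > 0) | {ip: ., comment: "nginx 403/404 noise"}]' |
        curl -sS -X POST -H "Authorization: Bearer $CF_API_TOKEN" \
            -H 'Content-Type: application/json' --data-binary @- \
            "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT_ID/rules/lists/$CF_LIST_ID/items"
}

# Constructed sample log (RFC 5737 documentation addresses) for offline runs.
sample_log() {  # $1 = path to write
    cat > "$1" <<'EOF'
203.0.113.7 - - [17/Dec/2021:07:55:25 +0000] "GET /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2021:07:55:26 +0000] "GET /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2021:07:55:27 +0000] "GET /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Dec/2021:07:56:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.26"
192.0.2.1 - - [17/Dec/2021:07:57:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.1 - - [17/Dec/2021:07:57:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh check.sh ACCESS_LOG [-c]  -> noise IPs (pushed to Cloudflare with
# -c), then the long-tail report for the remaining 403/404 sources.
if [ $# -gt 0 ]; then
    noise=""; rest=""
    for ip in $(suspect_ips "$1"); do
        if [ "$(greynoise_class "$ip")" = noise ]; then noise="$noise $ip"; else rest="$rest $ip"; fi
    done
    if [ "${2:-}" = -c ]; then printf '%s\n' $noise | cloudflare_block; else printf '%s\n' $noise; fi
    printf '%s\n' $rest | long_tail "$1"
fi
```

For Apache or a different nginx log_format, only the field numbers in suspect_ips and long_tail change, exactly as the author notes about the awk statements in the original script.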
-
RE: Cloudron external ldaps with OpenCTI
I haven't had a chance to finish the overall guide for the Cloudron-specific part, but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, an Elasticsearch cluster with X-Pack security, and multiple plugins, as well as LDAP integration. You can find it here:
OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy
OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI
If you just want to skip to how you integrate LDAP with the OpenCTI docker-compose, I will paste examples below:
- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636
- PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LOCAL__STRATEGY=LocalStrategy
-
RE: Wordpress developer site shows non updated
NVM, I found a thread that answers this. Based on my current understanding, the Cloudron dashboard shows Cloudron package updates. For WordPress core in the developer edition we have to control that update.
-
Wordpress developer site shows non updated
In my Cloudron dash it shows that I'm running the latest version of WordPress. Inside my WordPress dashboard, though, it shows that I'm running 5.8.4. It prompts me to update it. Which is correct?
-
RE: Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes
@girish Yeah, that's what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM Diffie-Hellman as far as I know.
-
RE: Training or instruction on creating Wordpress sites?
@mehdi Yeah, WordPress is targeted frequently for sure. I think there are ways to harden it, relatively speaking, but it is a risk. I do think it's similar, though, to "not using Windows" because Windows is so ubiquitous that tons of malware devs write for Windows systems. I will check out Ghost though. Thank you.
-
Training or instruction on creating Wordpress sites?
Does anyone have any recommendations on solid resources to get proficient at creating WordPress sites? I know how to stumble my way through it, but I'd like to get better as I'm considering starting a small side business building, securing, and maintaining websites for some local businesses. Has anyone made this a viable business? If so, any recommendations? I just want to do it for some local businesses I know of that are in sore need of some web-facing information and would benefit from basic cybersecurity.
-
Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes
For those of us who wish to capture our network traffic for inspection, it makes more sense for us to put a LB/reverse proxy in front of our Cloudron and then terminate SSL/TLS at the LB and pass unencrypted traffic to our Cloudron. Obviously, for certain traffic where E2E encryption is preferred, we can proxy pass HTTPS. It would be nice if we had the ability to select whether or not we want to also serve on port 80.
-
RE: Cloudron external ldaps with OpenCTI
@BrutalBirdie I am working on it now and when I get done I will post it.
-
RE: Keycloak
@jk yeah I saw that. I just wanted to put it formally in app wishlist
-
Cloudron external ldaps with OpenCTI
I successfully integrated my OpenCTI threat intel platform instance with my Cloudron LDAPS.
If anyone is doing a similar project, DM me if you need assistance.
-
Keycloak
I'm trying to set up some apps on an external server and have them be able to utilize my Cloudron's LDAP BUT also do 2FA. Keycloak would go a long way here. I couldn't find an app request for this, but I think this would be a great addition to the fold.
-
RE: X-Forwarded-For Header
Nevermind, I fixed it by doing the following.
- Added this configuration to the http {} section of the nginx.conf file in /etc/nginx/nginx.conf
log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent "$http_referer" '
                '"$http_user_agent"';
access_log /var/log/nginx/access.log main;
-
X-Forwarded-For Header
I have an NGINX reverse proxy in front of Cloudron due to the fact that I have multiple VMs to proxy to and only one public IP. Everything is working correctly. I am using NGINX Proxy Manager. I can visit all my Cloudron sites. My only problem is this: in the NGINX logs on my Cloudron box, it shows the source IP of traffic as the internal IP address of my external NGINX Proxy Manager. NGINX Proxy Manager should be configured for X-Forwarded-For headers, but it seems like the NGINX on the Cloudron box isn't using the X-Forwarded-For header as the source. Do you guys have any idea why or how to fix it?
-
RE: I believe I'm having issues with DNS
@girish I ended up configuring a forward lookup zone that forwards all requests to my other internal DNS server, and now it works great. I will try some troubleshooting this week.
-
RE: I believe I'm having issues with DNS
@Mastadamus Then I restart Unbound and boom, I can resolve Mailgun. This last time it seemed only Mailgun was affected. Previous times I couldn't even resolve Google.
-
RE: I believe I'm having issues with DNS
@Mastadamus It just randomly can't resolve Mailgun.
-
RE: I believe I'm having issues with DNS
@Mastadamus Also note, I've seen nothing blocked outbound from my firewall for this host.
-
RE: I believe I'm having issues with DNS
Note, my Cloudron build is on Ubuntu 20.04. This is a fresh install. I've SSH'd onto the box and curl'd Google when I started having DNS troubles, and it wouldn't resolve. I restarted Unbound (even though it was showing green) and it immediately started working. If I wait a period of time, something breaks again, and I start having resolver issues.
-
I believe I'm having issues with DNS
I think something is going wrong with my new Cloudron build. First I ran into DNS issues with the install script and had to do --redo. Now I've had the outbound SMTP email randomly turn red and give me a "getaddrinfo EAI_AGAIN smtp.mailgun.org:587" error. I also have things like Rocket.Chat GIF plugins start failing to find GIFs, and I also had a container update error. All of this corrects itself when I restart Unbound. I've checked the Unbound logs, though, and I see no issues. Any ideas?
-
RE: Cloudron Install fails.
@girish Yeah, it seems to be working great now. Also, kudos on your migration process. Restoring from backup was not too bad.
-
RE: Cloudron Install fails.
@girish Home network. Same home network as the previous Cloudron, which is still working.
-
RE: Cloudron Install fails.
@nebulon I could resolve it.
I ran the install script again with --redo and it worked.
-
Cloudron Install fails.
Ubuntu 20.04 LTS fresh build. I am trying to rebuild my Cloudron on a new server, which I will then restore from backup.
I keep getting to the spot where it downloads containers, then I get the following error message:
for image in ${images}; do
    docker pull "${image}"
    docker pull "${image%@sha256:*}" # this will tag the image for readability
done
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
I can curl https://registry-1.docker.io/v2/ from the CLI after the script fails and it returns:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
So this makes me think name resolution is good?
Any help?
-
Nginxproxymanager
I would love to see nginxproxymanager bundled with Cloudron.
This would allow us to use Cloudron as an easily configured reverse proxy for other services or apps that may not reside on the Cloudron server.
I.e., Cloudron has my public IP and then serves up Cloudron apps and proxy passes any traffic destined for other apps on other servers in my internal network.
-
RE: Apps won't come up after update.
@girish I got home and ran systemctl restart box from SSH, and it brought up all services and then the apps configured correctly.
-
RE: Apps won't come up after update.
@girish I'll need to whitelist your IP on my firewall. Can you DM me which IP to whitelist for SSH?
-
RE: Apps won't come up after update.
@girish Unfortunately, I'm camping and do not have a laptop. I can't SSH at the moment, but I will when I return.
About all I can do at the moment is access my dashboard from my phone and my firewall from my app.
Is there a way to get a CLI via the web console?
-
Apps won't come up after update.
My Cloudron updated yesterday and ever since my apps are stuck in the "configuring" queue state.
Graphite, mongodb, after, and redis are red.
I've tried rebooting twice. No luck.
Any suggestions?
-
RE: Incorporate a WAF built into cloudron
@fbartels The problem with CrowdSec is that it can't intercept an attack. It acts after the fact, whereas a WAF can filter.
-
RE: Incorporate a WAF built into cloudron
@girish ModSecurity WAF can be used with the open source version of nginx. You are right in that NGINX Plus is more robust, but ModSecurity with regular nginx still offers a decent degree of protection.
Basic example
-
Incorporate a WAF built into cloudron
It would be awesome to incorporate an application-level WAF so we can get some WAF coverage if we are self-hosted. ModSecurity can be integrated with the standard version of NGINX, I believe. Here is a link to a setup guide for containerized nginx with ModSecurity. Could we get something like this in Cloudron? That would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
-
RE: Crowdsec Install guide for cloudron purposes
@rmdes I tried the nginx bouncer BEFORE installing the iptables bouncer and it crashed my nginx and wouldn't let me bring it up. I then reverted to the previous image and installed the iptables bouncer, which works great.
-
RE: Crowdsec Install guide for cloudron purposes
@rmdes I installed the iptables bouncer and it's working great. The nginx bouncer messed up my nginx service, though, and caused it not to start. I was not able to get the nginx bouncer working.
-
RE: Crowdsec Install guide for cloudron purposes
@mastadamus @girish Do you know someone who might be able to help me figure out how to get the CrowdSec Metabase templates into the Metabase app available to install from the Cloudron store and connect them? If we could make this happen, we would eliminate having to do this janky install of the CrowdSec Metabase Docker container. Another possible alternative is to package up the CrowdSec Metabase image for Cloudron? Would that be possible?
-
Crowdsec Install guide for cloudron purposes
Install CrowdSec, the iptables bouncer, and the log4j detection collection on Cloudron, and reconfigure the Cloudron nginx conf for default logging.
Install crowdsec
sudo curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
(During the installation process, the CrowdSec install should install the appropriate "collections", which consist of parsers and rules for the log sources on your Cloudron.)
Edit nginx.conf file to put in default logging.
- SSH into your Cloudron
- Using the text editor of your choice, open the nginx.conf file found at /etc/nginx/nginx.conf
- We want to change the logging section to look like it does in this example nginx.conf file.
user www-data;

# detect based on available CPU cores
worker_processes auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for upstream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192;

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # the collectd config depends on this log format
    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined;

    sendfile on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not whole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
    keepalive_timeout 65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 requests a second

    include applications/*.conf;
}
Install bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
Install Log4j Collection
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec
Installation of crowdsec metabase docker dashboard
- To install the Docker container on port 8181 (you may change this as desired). Note: this should be for internal network access only. Do not open this up to the internet. It may be better to try to integrate this with the Metabase app that comes with Cloudron, available in the app store. I haven't dug into that yet, though.
sudo cscli dashboard setup -l 0.0.0.0 -p 8181 --password <insert password>
- To make it persistent:
- Identify the crowdsec/metabase container ID number
docker ps
- Persistent command
sudo docker update --restart=unless-stopped <container ID number>
Access metabase
- You can access Metabase by navigating to http://yourIP:8181
- Your credentials will be crowdsec@crowdsec.net and whatever password you set.
References:
https://docs.crowdsec.net/docs/getting_started/install_crowdsec
-
RE: Log4j and log4j2 library vulnerability
@rmdes I'll put one together later tonight.
-
RE: Security Onion for threat hunting, network security monitoring, and log management.
@robi Yeah, I should have said "can't be easily containerized".
Security Onion relies on a SPAN port/mirrored traffic getting to its analysis engines and is a pretty complicated beast. If Cloudron can containerize the whole thing, awesome, but this is no small task lol.
-
RE: Security Onion for threat hunting, network security monitoring, and log management.
@dark-shadow I run Security Onion on a separate machine. I don't think it's applicable for Cloudron. 1. It can't be containerized; it's a stack of Docker containers controlled by Salt. 2. It requires immense CPU/RAM/HD. For a small network you are looking at 4 cores min and at least 20 GB RAM. Additionally, you don't really want to put your security tools on the same subnet as your internet-facing stuff.
-
RE: Log4j and log4j2 library vulnerability
@mastadamus I'm happy to report that CrowdSec successfully responded to a log4j exploit scanner. If you set up your nginx log configuration per my post in support, and install the nginx collection as well as the log4j2 collection with a firewall iptables bouncer, it will auto-block any IP belonging to an attempt it parses out.
crowdsec crowdsecurity/apache_log4j2_cve-2021-44228 Ip 45.83.65.33 2021-12-17 07:55:25 2021-12-17 07:55:25
-
RE: Implement Crowdsec, a docker and sever level crowd sourced security guard
@makemrproper My strategy now is to use the iptables bouncer with the nginx parser.
See my feature request for the nginx log method, though: you have to revert the Cloudron nginx logs back to the nginx default and not combined2 as they are normally, or the CrowdSec parser won't work.
-
RE: Implement Crowdsec, a docker and sever level crowd sourced security guard
@makemrproper Yeah, I tried it twice: the first time I told it to keep the original config and the second time I allowed modifications. Both times nginx refused to start and I couldn't figure out why.
-
RE: Log4j and log4j2 library vulnerability
@girish The minimum patch to rectify the log4j2 issues is 2.16. 2.15 is affected by a CVSS 9.0 RCE in some instances.
-
Implement default NGINX logging
Currently, logging in NGINX is set to combined2. This requires tools that rely on log parsers to have new log parsers developed to work with the combined2 format. Currently CrowdSec and Wazuh/OSSEC have trouble with the combined2 format due to parsing issues. By simply changing the nginx conf log format section to the default, as referenced in this thread https://forum.cloudron.io/topic/6077/nginx-logs-format?_=1639325942653, Wazuh/OSSEC agents can properly parse nginx logs and provide protection against malicious actors. Likewise, CrowdSec will function and be able to provide blocking actions based on malicious activity observed in the nginx logs. Without this change, new parsers would have to be written for Wazuh/OSSEC and CrowdSec.
-
RE: Log4j and log4j2 library vulnerability
@privsec I tested Nextcloud with a log4j2 testing tool from Huntress and I couldn't get it to call back to the LDAP server, so I think it's gtg.