Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes

@girish do we have a way to do this yet? Support for reverse proxies in front of cloudron?

@timconsidine if you want to route between the vlans and push them through the firewall you'll need to do a router on a stick configuration. That is where opnsense vlans will come into play. Unless u have a layer 3 switch.

I would absolutely love and use the hell out of this. heck i'd pay a bit for this.

@girish Any update on support reverse proxy or adding this logging config as default?

@girish Gotcha but as long as I don't do that, I should be gtg. Im just thinking of a script that does 3 things.

1. Grabs all the IP's from emerging threats block list
2. Grabs all the 403/404's from access logs sends them to greynoise to check if they are known "noise" and then
3. Add both of these IP groups to that file and restart the service.

@girish If I add IP's to /home/yellowtent/platformdata/firewall/blocklist.txt will the automatically be blocked or will I need to restart the box service?

@micmc Yes you could easily take this script and use it for apache. The only think you need to do is look at your apache logs and see what position the source IP is in. the parts in the script where it does awk '{print $1}' etc. are telling it to grab the first position in the nginx log which happens to be the source IP for my particular logging configuration. so really the only think you would need to tailor/alter is the awk statements.

@fbartels greynoise just runs a big honeypot and sensor landscape that captures and catalogues internet scanning. whereas crowdsec is a community sourced reporting of both scanning and malicious actions. Greynoise I believe has a much larger dataset. Its primary purpose is to see if an IP is targeting just you or multiple entities.

@robi let me look into it. Need to see how I would interact with that list.

I wrote a script that can do the following.

1. Check NGINX access.log for 404 and 403 response codes
2. Extract IP's associated and see if they are scanners/noise with the community greynoise API.
3. If they are noise, you can pass a -c flag and send them to a cloudflare IP block list to decrease "noise"
4. If they aren't classified as noise, it can then search the access logs for all activity by these IPs. It will then give a unique count of each URL attempted to be accessed and the response code so that you can perform long tail analysis.

You can find it here. Feel free to use/cut/slice tailor to your liking

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/GrabIPandCheck.sh

I wrote a script to update an ip blocklist in cloudflare. Even free cloudflare can have 1 free ip list. My script pulls down the emerging threats ip list, grep out the ip and then posts each one via the cloudflare iplist api.

You can adapt this script to retrieve ips from your fail2ban jail and then send them to cloudflare for block.

Feel free to adapt as you see fit

https://dev.azure.com/Mastadamus/_git/Cloudflare WAF Scripts?path=/README.md&_a=preview

I haven't had a chance to finish the overall guide for the cloudron specific part but I completed a guide for installing OpenCTI with Traefik, Elasticsearch, and lots of plugins. I also have a complete docker-compose for OpenCTI, Elasticsearch cluster with X-Pack security, and multiple plugins as well as LDAP integration. you can find it here

OpenCTI install guide
https://dev.azure.com/Mastadamus/OpenCTI/_wiki/wikis/OpenCTI.wiki/3/OpenCTI-with-Traefik-Reverse-Proxy

OpenCTI GIT that contains my templates
https://dev.azure.com/Mastadamus/_git/OpenCTI

If you just want to skip to how you integrate LDAP with OpenCTI docker-compose I will paste examples below

- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldaps://Your.Domain.Name:636
- PROVIDERS__LDAP__CONFIG__BIND_DN={{`cn=admin,ou=system,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE={{`ou=users,dc=YourLDAPserverName`}}
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(cn={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LOCAL__STRATEGY=LocalStrategy

NVM I found a thread that answer this. Based on my current understanding, the cloudron dashboard shows cloudron package updates. For wordpress core in developer edition we have to control that update.

In my cloudron dash it shows that i'm running the latest version of wordpress. Inside my wordpress dashboard though, it shows that i'm running 5.8.4. It prompts me to update it. Which is correct?

@girish Yeah thats what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie Helman. As far as I can determine currently the cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM diffie hellman as far as I know.

what about cloudflare tunnels?

@mehdi Yeah WordPress is targeted frequently for sure. I think there are ways to harden it relatively speaking but it is a risk. I do think its similar though to "not using windows" because windows is so ubiquitous that tons of malware devs write for windows systems. I will check out Ghost though. Thank you.

Does anyone have any recommendations on solid resources to get proficient at creating Wordpress sites? I know how to stumble my way through it, but I'd like to get better as i'm considering starting a small side business building, securing, and maintaining websites for some local businesses. Has anyone made this a viable business? If so any recommendations? I just want to do it for some local businesses I know of that are in sore need of some web facing information and would benefit from basic cybersecurity.

For those of us who wish to capture our network traffic for inspection, It makes more sense for us to put a LB/reverse proxy in front of our cloudron and then terminate SSL/TLS at the LB and pass un encrypted to our Cloudron. Obviously for certain traffic where E2E encryption is preferred we can proxy pass https. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.

@BrutalBirdie I am working on it now and when I get done I will post it.