[security] backdoor in upstream xz/liblzma

I think I saw on the ubuntu forum that the 22.04 version had 5.4.x. So we can quietly breathe a sigh of relief. And in the future version 24.04 it already had a faulty version and then they started to fix it as it became known about this problem.

EDIT: https://ubuntu.com/security/CVE-2024-3094

Forum: https://askubuntu.com/questions/1509015/is-ubuntu-affected-by-the-xz-backdoor-compromise

@mmtrade

Yahoo rejects your emails due to fresh domain registration.
Some popular email blockers from 1 to 6 months depending on the domain tld. A good solution to this problem is to send from yahoo email, icloud, gmail etc to your own email.
Send a normal long text message once a day and you can't send in bulk to start with from your mail because then they will permamently block your IP address.
At my place with a .cloud domain, I had a problem receiving iCloud emails for six months.

On top of that, Contabo IP addresses are popular among e-mail providers as spam servers.

A cool solution in terms of security even on providers without an external firewall is "Match user" with "List Address" in the SSH configuration. You could use with a VPN and not have to worry about attacks.

In my spare time on a test server I played around with it, but until today I could not enable it. With the various configurations given on the internet it throws an error about an error every time.

You have to update to version 24.04 yourself.

https://docs.cloudron.io/guides/upgrade-ubuntu-24/

I personally made a second server with Ubuntu 24.04 and did a Cloudron restore using a backup.

While testing CDN in Bunny, I confirm the problem. You need to add a cofiguration to the nginx/apache config file in this case, so that the CDN does not take the "ghost" folder.

I no longer remember if there is an option in the new version of the Bunny panel, where you can select what folders it should not take.

The final solution as I wrote above add the config.
https://www.keycdn.com/support/ghost-cdn-integration

I see you've found a solution, but you don't just add here, you need to change in other places too. I will add all the possible settings of what you need to set, so that other people know how to set it. Sorry that it took a long time. But my private life has been pounding me

I see you've added another post about it

If you want good security then set up as below. This is the way I use on all servers and where possible on the provider's external firewall I restrict the port on the VPN IP.

PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

prohibit-password - This they started using from version 22.04 as a new security method.

KbdInteractiveAuthentication is the newer line that replaces "ChallengeResponseAuthentication"

Changing port 22 to 202 doesn't make the attack more secure, hackers have started scanning all ports that send back a header that SSH is running on that port.

You have to uncomment the line to make it work.

I am reporting a problem with version 7.5.0:

• No exact number of web token
  

• Having a background, the expanded list is hidden
  

In Ubuntu 24.04 the restart does not work with "systemctl restart sshd", but only with "systemctl restart ssh.service".

Welcome,
I am in the process of looking for a solution to restrict the SSH port outside the firewall, as it is known to be dynamically changed by Cloudron.

After removing the support for TCP Wrappers, I searched for various solutions on how to restrict access through configurations in ‘sshd_config’. The result? Not satisfactory. Completely nothing worked.

While browsing around here and I found a post that you can edit the ‘/home/yellowtent/platformdata/firewall/ports.json’ file and then this will add to the dynamic firewall system.

I was pleased to see that this is a possibility, but a question. Can I add with a public IP address?

Why am I doing this? I want to migrate a server to my country that don't have a firewall system, like at Hetzner, where on all servers I restrict port 22 to a VPN address for security.

I just got access to the test already. I currently have it connected to Nextcloud as an external drive. So far it looks promising Very fast processing ie uploading large files from the server to disk storage and downloading.

The speed is affected as you wrote disk, and may even be poor quality network hardware hosting. I, too, experience poor quality Contabo network at my place. I had better performance on Hetzner Cloud and plan to return.

Basic question:

• Which server parameters and which provider?
• Which provider of object storage?
• How much memory and processor limit allocated?

@humptydumpty

Still I forgot to add that a few hosting e.g. OVH, that has the username ubuntu instead of root. This yet they added the parameter ‘PasswordAuthenication’ in another place, this causes a conflict with the automation with the Cloudron panel for easy key management and security.

@girish Yes these are the certificates issued yesterday, because I put the server back up last night to move the applications from the old server. It was fine with the certificate until this morning. At work, the certificate started failing. I did a certificate refresh several times, cleared the browser and tests on several office devices and the error continues to appear.

EDIT: Now I reinstalled Cloudron but with manual settings for the domain with a Polish provider and it works fine so far. The certificate generates and displays without error. We will see in a few hours.

For the past two days I've also been having trouble connecting to the forum. It happens when I am connected to LTE (T-Mobile PL).

Being at home having fiber optic, it works without a problem or at work with phone line internet without a problem.

It looks more like a global connection problem with some carriers because the forum is located USA and I live in Europe.

@humptydumpty
Not only on home servers, also OVH and Vultr. Additional files will definitely be with local providers.

In this file "50-cloud-init.conf" as it actually is, I simply delete the line

@girish
I seem to have found the cause. It is probably related to the API of the domain providers. I did a test with 3 providers.

Hetzner DNS - no problem
GoDaddy - problem
Manual (domeny.tv) - no problem

EDIT: Sorry for the edit. One more test I did I used the domain that is in GoDaddy, having my.yyy.xxx-xxx.tld for manual settings. An error appears with the certificate! I have a feeling it's a problem with GoDaddy DNS or by the "-" in the domain.

The documentation says that it must be the same version of Cloudron i.e. 7.4.3

It doesn't matter what the Ubuntu version is, the Cloudron version is important.

Hi,

I'm writing another topic a little related to the certificate, and I do not know if other people have a similar problem.

For the past month I have noticed that on a Windows computer, I happen to have 11.
Having the certificate from Let's Encrypt and enabled protection built into Chrome when logging into the manager via web, it doesn't want to load the database at all. Testing on a laptop where I have Linux Mint - it works without a problem.

Going back to Windows 11, for the test I turned off protection in Chrome - it started to load the database correctly.

After this test, I thought I would upload the paid certificate that I still have until November (RSA4096) it started to load the database correctly with protection enabled in Chrome on Windows 11.

I'm wondering why Let's Encrypt on Windows with Chrome protection enabled is affecting the Vaultwarden malfunction Adding to that, in the desktop app and the browser extension works without a problem.