Cloudron Forum


NetwarSystem (@NetwarSystem)

Posts: 5 · Topics: 2 · Shares: 0 · Groups: 0 · Followers: 0 · Following: 0

Posts


  • serious Cloudflare goof
    NetwarSystem

    @jdaviescoates

    This isn't a complex issue and I'm amazed in 2023 to find anyone that admits they don't understand the problem.

    When a client registers a domain, they use the proxy registration service. This protects them from malicious prosecution attempts, frivolous litigation, and the like. I have clients who've faced this sort of thing in the last year.

    When establishing hosting for the domain, the system is protected with the Cloudflare CDN. This interdicts not just denial of service, it also thwarts a lot of intrusion attempts. A little more care in the form of static routing for just what needs to be reached raises the bar even higher.

    So when Cloudron just haphazardly exposes an actual public IP in connection with a DNS name, simply turning proxy back on doesn't solve the problem, because that information is then available in tools like Farsight or RiskIQ.

    The negative outcomes from the exposure of the hosting IP are numerous. An attacker intending DDoS goes directly at the actual IP, and the system quickly wilts under a barrage of packets.

    Starting with just that IP, the attacker will look for "fellow travelers" on the same IP address. If the set is small, they've identified a small hosting provider. If that doesn't produce a result, they'll expand the search to the entire /24. Vulnerable systems get cracked and they all catch that barrage of packets from a shell booter. Then the person renting the VPS or dedicated system gets expelled from their hosting provider.

    Given some public IPs, some domains, and a little bit of poking around, it's easy to profile the site builder, and find a service address for them.

    None of that is at all exotic. I get requests every week or so to identify who is operating a given site. I have not yet encountered someone using Cloudron, but given what I've seen of the system, it's a soft target that is completely unfit for any hazardous duty.

    If you want a concrete example of how one little DNS goof produces a catastrophe, I'd be happy to share the study I did on Josh Moon and the digital cesspool known as Kiwi Farms. One mistake, one day, a long time ago was enough of an opening for me to find everything that he was doing.

    Cloudron's offering of Cloudflare as a DNS provider without a big fat flashing WE CAN'T DO THIS SECURELY disclaimer is a serious hazard. Right now I've got it running for one project, in a low conflict area, on a system that is not quartered with anything else I do. There's no way I would use Cloudron for anything else, the inability to handle Cloudflare setups in a secure fashion is a deal killer for me.

    Support cloudflare

  • serious Cloudflare goof
    NetwarSystem

    @girish

    Cloudron mishandles Cloudflare by being unaware of the proxy option. I just discovered that, having manually turned proxy on for the first apps I chose, then adding a new app, Cloudron helpfully sets them both to just DNS.

    So worse than being unaware, it doesn't offer a secure option on setup, and it breaks things that were secured.

    Support cloudflare

  • serious Cloudflare goof
    NetwarSystem

    There is a serious problem with how Cloudron handles Cloudflare.

    I purchased a domain, configured Cloudflare for it, proxying the root of the domain itself. I aimed it at the IP address of a VPS where I'm installing Cloudron.

    During the install I pick Cloudflare as the DNS provider and give the system the API token.

    The Cloudron install proceeds and then it makes the amazingly grim error of pointing my.domain.com to the public IP of the VPS without proxying it.

    I went to the Cloudflare interface and switched it to proxy but the damage is already done. My workstation did a DNS lookup and that information is cached in services like Farsight and RiskIQ. Having Cloudflare running after the fact will keep the skiddies at bay, but any serious bad actor is going to be able to get that public IP.

    What will it take for Cloudron to turn the proxy on when creating the my.domain.com DNS record?

    Support cloudflare

  • Cloudron on ZFS
    NetwarSystem

    @necrevistonnezr The first one is very long and the author presumes readers may have heard about ZFS, but never used it. The second is much more sparse but still ... not 100% coverage.

    When I installed Docker on my workstation I ran into trouble, finally found that Docker wants to know the underlying file system type. Once that was done it just runs and automatically uses ZFS features.

    The steps to getting Cloudron using ZFS are as follows:

    Install Cloudron as you normally would.

    Stop Docker service & socket.

    Move /var/lib/docker to /var/lib/sinker.

    Create ZFS dataset.

    zfs set mountpoint=/var/lib/docker mydataset/whatever

    mv /var/lib/sinker/* /var/lib/docker

    Edit this file, replacing "overlay2" with "zfs"

    /etc/systemd/system/docker.service.d/cloudron.conf

    And then restart Docker. You'll find a bunch of child datasets, in my case for onetb/docker, as well as a bunch of snapshots of those datasets.

    Other than using the ZFS file system, I'm not sure what's going on here, but my setup is just for R&D, so I don't mind having spent a couple hours to get it going.

    Support zfs
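The migration steps from the post above, as an added shell example (not the poster's own script and not anything Cloudron ships). The dataset name onetb/docker, the /var/lib/sinker scratch directory, and the assumption that cloudron.conf names the driver as --storage-driver=overlay2 are assumptions; only the drop-in edit is a pure text change that can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example: move Cloudron's Docker storage onto a ZFS dataset,
# following the steps in the forum post. Run as root on the Cloudron host.
set -eu

DOCKER_DIR=/var/lib/docker
PARKED_DIR=/var/lib/sinker            # scratch location used in the post
DROPIN=/etc/systemd/system/docker.service.d/cloudron.conf
DATASET="${DATASET:-onetb/docker}"    # assumed pool/dataset name

# Report the storage driver a docker drop-in currently names (overlay2, zfs, ...).
# Assumes the drop-in passes the driver as a --storage-driver flag to dockerd.
current_storage_driver() {
    sed -n 's/.*--storage-driver[= ]\([a-z0-9]*\).*/\1/p' "$1" | head -n 1
}

# Replace overlay2 with zfs in the drop-in, keeping a .bak copy.
# Refuses to touch a file that does not mention overlay2, so it is safe to rerun.
patch_storage_driver() {
    file=$1
    if ! grep -q 'overlay2' "$file"; then
        echo "no overlay2 storage driver in $file; nothing to do" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    sed -i 's/overlay2/zfs/g' "$file"
}

# The full procedure: stop Docker, park the old directory, create and mount the
# dataset, move the data back, switch the driver, restart Docker.
migrate_docker_to_zfs() {
    systemctl stop docker.service docker.socket
    mv "$DOCKER_DIR" "$PARKED_DIR"
    zfs create "$DATASET"
    zfs set mountpoint="$DOCKER_DIR" "$DATASET"
    mv "$PARKED_DIR"/* "$DOCKER_DIR"/
    patch_storage_driver "$DROPIN"
    systemctl daemon-reload
    systemctl start docker.service
    docker info --format '{{.Driver}}'    # expected to report zfs
}

if [ "${1:-}" = "--run" ]; then
    migrate_docker_to_zfs
fi
```

Stopping Docker stops every Cloudron app, so run this in a maintenance window, and keep /var/lib/sinker until `docker info` confirms the zfs driver and the apps come back.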

  • Cloudron on ZFS
    NetwarSystem

    I am a new Cloudron user and most everything I have uses the ZFS file system. I have a Docker install on my desktop and I had to create the following daemon.json:

    {
      "ip": "127.0.0.1",
      "storage-driver": "zfs"
    }

    I am trying to install Cloudron on a new Ubuntu 20.04 install and there does not seem to be any method for selecting ZFS as the storage. The install process fails partway through with complaints about the file system type.

    The invocation for the install seems to be this:

    /etc/systemd/system/docker.service.d/cloudron.conf

    I set storage-driver=zfs and tried to restart the install. This complains about pre-existing nginx packages. I guess my next step will be letting it install on ext4 and then trying to doctor it to use ZFS after the fact.

    This is extremely clumsy and it's not clear to me why ZFS would not be directly supported.

    Support zfs