Cloudron Forum

sholan

@sholan
About
Posts
10
Topics
3
Shares
0
Groups
0
Followers
0
Following
0

Posts


  • Suggestion: Improvement on setup process, SSHD Listen port
    S sholan

    @nebulon said in Suggestion: Improvement on setup process, SSHD Listen port:

    @sholan do you know a very robust way to detect the port SSHd is using with bare minimum built-in tools? Such detection may cause side-effects if init scripts fail due to parsing errors of config files or VPS providers customize their Ubuntu images. But generally sounds like a good idea, if of course changing sshd port is a common use-case for our users. So maybe let's wait for others to raise interest.

    Maybe this is naïve but:
    /usr/sbin/sshd -T | grep "^port " | cut -d" " -f 2
    or with awk :
    /usr/sbin/sshd -T | grep "^port " | awk '{print $2}'

    Discuss
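
Added example, not part of the original post or of Cloudron's installer: a POSIX shell sketch of the detection discussed above that reads the effective configuration printed by `sshd -T` (which also accounts for repeated `Port` lines and `ListenAddress host:port` entries that a grep of `sshd_config` can miss). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every TCP port sshd is configured to listen on.

# parse_sshd_ports reads `sshd -T` style text on stdin (lower-case keywords)
# and prints the distinct, valid ports, one per line, in numeric order.
parse_sshd_ports() {
    awk '
        # Print only well-formed port numbers in the 1..65535 range.
        function emit(p) {
            if (p ~ /^[0-9]+$/ && p + 0 >= 1 && p + 0 <= 65535) print p + 0
        }
        $1 == "port" { emit($2) }
        # listenaddress appears as 0.0.0.0:22 or [::]:22 in the effective config.
        $1 == "listenaddress" && ($2 ~ /^\[.*\]:[0-9]+$/ || $2 ~ /^[^:]+:[0-9]+$/) {
            match($2, /:[0-9]+$/)
            emit(substr($2, RSTART + 1))
        }
    ' | sort -n -u
}

# detect_sshd_ports runs sshd in extended test mode (needs root) and fails
# instead of guessing when the configuration cannot be read or parsed.
detect_sshd_ports() {
    out=$(/usr/sbin/sshd -T 2>/dev/null) || return 1
    ports=$(printf '%s\n' "$out" | parse_sshd_ports)
    [ -n "$ports" ] || return 1
    printf '%s\n' "$ports"
}

# Constructed sample of `sshd -T` output, used for offline checks.
SAMPLE='port 39552
port 22
addressfamily any
listenaddress 0.0.0.0:39552
listenaddress [::]:39552
listenaddress 0.0.0.0:22
permitrootlogin no'
```

A setup script can call `detect_sshd_ports` before enabling a firewall and abort when it returns non-zero, so a configuration that does not parse never leads to a silently wrong allow-list.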

  • Suggestion: in the doc, linking SSH access securing and port whitelisting
    S sholan

    Feels nice, thank you guys !

    Discuss docs ssh

  • Suggestion: Improve OVH DNS setup documentation
    S sholan

    @girish
    You are welcome, nice job

    I will consider joining the gitlab in the future... I was lazy today 🙂

    Discuss docs ovh

  • Suggestion: Improvement on setup process, SSHD Listen port
    S sholan

    @nebulon

    I am not of any help regarding the constraints, I'd go headlong toward parsing /etc/ssh/sshd_config ... grep Listen

    But as you said, drawbacks exist.
    netstat might not be present on the system and so on

    I'm just raising an idea, I'm far from having all the constraints in mind 🙂

    Thank you, this is really nice to be part of it, Cloudron is just a dream come true, wish I had heard about it years ago

    Discuss

  • Suggestion: Improve OVH DNS setup documentation
    S sholan

    My message was lacking context :

    image.png

    1. increase validity to unlimited or 30 days (but unlimited is better in this case)
    2. hit the + sign and create rights
    3. add the Cloudron public IPs here one per input field, hit plus to add

    A complete example :
    75694f7e-ee1e-4184-86fe-5fee32a3ef9f-image.png

    Discuss docs ovh

  • Suggestion: Improvement on setup process, SSHD Listen port
    S sholan

    @girish indeed, it is related.

    The idea here is to prevent locking out an admin, while the other topic is to help such admin do the same but after Cloudron installation

    Discuss

  • Suggestion: in the doc, linking SSH access securing and port whitelisting
    S sholan

    @nebulon
    Fair enough, I do understand and agree with all you said, but shouldn't the documentation still be a bit more helpful for stubborn users like who don't like to do the same as everyone ?

    Discuss docs ssh

  • Suggestion: Improvement on setup process, SSHD Listen port
    S sholan

    Hello to everyone (feels like I forgot being polite in my other two posts),

    I recently installed Cloudron on a VPS after having secured said VPS.
    Included in securing it was the following :

    • moving SSH to port 39552 (or something alike)
    • installing fail2ban
    • whitelisting port 39552

    After Cloudron installation, sshd was still listening on the custom port while cloudron-firewall was blocking it.
    It was then impossible to use SSH to address the issue and the remote KVM of my provider made it hard for me to resolve it the right way.

    My suggestion is to add the following steps in the setup :

    • Check the current listening port of sshd
    • Whitelist this port

    Regards,
    sholan

    Discuss

  • Suggestion: in the doc, linking SSH access securing and port whitelisting
    S sholan

    Edit:
    Hello everyone,

    The security page of Cloudron doc, in "Securing SSH Access", advises to relocate SSH Server to a different port (security through obscurity), to prevent bruteforce attacks. The only advised (and available port) is 202, which means the expected effect is now void, because the whole community is forced to behave the same way.

    On the other hand, the networking documentation page indicates how to open a port on a Cloudron install the clean way.

    Those two pages should be linked (security => network) and the 202 restriction should be unmentioned.

    Discuss docs ssh

  • Suggestion: Improve OVH DNS setup documentation
    S sholan

    Edit:
    Hello everyone,

    While creating an application token for OVH API use, there are security options a user might and should leverage.

    One of the options is the rights that can be configured.

    I would advise for documenting the following rights as being the minimal scope needed by Cloudron to perform its duties:

    GET /domain/zone/{zone Name}/record
    POST /domain/zone/{zone Name}/record
    PUT /domain/zone/{zone Name}/record/*
    DELETE /domain/zone/{zone Name}/record/*
    GET /domain/zone/{zone Name}/record/*
    POST /domain/zone/{zone Name}/refresh
    

    Rights, above, are extracted from the OVH API client of Cloudron (as is on master branch at the time I wrote this post) and translated to the expected format in the OVH createToken page.

    Discuss docs ovh