diff --git a/docs/references/selfhosting.md b/docs/references/selfhosting.md index 4245eb895..c69eaa03b 100644 --- a/docs/references/selfhosting.md +++ b/docs/references/selfhosting.md @@ -426,13 +426,19 @@ This section lists various security measures in place to protect the Cloudron. The goal of rate limits is to prevent password brute force attacks. -* Cloudron password verification routes - 1 request per second per IP. -* HTTP and HTTPS requests - 250 requests per 5 seconds per IP. -* SSH access - 10 connections per 10 seconds per IP. -* Email access (Port 25, 587, 993, 4190) - 10 connections per 10 seconds per IP/App. -* Database addons access - 250 connections in 10 seconds per app. -* Email addon access - 10 connections per 10 seconds per app. -* Auth addon access - 10 connections per 10 seconds per app. +* Cloudron password verification routes - 10 requests per second per IP. +* HTTP and HTTPS requests - 5000 requests per second per IP. +* SSH access - 3 connections per second per IP. +* Email access (Port 25, 587, 993, 4190) - 50 connections per second per IP/App. +* Database addons access - 5000 connections per second per app (addons use 128 byte passwords). +* Email relay access - 500 connections per second per app. +* Email receive access - 50 connections per second per app. +* Auth addon access - 500 connections per second per app. + +## Password restrictions + +* Cloudron requires user passwords to have 1 uppercase, 1 number and 1 symbol. +* Minimum length for user passwords is 8 # Debug diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh index 17f459b39..4a47ab47d 100755 --- a/setup/start/cloudron-firewall.sh +++ b/setup/start/cloudron-firewall.sh 
@@ -39,13 +39,13 @@ iptables -t filter -A CLOUDRON_RATELIMIT_LOG -j DROP # http https for port in 80 443; do iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --set --name "public-${port}" - iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 5 --hitcount 250 -j CLOUDRON_RATELIMIT_LOG + iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 5000 -j CLOUDRON_RATELIMIT_LOG done # ssh smtp ssh msa imap sieve for port in 22 202; do iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --set --name "public-${port}" - iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 10 --hitcount 10 -j CLOUDRON_RATELIMIT_LOG + iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 3 -j CLOUDRON_RATELIMIT_LOG done # TODO: move docker platform rules to platform.js so it can be specialized to rate limit only when destination is the mail container 
@@ -53,19 +53,25 @@ done # docker translates (dnat) 25, 587, 993, 4190 in the PREROUTING step for port in 2525 4190 9993; do iptables -A CLOUDRON_RATELIMIT -p tcp ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "public-${port}" - iptables -A CLOUDRON_RATELIMIT -p tcp ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 10 --hitcount 10 -j CLOUDRON_RATELIMIT_LOG + iptables -A CLOUDRON_RATELIMIT -p tcp ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 1 --hitcount 50 -j CLOUDRON_RATELIMIT_LOG done # ldap, imap, sieve for port in 3002 4190 9993; do iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}" - iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 10 --hitcount 10 -j CLOUDRON_RATELIMIT_LOG + iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 1 --hitcount 500 -j CLOUDRON_RATELIMIT_LOG done -# cloudron docker network: smtp mysql postgresql redis mongodb -for port in 2525 3306 5432 6379 27017; do +# cloudron docker network: mysql postgresql redis mongodb +for port in 3306 5432 6379 27017; do iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}" - iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 5 --hitcount 250 -j CLOUDRON_RATELIMIT_LOG + iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m 
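Review bot: `--hitcount 5000` on the new 80/443 `--update` rule almost certainly exceeds what xt_recent will accept — as far as I recall the kernel caps hitcount at 255 stamps per entry (older kernels at the `ip_pkt_list_tot` module parameter, default 20) and rejects the rule with EINVAL, so the `--update` rule never loads while the preceding `--set` rule does, leaving HTTP/HTTPS with no limit at all; the old value of 250 sat just under that cap. For rates of this size use hashlimit instead, e.g. `iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m hashlimit --hashlimit-above 5000/sec --hashlimit-mode srcip --hashlimit-name "public-${port}" -j CLOUDRON_RATELIMIT_LOG`, or keep hitcount at or below 255 with a correspondingly shorter window, and in either case verify with `iptables -S CLOUDRON_RATELIMIT` and `dmesg` after a fresh boot. Note also that `--state NEW` counts connections rather than requests, so with keep-alive and HTTP/2 multiplexing the documented "5000 requests per second per IP" understates what one address can actually send. The 22/202 `--hitcount 3` value is within the cap and unaffected.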
recent --update --name "private-${port}" --seconds 1 --hitcount 5000 -j CLOUDRON_RATELIMIT_LOG +done + +# cloudron docker network: mail relay +for port in 2525; do + iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --set --name "private-${port}" + iptables -A CLOUDRON_RATELIMIT -p tcp -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m state --state NEW -m recent --update --name "private-${port}" --seconds 1 --hitcount 500 -j CLOUDRON_RATELIMIT_LOG done # For ssh, http, https @@ -77,4 +83,3 @@ fi # Workaroud issue where Docker insists on adding itself first in FORWARD table iptables -D FORWARD -j CLOUDRON_RATELIMIT || true iptables -I FORWARD 1 -j CLOUDRON_RATELIMIT - diff --git a/setup/start/nginx/nginx.conf b/setup/start/nginx/nginx.conf index 66313f644..12771eeb2 100644 --- a/setup/start/nginx/nginx.conf +++ b/setup/start/nginx/nginx.conf @@ -34,7 +34,7 @@ http { keepalive_timeout 65s; # zones for rate limiting - limit_req_zone $binary_remote_addr zone=admin_login:10m rate=1r/s; # 1 request a second + limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second # HTTP server server { @@ -62,4 +62,3 @@ http { include applications/*.conf; } -
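Review bot: The same xt_recent ceiling applies to the new `--hitcount 5000` (3306/5432/6379/27017) and `--hitcount 500` (private 3002/4190/9993 and the new 2525 relay loop) values — if the module caps hitcount at 255 as I recall, these `--update` rules fail to insert while their `--set` counterparts succeed, and because the chain is still hooked unconditionally via `-I FORWARD 1`, the addon and relay ports end up with no limit and no visible error unless the script runs under `set -e` (the shebang and options are outside this hunk). A cheap guard at the end of the script would catch this on every boot, e.g. `[[ "$(iptables -S CLOUDRON_RATELIMIT | grep -c -- '--update')" -eq "$(iptables -S CLOUDRON_RATELIMIT | grep -c -- '--set')" ]] || echo "cloudron-firewall: some rate limit rules failed to load" >&2`, or move these high rates to `-m hashlimit --hashlimit-mode srcip`, which has no such cap. The public 2525/4190/9993 `--hitcount 50` rule is within the cap and fine. The single-element `for port in 2525` loop is harmless, but a short comment such as `# loop kept for symmetry with the other port groups` would spare the next reader a double-take.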
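Review bot: Loosening `admin_login` to `rate=10r/s` keyed on `$binary_remote_addr` allows roughly 864,000 password attempts per day from a single address, and because the zone is keyed on client IP alone a distributed guesser scales linearly with the number of sources; the documentation hunk states the purpose of these limits is to stop password brute force, so this value effectively delegates that job to the 8-character/3-class password policy. If the tenfold increase is needed for legitimate bursts (many users behind one NAT, a page issuing several auth calls at once), a lower sustained rate with a burst allowance gives the same headroom without the same steady-state guess rate — `rate=2r/s` here and `burst=20 nodelay` on the `limit_req` directive that applies the zone — while a per-account lockout or backoff in the application remains the only real defence, since IP-keyed limits cannot provide it. The trailing comment should also read `# 10 requests a second`. The `limit_req` directive that uses this zone is outside this hunk, so I cannot tell whether a burst is already configured.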