Raspbian - Owncloud 7 - Changing to remote-able?
Hi all!
I've got a Raspberry Pi running Owncloud 7 following this guide. I'm just wondering if there are any steps I need to take or should take prior to opening it up to the world. I'm not convinced I want to, as at the moment (I think..) it's hidden behind a firewall (relatively) safe from hackers. I'd appreciate any thoughts or insight people can offer. |
Does Owncloud 7 have an option to block brute-force login attempts?
|
Kind of! It uses a program called 'fail2ban' to enable that! :)
http://www.rojtberg.net/711/secure-owncloud-server/ |
Off the top of my head:
- Make sure your web server is being run as an unprivileged user without shell access
- Your web server, and all software should be up to date and kept that way.
- Lock down permissions. Directories that don't have to be writable shouldn't. Be careful about what users and groups have access.
- The database user should have access to only the owncloud database and no ability to grant privileges
- You might look at a file monitor like Aide or Samhain
- Make sure you have regular backups of the files and the database.
- Force it to use https at all times (I think 7 has this in its admin section, otherwise use a redirect)

[edit] Oh, and make sure that everything exposed to the world is absolutely necessary. If you have services like SSH running, be sure they are up to date. And for SSH you should use key-based authentication. [/edit] |
Thanks! :)
Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after. The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it. :) |
How can I find this fail2ban?
|
.... Really?
|
Code:
nobody:x:99:99:nobody:/:/bin/false
|
Thanks! That's the user without shell access. :)
The problem I personally find is "man pages" and other help pages are written for technical people, not for people like me who don't understand different meanings of "pipes" and "expressions" or the difference between a command line, bash, shell, etc, especially people like me who don't use computers every day. This is why websites like this are so fantastic and people like you are brilliant! I don't understand how computers are attacked, let alone how to stop it.
|
That is why I was suggesting Aide or Samhain. Both of those will develop a database of file checksums, and will scan your system on a regular basis to see if the file has been changed. Aide is probably a bit easier to use, Samhain however is more industrial strength. The idea is that if you suddenly see a bunch of files being altered and you didn't do it, you may have a problem on your hands. Neither of these will prevent an attack, but can help in determining what happened if someone does break in. The one idea you should be getting from this is that security is not a one-stop shop. It is a process, not a thing. |