Raspbian - Owncloud 7 - Changing to remote-able?
 

Hi all!

I've got a Raspberry pi running Owncloud 7 following this guide. I'm just wondering if there are any steps I need to take or should take prior to opening it up to the world.

I'm not convinced I want to, as at the moment (I think..) it's hidden behind a firewall (relatively) safe from hackers.

I'm appreciate any thoughts or insight people can offer.

Does Owncloud 7 have an option to block brute-force login attempts?

Kind of! It uses a program called 'fail2ban' to enable that! :)

http://www.rojtberg.net/711/secure-owncloud-server/

Off the top of my head:
- Make sure your web server is being run as an unprivileged user without shell access
- Your web server, and all software should be up to date and kept that way.
- lock down permissions. Directories that don't have to be writable shouldn't. Be careful about what users and groups have access.
- The database user should have access to only the owncloud database and no ability to grant privileges
- You might look at a file monitor like Aide or Samhain
- Make sure you have regular backups of the files and the database.
- Force it to use https at all times (I think 7 has this in its admin section, otherwise use a redirect)

[edit]

Oh, and make sure that everything exposed to the world is absolutely necessary. If you have services like SSH running, be sure they are up to date. And for SSH you should use key-based authentication.

[/edit]

Thanks! :)

Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after.

The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it. :)

How can I find this fail2ban ?

.... Really?

I think you can use the usermod command to remove shell access, this page may help figure out what you can try. Some distros, like Slackware, you can edit the passwd file (with EXTREME caution) and have the shell point to something nonsensical, but in general it is best to use the user management tools to do the work.
That's good, but clearly if you're running owncloud, it is going to be exposed to the Intertubes, which means that the rest of us have to live with it. So spending some time making sure it is locked down, and having a way to know if the bad guys have gotten in, would be appreciated by the rest of us. We really don't need another computer spewing sewage.

Thanks! That's the user without shell access. :)

The problem I personally find is "man pages" and other help pages are written for technical people, not for people like me who don't understand different meanings of "pipes" and "expressions" or the different between a command line, bash, shell, etc, especially people like me who don't use computers every day. This is why websites like this are so fantastic and people like you are brilliant! I don't understand how computers are attacked, let alone how to stop it.

I think that's what fail2ban does anyone?

Not really. Fail2ban makes it harder to brute-force a login by limiting the attempts someone has before they end up on a temporary ban list. It is a good thing to have in place, however if one of the bad guys guesses correctly (or finds the user/pass combo through other means), fail2ban will do exactly diddly.

That is why I was suggesting Aide or Samhain. Both of those will develop a database of file checksums, and will scan your system on a regular basis to see if the file has been changed. Aide is probably a bit easier to use, Samhain however is more industrial strength. The idea is that if you suddenly see a bunch of files being altered and you didn't do it, you may have a problem on your hands. Neither of these will prevent an attack, but can help in determine what happened if someone does break in.

The one idea you should be getting from this is that security is not a one-stop shop. It is a process, not a thing.