Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've got a Raspberry pi running Owncloud 7 following this guide. I'm just wondering if there are any steps I need to take or should take prior to opening it up to the world.
I'm not convinced I want to, as at the moment (I think..) it's hidden behind a firewall (relatively) safe from hackers.
I'm appreciate any thoughts or insight people can offer.
Off the top of my head:
- Make sure your web server is being run as an unprivileged user without shell access
- Your web server, and all software should be up to date and kept that way.
- lock down permissions. Directories that don't have to be writable shouldn't. Be careful about what users and groups have access.
- The database user should have access to only the owncloud database and no ability to grant privileges
- You might look at a file monitor like Aide or Samhain
- Make sure you have regular backups of the files and the database.
- Force it to use https at all times (I think 7 has this in its admin section, otherwise use a redirect)
[edit]
Oh, and make sure that everything exposed to the world is absolutely necessary. If you have services like SSH running, be sure they are up to date. And for SSH you should use key-based authentication.
Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after.
The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it.
Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after.
I think you can use the usermod command to remove shell access, this page may help figure out what you can try. Some distros, like Slackware, you can edit the passwd file (with EXTREME caution) and have the shell point to something nonsensical, but in general it is best to use the user management tools to do the work.
Code:
nobody:x:99:99:nobody:/:/bin/false
Quote:
The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it.
That's good, but clearly if you're running owncloud, it is going to be exposed to the Intertubes, which means that the rest of us have to live with it. So spending some time making sure it is locked down, and having a way to know if the bad guys have gotten in, would be appreciated by the rest of us. We really don't need another computer spewing sewage.
The problem I personally find is "man pages" and other help pages are written for technical people, not for people like me who don't understand different meanings of "pipes" and "expressions" or the different between a command line, bash, shell, etc, especially people like me who don't use computers every day. This is why websites like this are so fantastic and people like you are brilliant! I don't understand how computers are attacked, let alone how to stop it.
Quote:
Originally Posted by Hangdog42
having a way to know if the bad guys have gotten in, would be appreciated by the rest of us.
Not really. Fail2ban makes it harder to brute-force a login by limiting the attempts someone has before they end up on a temporary ban list. It is a good thing to have in place, however if one of the bad guys guesses correctly (or finds the user/pass combo through other means), fail2ban will do exactly diddly.
That is why I was suggesting Aide or Samhain. Both of those will develop a database of file checksums, and will scan your system on a regular basis to see if the file has been changed. Aide is probably a bit easier to use, Samhain however is more industrial strength. The idea is that if you suddenly see a bunch of files being altered and you didn't do it, you may have a problem on your hands. Neither of these will prevent an attack, but can help in determine what happened if someone does break in.
The one idea you should be getting from this is that security is not a one-stop shop. It is a process, not a thing.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.