LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-07-2014, 08:23 PM   #1
ness2616
LQ Newbie
 
Registered: May 2014
Posts: 10

Rep: Reputation: Disabled
Help me harden our self-hosted Apache2 OwnCloud server


My friends and I have been using ownCloud for a few weeks to sync calendars, contacts, and files to all our devices, and we're loving it! For those who don't know, OwnCloud is a very convenient and user-friendly sync'ing program that I highly recommend for "going Google-free," as we are trying to do.

Would anyone with strong security knowledge please help us to evaluate the security of our OC server? Your feedback will help other users, too, because we will use this to make a more in-depth tutorial if it checks out! . Here is what we did:

1. Installed ownCloud on an old desktop computer running Linux Mint, to act as the server (we like GUI). Using mySQL and Apache2. Downloaded all security updates.

2. Configured Apache2 and mywebsite.conf server configuration files. Most important changes:
Code:
<VirtualHost *:80>
#Redirect all traffic to SSL at 443
	ServerAlias *
	RewriteEngine On
	RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

<VirtualHost *:443>
	ServerName mywebsite.org
	DocumentRoot /var/www/
	CustomLog /var/www/logs/ssl-access_log
	ErrorLog /var/www/logs/ssl-error_log
	ServerSignature Off
	HostnameLookups Off
	ServerSignature Off
	ServerTokens Prod

	Options -Indexes -FollowSymLinks -Includes -MultiViews

# SSL configuration
	SSLEngine on
	SSLCertificateFile /etc/ssl/crt/mywebsite-cert.pem
	SSLCertificateKeyFile /etc/ssl/key/mywebsite-key.pem
	SSLCACertificateFile /etc/ssl/crt/mywebsite-CA.pem
	SSLVerifyDepth 2

# Force all traffic to remain on HTTPS
	Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# Restrict or deny access to certain directories
<Directory />
	Options None
	AllowOverride None
	Deny from All
</Directory>

<Directory /usr/share>
	AllowOverride None
</Directory>

<Directory /var/www/>
	Options -Indexes -FollowSymLinks -Includes -MultiViews
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/logs/>
	Order Deny,Allow
	Deny from all
	AllowOverride None
	Options None
</Directory>

<Directory /var/www/owncloud/>
	Order Deny,Allow
#Blocking China and Russia from connecting (known bot and spam countries)
	SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
	SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
	Deny from env=BlockCountry
#Allow USA (USA! USA!)
	SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
	Allow from env=AllowCountry
	AllowOverride None
	</Directory>
</VirtualHost>
3. Turned off use of .htaccess files and moved the /var/www/owncloud directory's .htaccess file data into its own .conf file.

4. Modified ssl.conf for forward secrecy using strong ciphers:
Code:
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS:!RC4
5. Installed self-signed SSL certificates; OC server-side encryption; disabled unneeded Apache2 modules; enabled access logs; enabled security2.mod.

6. Currently in the process of configuring Fail2Ban.

7. Set the router to forward port 443 and linked this server to my personal domain name so that our data is accessible outside the LAN. We all use strong passwords but are still worried if this is safe enough...

8. Configured the server to have a static IP address and used DNSExit free dynamic DNS to keep track of it.

9. Checked the server on https://www.ssllabs.com/ssltest/ and got an "A" rating ("if trust issues are ignored")--so it shows an "F" just because we're using self-signed certs and our own "untrusted" CA.

Certificate: 0
Protocol Support: 95
Key Exchange: 80
Cipher Strength: 100

Questions
I think that this is strong enough security to protect our personal files and data from the mean streets of the internet ...but do you see anything wrong or lacking? Is there anything else we could do to harden the server and make it less likely to be hacked or accessed by others? Any recommendations for free server auditing software?

We would greatly appreciate any suggestions, and hopefully this information will help other users too!! Thank you! :mrgreen:
 
Old 05-07-2014, 09:22 PM   #2
Zyglow
Member
 
Registered: Nov 2004
Location: Texas
Distribution: CentOS, Fedora, RHEL
Posts: 68

Rep: Reputation: 16
Couple of things I would possibly do would be to use my own RCA for certs, and second run Apache in a jail.
 
Old 05-08-2014, 08:40 AM   #3
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,568
Blog Entries: 1

Rep: Reputation: Disabled
If you know the IPs (and they're static) of the people using OC, then I suggest
Code:
deny from all
allow from ip0
allow from ip1
...
 
Old 05-08-2014, 09:12 AM   #4
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 6.5
Posts: 483

Rep: Reputation: 85
Also if you can get selinux running if not already, that will further protect the server if hacked not to be able make use of other services as an attack vector.

I amsure some of the apache heavy weights can give a better solution, but something like that, I would feel confident running.

Oh, just one more thing. The most important is of course to monitor your logs, but with your setup, I believe you are well aware of that.

Last edited by ericson007; 05-08-2014 at 09:14 AM.
 
Old 05-08-2014, 07:14 PM   #5
ness2616
LQ Newbie
 
Registered: May 2014
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
If you know the IPs (and they're static) of the people using OC, then I suggest
Code:
deny from all
allow from ip0
allow from ip1
...
Awesome idea. Thank you. Would this work for mobile devices like iPhone or Android? Part of the idea is to be able to access data from anywhere, not just inside the LAN. I don't know if this would be practical for syncing to phones or tablets that change networks all the time.

Quote:
Originally Posted by ericson007 View Post
Also if you can get selinux running if not already, that will further protect the server if hacked not to be able make use of other services as an attack vector.

I amsure some of the apache heavy weights can give a better solution, but something like that, I would feel confident running.

Oh, just one more thing. The most important is of course to monitor your logs, but with your setup, I believe you are well aware of that.
I definitely agree about monitoring logs and will have to learn to configure e-mail notifications for intrusion detection. I think that's an option in Fail2Ban. Fail2Ban has honestly been very tricky for us to set up and configure properly. Still haven't got it working, which is too bad, because I think it will offer a huge increase in protection just by limiting login attempts, its other features notwithstanding. It's just not intuitive to me yet.

Is there anything else I may have forgotten or that I did wrong with the server configs? Sometimes I feel like the server is secure, but then I read more security articles, and I feel like I'm way out of my element and that server security is unattainable! Any Apache2 experts want to help put my paranoia to rest or suggest a good course of action?
 
Old 05-09-2014, 04:47 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
Quote:
Originally Posted by ness2616 View Post
My friends and I have been using ownCloud for a few weeks (..)
First of all you want to start assessing system security as you build the system, that is, before you put it to production use.


Quote:
Originally Posted by ness2616 View Post
Would anyone (..) please help us to evaluate the security of our OC server?
Your notes revolve mostly around one single service, so that would be second: assess the security posture of the whole server.


Quote:
Originally Posted by ness2616 View Post
(..) desktop computer running Linux Mint, to act as the server (we like GUI).
Ask yourself why you would need that? One of the reasons the majority of servers runs headless is that once configured they don't need adjustments that can't be made from the command line. Secondly the less software is installed and used the smaller the exposed attack surface becomes. (Don't think of only open ports but also users that have shell access.) Third the less software a server needs to run the more resources can be spent on what actually matters like performance. Xorg plus a Desktop Environment basically is a resource hog. Finally the (unnecessary) use of Desktop Environments or web-based management panels or any such crutches (with all due respect) often points to a lack of practical admin knowledge. That can (and should!) be remedied as any machine you admin and connect to the 'net is your responsibility.


Quote:
Originally Posted by ness2616 View Post
(..) OC server-side encryption; (..) I think that this is strong enough security to protect our personal files and data from the mean streets of the internet
If you mean disk encryption then, together with SSL usage, you've covered two thirds: data in transit and data at rest. However what happens if I gain access to the Live server? Could I find and open any document? Would I be able to find (personally identifiable?) information which would allow me to gain access to other (financial) services?


Quote:
Originally Posted by ness2616 View Post
Is there anything else we could do to harden the server and make it less likely to be hacked or accessed by others? (..) Any recommendations for free server auditing software?
Before I list things please remember that your fellow LQ members will help out where they can but ultimately you are responsible for making this work. (This also includes determining if what information you get from documentation, web log or forum posts is current, if it is a best practice or not, etc, etc. If unsure: ask!) Also realize that the most important cause for breaches of security is (IMNSHO: criminally) negligence on the part of server admins: not knowing what they run, no server hardening and auditing, bad access restrictions or configuration decisions, no software updates, allowing others to run outdated or questionable software, etc, etc.

- Read the Linux Mint (security?) documentation and since Mint is based on Ubuntu which in turn is based on Debian the Securing Debian Manual,
- install only what you need right now, that is, remove (or at least disable) any ('net-facing) services you don't need,
- install a file system integrity scanner like Samhain, AIDE or even tripwire,
- before you go harden the server (further) run GNU/Tiger and act on its reporting,
- ensure logging is enabled for all services and act on daily Logwatch reporting,
- ensure user access restrictions apply to all levels,
- make regular (off-site!) backups,
- run a copy of the OC machine on another machine (virtualization) to test software updates and configuration changes before putting them into production,
- run OpenVAS from a remote machine or use SecuritySpace online free basic audit or equivalent,
- most importantly remember that security is not a one off but a continuous process of auditing and adjusting.
*Bonus points if you know what the SANS Reading Room, OWASP and the CIsecurity Linux profiles contain.


Quote:
Originally Posted by Habitual View Post
Code:
deny from all
allow from ip0
allow from ip1
...
Agreed. White listing is an effective way to regulate access (and combined with say port knocking also easier to manage). But why not start with an ipset of allowed IP addresses or ranges in the mangle table? That would be better IMHO as it would prevent malicious traffic from even reaching the application level (which is better performance-wise too).


Quote:
Originally Posted by ericson007 View Post
Also if you can get selinux running if not already, that will further protect the server if hacked not to be able make use of other services as an attack vector.
Agreed. The SELinux default targeted policy is especially aimed at 'net-facing services


Quote:
Originally Posted by ericson007 View Post
The most important is of course to monitor your logs,
Agreed. You don't know what you don't log!


Quote:
Originally Posted by ness2616 View Post
I definitely agree about monitoring logs and will have to learn to configure e-mail notifications for intrusion detection. I think that's an option in Fail2Ban. Fail2Ban has honestly been very tricky for us to set up and configure properly. Still haven't got it working, which is too bad, because I think it will offer a huge increase in protection just by limiting login attempts, its other features notwithstanding. It's just not intuitive to me yet.
Actually having fail2ban or equivalent tools send emails is about the most useless function on offer for the simple reason that if you receive emails you're supposed to act on them immediately. Given that you may not like to admin the machine 24/7, plus more importantly, fail2ban is about active response (meaning by the time you read that email fail2ban already did its job) I disable it everywhere and just use syslog reporting via Logwatch. Secondly if you limit the amount of exposed services and go for white listing you reduce what fail2ban has to watch. Also because of the templates it comes with I contest it's hard to set up: do give an example of what you tried to configure to illustrate your problems?


Quote:
Originally Posted by ness2616 View Post
Sometimes I feel like the server is secure, but then I read more security articles, and I feel like I'm way out of my element and that server security is unattainable!
One of the things that makes computing fun and easy is that it's basically binary: conditions can be tested to be true or false, meaning something is secure or it is not, so there's no need for fuzzy human interpretations like "think", "feel" or "worry". That said if you're new to admin work or if you don't harden servers often then getting a clear view of the steps to take and in which order may seem like a daunting task. With the information posted in this thread you should have everything to start your journey the right way. If anything is unclear: just ask.

Have fun!
 
2 members found this post helpful.
Old 05-09-2014, 11:19 AM   #7
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,568
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by ness2616 View Post
I definitely agree about monitoring logs and will have to learn to configure e-mail notifications for intrusion detection. I think that's an option in Fail2Ban. Fail2Ban has honestly been very tricky for us to set up and configure properly. Still haven't got it working, which is too bad, because I think it will offer a huge increase in protection just by limiting login attempts, its other features notwithstanding. It's just not intuitive to me yet.
It takes persistence and dedication to gain an intimacy with anything that's new or unfamiliar. Fail2ban is a very simple program and a good place to start. It's fairly straight-forward and easy to enhance to suit your own purpose.

What version of fail2ban do you have installed?
Code:
sudo fail2ban-server -V | head -1
That's Not a good choice storing your access and error logs in DocumetRoot btw, why not where the other apache logs are stored and you could have mywebsite.conf store them in say, /var/log/httpd/owncloud-acess.log and /var/log/httpd/owncloud-error.log? It's just a tip. See this for CustomLog parameters.

Since you haven't mentioned the fail2ban package version, I'll provide a basic examples for an owncloud jail.

Getting Started with fail2ban

and whatever unSpawn says trumps my contribution, or enhances it?

Last edited by Habitual; 05-11-2014 at 01:26 PM.
 
1 members found this post helpful.
Old 05-12-2014, 04:19 PM   #8
ness2616
LQ Newbie
 
Registered: May 2014
Posts: 10

Original Poster
Rep: Reputation: Disabled
Wow, thank you all so much for all that info!! This is plenty to work with and very well described. unSpawn, my hat's off to you for taking the time to write such precise, detailed, and clear responses to my concerns. You guys definitely know how to make a new user here feel welcome

I switched everything over to Ubuntu Server and am actually enjoying the command line a lot more than I expected :P Not surprisingly, I understand Linux much better and server performance has improved greatly. Thank you again. I'll also look into Logwatch and am currently addressing specific issues identified in the report that Tiger generated.

Fail2ban is now working. The issue, identified elsewhere, was a lack of timezone identification in the /var/www/owncloud/config.php file that seems crucial to OC's compatibility with Fail2ban. Appending this code made Fail2ban work:
Code:
'logtimezone' => 'America/Los_Angeles',
'logfile' => '/var/log/owncloud/auth.log',
'loglevel' => '2',
'log_authfailip' => true,
Obviously the time zone and log directory/file would need to be specific or created accordingly.

Your suggestions have really helped and I'm starting to make some headway toward a more secure server. Will keep on working at it. Thanks again!
 
Old 05-12-2014, 04:22 PM   #9
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Rep: Reputation: 51
perhaps baseline it against a CIS benchmark, then lets tweak it as needed.
is AppArmor running in enforce mode ??

Last edited by Linux_Kidd; 05-12-2014 at 04:23 PM.
 
Old 05-12-2014, 04:37 PM   #10
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,369
Blog Entries: 1

Rep: Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088
Disable public access to owncloud/your public ip's 100%.

Set up a VPN connection between your phone devices and your network. (IPSEC)

Then set up ownlcoud clients to use a private address to access it. All traffic will be encrypted and over a VPN no matter where you go.

Or get a juniper ssl vpn and set up ownlcoud to work with it. then use junos pulse on your devices to access your applications over ssl vpn.

Last edited by szboardstretcher; 05-12-2014 at 04:40 PM.
 
1 members found this post helpful.
Old 05-12-2014, 07:40 PM   #11
ness2616
LQ Newbie
 
Registered: May 2014
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by szboardstretcher View Post
Disable public access to owncloud/your public ip's 100%.

Set up a VPN connection between your phone devices and your network. (IPSEC)
VPN sounds like a great idea! I'd be a lot more comfortable having my data off the open internet, no matter how hardened the server... as long as it's still conveniently accessible (I guess that's always the trade-off). Is a VPN still easy to use in this way on an iPhone or Droid? Would it increase power consumption or complicate synchronization of calendars, contacts, etc?


Quote:
Originally Posted by szboardstretcher View Post
Then set up ownlcoud clients to use a private address to access it.
Could you describe what you mean by "private address?" As in the server's IP or something? I'm a bit unclear on this and how the server would be accessible.


It seems like a VPN would simplify things and greatly boost security relative to using a domain name to access the server. Is this correct or are there big problems associated with VPNs also? It seems a lot safer but I'm still learning about it at the moment.

Thanks again.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OwnCLoud server network setup RCSub Linux - Networking 2 12-12-2013 09:22 AM
Move owncloud 4 to owncloud 5 to a different server the_bigbalu Linux - Server 2 05-28-2013 02:31 AM
Unable to view multiple hosted sites offline using apache2 and multiple VirtualHosts ar2deetu Linux - Server 7 10-29-2012 04:23 AM
Putting a linux server on freely hosted web server ashdasok Linux - Server 1 08-30-2012 11:18 AM
LXer: ownCloud Inc. and the ownCloud community LXer Syndicated Linux News 0 12-16-2011 12:50 PM


All times are GMT -5. The time now is 10:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration