Safe storage solutions? Owncloud? sftp? ideas and advice?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Safe storage solutions? Owncloud? sftp? ideas and advice?
Im new to linux and im trying to secure my vps. I've installed all the basics on it but i still dont feel like its secure enough i constantly see bots/people trying to gain access to my server. Im wondering if there's anyone else out there that uses their vps for a storage solution.
What I'm going to use it for. I need to store work documents/photoshop stuff on it mainly nothing financial but mainly just need security that my files will not be taken because it will have information regarding upcoming events not to be released to the public yet. I mainly will be accessing these files and changing it. Like photoshop files.
What I've been thinking of using was owncloud because it can just sync all my changes on the photoshop files. But I'm concerned about the security of it if someone gains access to my vps. Even if i have encryption enabled the user keys are on the server anyways people can just decrypt the files.. or am i wrong?
A correctly configured passwordless ssh/sftp server is the safest choice if safety is what you're after... The most common way to have things stolen from you are from unencrypted transmissions over the internet or even LAN..
And no, private user keys shouldn't be on the server and the host providing you with a the vps shouldn't have any way to decrypt them, but there are harder ways for them.. Anyway, I would worry about them...
Last edited by Smokey_justme; 09-14-2014 at 05:49 PM.
Basically Fail2ban, set it up for 3 tries then 1 hr ban. disabled root access, setup google 2-factor authenticator, setup ufw, and about it =/. Owncloud currently is installed encryption is set turned on but i read that if people were to accessed the server they can access the files anyways since the decrption key is on the server it self
No.. but if the live system is to be compromised, encryption wouldn't really matter, would it!? File system encryption is good for laptops or stuff like that (btw, are you talking about some OwnClowd encryption or a complete filesystem encryption)... What you must focus on is the ownclowd installation... If you use it to store your files and that installation gets compromised, then you're pretty much screwed.. Also, at least be sure to use https.. The biggest thread still remains unencrypted transmission of data
i constantly see bots/people trying to gain access to my server.
This is somewhat 'normal' in today's day and age on the 'net.
Quote:
Originally Posted by lin_ux
3 tries then 1 hr ban
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.
Quote:
Originally Posted by lin_ux
i read that if people were to accessed the server they can access the files anyways since the decrption key is on the server it self
That is what the encyption doc says, is that the same reference you read and are referring to?
I use the explicitly allowed technique to protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work, (I don't advocate doing personal stuff on Company assets, best to not 'go there')
deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>
fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
This is somewhat 'normal' in today's day and age on the 'net.
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.
Don't do that without a "backdoor" plan... Not even with keys... It's way to easy to lock yourself up by mistake or by a curios neighbour which monitors your wifi, etc..
Quote:
That is what the encyption doc says, is that the same reference you read and are referring to?
If this is indeed what you are refering to, then you need to take a little time and play with it.. I don't really understand if the private key is further encrypted with your password (in which case it's safe) or not... And see what happens if you remove the recovery-key from the server and put it only when need you need it..
But that still doesn't protect you if someone manages to steal your credentials somehow (again.. https only, I hope)..
Quote:
I use the explicitly allowed technique to protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work, (I don't advocate doing personal stuff on Company assets, best to not 'go there')
deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>
fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
Yes, if you can do this.. do it .. However, in practice, it's hard and since the OP has ownCloud I presume he won't access his cloud only from his home (or, maybe, like me, he doesn't have a static IP)...
To be honest.. I would only allow 127.0.0.1 to access the web-server and then use the ssh server as a SOCKS proxy for my browser to access the data if it's that important.. That way you have only one good and secure service to protect (SSH) and encryption and all others are just bonuses..
This is somewhat 'normal' in today's day and age on the 'net.
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.
That is what the encyption doc says, is that the same reference you read and are referring to?
I use the explicitly allowed technique to protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work, (I don't advocate doing personal stuff on Company assets, best to not 'go there')
deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>
fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
ah yes that's where I read about the encryption about owncloud. Thats why I was worried about using it for storing my work files. But it just provided such ease of access/resync files. I haven't done anything else to prevent the bots.
Quote:
Originally Posted by Habitual
My backdoor plan is
Code:
ignoreip = 127.0.0.1/8 my_ip.address/32
I also can log in via my vps company control panel from there I can just log in to root and etc. I will be changing that password to something 20 characters long because if someone guess my email+password they would gain access to my server anyways with root. i was thinking of setting up a vpn on the vps.
So i guess in the end the best practices is just to avoid owncloud. Remove root access, set more strict fail2ban settings and do ssh/sftp.
Oh yes ATM I do have owncloud encryption on just that im worried that if someone gained root access to my server somehow. Can they possibly view those files on owncloud even with owncloud encryption.
The user’s password is used as the key to decrypt their data. This means that if the user loses their login password, data will be lost.
It appears to me that a combination of the encryption key PLUS the user's password is used to en|decrypt files stored in owncloud.
If someone has root on your box, you have bigger fish to fry than owncloud-stored files.
So, unless owncloud stores users' passwords in the database in clear text (doubt it, someone would have screamed to high Heaven by now),
and having root and access to the files...
So, we can take away from this exercise:
1.) you have secured access to the box in a satisfactory manner.
2.) You have owncloud encryption ON.
you should be good.
But don't take my word for it. Try to acquire an encrypted file yourself (without using your owncloud user password) and try to open it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.