LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-20-2014, 08:35 AM   #1
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Rep: Reputation: 13
Raspbian - Owncloud 7 - Changing to remote-able?


Hi all!

I've got a Raspberry pi running Owncloud 7 following this guide. I'm just wondering if there are any steps I need to take or should take prior to opening it up to the world.

I'm not convinced I want to, as at the moment (I think..) it's hidden behind a firewall (relatively) safe from hackers.

I'm appreciate any thoughts or insight people can offer.
 
Old 09-28-2014, 11:48 AM   #2
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Rep: Reputation: 142Reputation: 142
Does Owncloud 7 have an option to block brute-force login attempts?
 
Old 10-11-2014, 04:58 AM   #3
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
Kind of! It uses a program called 'fail2ban' to enable that!

http://www.rojtberg.net/711/secure-owncloud-server/
 
Old 10-11-2014, 06:01 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Off the top of my head:
- Make sure your web server is being run as an unprivileged user without shell access
- Your web server, and all software should be up to date and kept that way.
- lock down permissions. Directories that don't have to be writable shouldn't. Be careful about what users and groups have access.
- The database user should have access to only the owncloud database and no ability to grant privileges
- You might look at a file monitor like Aide or Samhain
- Make sure you have regular backups of the files and the database.
- Force it to use https at all times (I think 7 has this in its admin section, otherwise use a redirect)

[edit]

Oh, and make sure that everything exposed to the world is absolutely necessary. If you have services like SSH running, be sure they are up to date. And for SSH you should use key-based authentication.

[/edit]

Last edited by Hangdog42; 10-11-2014 at 06:06 PM.
 
Old 10-15-2014, 03:10 AM   #5
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
Thanks!

Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after.

The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it.
 
Old 10-15-2014, 04:54 AM   #6
Hanch1989
LQ Newbie
 
Registered: Oct 2014
Posts: 2

Rep: Reputation: 0
How can I find this fail2ban ?
 
Old 10-15-2014, 01:51 PM   #7
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
.... Really?
 
Old 10-19-2014, 07:36 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Originally Posted by NotAComputerGuy View Post
Thanks!

Could you point me in the right direction for removing shell permissions? I keep finding shell scripts to change or remove permissions which isn't what I'm after.
I think you can use the usermod command to remove shell access, this page may help figure out what you can try. Some distros, like Slackware, you can edit the passwd file (with EXTREME caution) and have the shell point to something nonsensical, but in general it is best to use the user management tools to do the work.
Code:
nobody:x:99:99:nobody:/:/bin/false
Quote:
The computer that's facing the world is effectively disposable. If someone took over it I'd lose a maximum of 12 hours work and every other computer treats it like it's infected with the plague and rejects requests from it.
That's good, but clearly if you're running owncloud, it is going to be exposed to the Intertubes, which means that the rest of us have to live with it. So spending some time making sure it is locked down, and having a way to know if the bad guys have gotten in, would be appreciated by the rest of us. We really don't need another computer spewing sewage.
 
Old 10-19-2014, 07:45 AM   #9
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
Thanks! That's the user without shell access.

The problem I personally find is "man pages" and other help pages are written for technical people, not for people like me who don't understand different meanings of "pipes" and "expressions" or the different between a command line, bash, shell, etc, especially people like me who don't use computers every day. This is why websites like this are so fantastic and people like you are brilliant! I don't understand how computers are attacked, let alone how to stop it.

Quote:
Originally Posted by Hangdog42 View Post
having a way to know if the bad guys have gotten in, would be appreciated by the rest of us.
I think that's what fail2ban does anyone?
 
Old 10-19-2014, 08:54 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Originally Posted by NotAComputerGuy View Post
I think that's what fail2ban does anyone?
Not really. Fail2ban makes it harder to brute-force a login by limiting the attempts someone has before they end up on a temporary ban list. It is a good thing to have in place, however if one of the bad guys guesses correctly (or finds the user/pass combo through other means), fail2ban will do exactly diddly.

That is why I was suggesting Aide or Samhain. Both of those will develop a database of file checksums, and will scan your system on a regular basis to see if the file has been changed. Aide is probably a bit easier to use, Samhain however is more industrial strength. The idea is that if you suddenly see a bunch of files being altered and you didn't do it, you may have a problem on your hands. Neither of these will prevent an attack, but can help in determine what happened if someone does break in.

The one idea you should be getting from this is that security is not a one-stop shop. It is a process, not a thing.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: ownCloud Community Comes Up Big Delivering ownCloud 7 Community Edition LXer Syndicated Linux News 0 08-05-2014 06:30 PM
Move owncloud 4 to owncloud 5 to a different server the_bigbalu Linux - Server 2 05-28-2013 01:31 AM
LXer: ownCloud Inc. and the ownCloud community LXer Syndicated Linux News 0 12-16-2011 11:50 AM
changing routes to remote pc BoraX Linux - Networking 2 08-14-2006 11:48 PM
Remote Date Changing mriolo Linux - General 11 02-25-2003 07:35 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 09:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration