Secure Your OwnCloud Server

Securing your OwnCloud server is crucial to protect your data from potential threats. In this guide, we will focus on two key aspects: automatically installing security updates and preventing brute-force password hacking attempts.

Automatically Install Security Updates

No software package is flawless, and security vulnerabilities may exist anywhere in your server’s software stack, from the Linux kernel to the SSL library. Many of these vulnerabilities already have patches available; they are exploited mainly because security updates are delayed or neglected.

To automatically install security updates on Debian-based distributions, follow these steps:

  1. Open your terminal and run the following command:

    sudo dpkg-reconfigure -plow unattended-upgrades

    This command will configure your system to automatically install security updates.

Now, let’s move on to preventing brute-force password hacking attempts.

Prevent Brute-Force Password Hacks

By default, OwnCloud 8 is susceptible to brute-force password attacks, as it doesn’t enforce timeouts after failed login attempts. To mitigate this risk, we can use Fail2ban to impose timeouts after a certain number of failed login attempts.

Here’s how to set it up:

  1. Install Fail2ban by running:

    sudo apt-get install fail2ban
  2. Configure OwnCloud to log failed login attempts. Open the OwnCloud configuration file /var/www/owncloud/config/config.php in a text editor and add the following settings, replacing <TIMEZONE> with your server’s timezone. Ensure that the webserver user (e.g., www-data) has write access to the log file.

    'logtimezone' => '<TIMEZONE>', // e.g. 'Europe/Berlin'
    'logfile' => '/var/log/owncloud.log',
    'loglevel' => '2',
    'log_authfailip' => true, // not needed for 7.0.1+
  3. To verify that logging works, attempt some failed logins, and then check the log file /var/log/owncloud.log.

  4. Create a Fail2ban filter definition for OwnCloud by creating the file /etc/fail2ban/filter.d/owncloud.conf with the following content:

    [Definition]
    failregex={"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}
              {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
              {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}

    Choose the appropriate failregex line based on your OwnCloud version.

  5. Create a Fail2ban service definition by opening the file /etc/fail2ban/jail.config and adding the following:

    [owncloud]
    enabled = true
    filter  = owncloud
    port    = https
    logpath = /var/log/owncloud.log
  6. Restart Fail2ban to apply the changes:

    sudo systemctl restart fail2ban
  7. To test if Fail2ban is correctly reading the log, try logging in with the wrong password four times. The fourth attempt should result in a timeout (for 15 minutes).
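
To see which of the three failregex lines matches your log format before relying on the jail, the following added example (not part of the original guide) runs the patterns over log entries in Python. The `<HOST>` stand-in, the sample entries and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# The three failregex lines from the filter definition, copied verbatim.
FAILREGEX = [
    r'''{"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}''',
    r'''{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}''',
    r'''{"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}''',
]

# Assumption: simplified stand-in for Fail2ban's <HOST> tag (IP literals only).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample entries: one per log format, a repeat, and an unrelated entry.
SAMPLE_LOG = [
    '''{"app":"core","message":"Login failed: user 'alice' , wrong password, IP:203.0.113.7","level":2,"time":"2014-08-01T10:00:00+00:00"}''',
    '''{"app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.23', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:54:30+00:00"}''',
    '''{"app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.23', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:54:41+00:00"}''',
    '''{"reqId":"Zx8kQ1","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-03-01T12:00:00+00:00"}''',
    '''{"app":"PHP","message":"Undefined index: foo","level":3,"time":"2016-03-01T12:00:05+00:00"}''',
]

def match_line(line):
    """Return (failregex number, source address) for the first match, else None."""
    for number, regex in enumerate(COMPILED, start=1):
        found = regex.search(line)
        if found:
            return number, found.group("host")
    return None

def summarize(lines):
    """Count matched login failures per source address and per failregex line."""
    hosts, variants = Counter(), Counter()
    for line in lines:
        hit = match_line(line)
        if hit:
            variants[hit[0]] += 1
            hosts[hit[1]] += 1
    return hosts, variants

if __name__ == "__main__":
    hosts, variants = summarize(SAMPLE_LOG)
    print("failregex lines that matched:", dict(variants))
    for host, count in hosts.most_common():
        print(f"{host}: {count} failed login(s)")
```

On the server itself, `fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf` performs the same check with Fail2ban's own matcher.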

By following these steps, you can automatically install security updates and enhance the security of your OwnCloud server by protecting it against brute-force password hacking attempts using Fail2ban.
