Harden OwnCloud self-hosted server

Ask all your questions regarding OC 6.x Please read the Support Forum Rules
Forum rules
ownCloud 6.x reached end of life and is officially unsupported. For details see Wiki page.

Please upgrade your ownCloud.
artemicion
Starter
Posts: 51
Joined: Sat May 03, 2014 3:48 am
ownCloud version: 8.0.2
Webserver: Apache
Database: MySQL
OS: Linux

Harden OwnCloud self-hosted server

Postby artemicion » Thu May 08, 2014 1:53 am

My friends and I have been using ownCloud for a few weeks to sync calendars, contacts, and files to all our devices, and we're loving it! However, we are wondering how safe our data really is. Would anyone with strong security knowledge please help us to evaluate the security of our OC server? Your feedback will help other users, too, because we will use this to make a more in-depth tutorial if it checks out! :). Here is what we did:

1. Installed ownCloud on an old desktop computer running Linux Mint, to act as the server (we like GUI). Using mySQL and Apache2. Downloaded all security updates.

2. Configured Apache2 and mywebsite.conf server configuration files. Most important changes:

Code: Select all

<VirtualHost *:80>
#Redirect all traffic to SSL at 443
   ServerAlias *
   RewriteEngine On
   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

<VirtualHost *:443>
   ServerName mywebsite.org
   DocumentRoot /var/www/
   CustomLog /var/www/logs/ssl-access_log
   ErrorLog /var/www/logs/ssl-error_log
   ServerSignature Off
   HostnameLookups Off
   ServerSignature Off
   ServerTokens Prod

   Options -Indexes -FollowSymLinks -Includes -MultiViews

# SSL configuration
   SSLEngine on
   SSLCertificateFile /etc/ssl/crt/mywebsite-cert.pem
   SSLCertificateKeyFile /etc/ssl/key/mywebsite-key.pem
   SSLCACertificateFile /etc/ssl/crt/mywebsite-CA.pem
   SSLVerifyDepth 2

# Force all traffic to remain on HTTPS
   Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# Restrict or deny access to certain directories
<Directory />
   Options None
   AllowOverride None
   Deny from All
</Directory>

<Directory /usr/share>
   AllowOverride None
</Directory>

<Directory /var/www/>
   Options -Indexes -FollowSymLinks -Includes -MultiViews
   AllowOverride None
   Require all granted
</Directory>

<Directory /var/www/logs/>
   Order Deny,Allow
   Deny from all
   AllowOverride None
   Options None
</Directory>

<Directory /var/www/owncloud/>
   Order Deny,Allow
#Blocking China and Russia from connecting (known bot and spam countries)
   SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
   SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
   Deny from env=BlockCountry
#Allow USA (USA! USA!)
   SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
   Allow from env=AllowCountry
   AllowOverride None
   </Directory>
</VirtualHost>


3. Turned off use of .htaccess files and moved the /var/www/owncloud directory's .htaccess file data into its own .conf file.

4. Modified ssl.conf for forward secrecy using strong ciphers:

Code: Select all

SSLHonorCipherOrder on
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS:!RC4


5. Installed self-signed SSL certificates; OC server-side encryption; disabled unneeded Apache2 modules; enabled access logs; enabled security2.mod.

6. Currently in the process of configuring Fail2Ban.

7. Set the router to forward port 443 and linked this server to my personal domain name so that our data is accessible outside the LAN. We all use strong passwords but are still worried if this is safe enough...

8. Configured the server to have a static IP address and used DNSExit free dynamic DNS to keep track of it.

9. Checked the server on https://www.ssllabs.com/ssltest/ and got an "A" rating ("if trust issues are ignored")--so it shows an "F" just because we're using self-signed certs and our own "untrusted" CA.

Certificate: 0
Protocol Support: 95
Key Exchange: 80
Cipher Strength: 100

Questions
I think that this is strong enough security to protect our personal files and data from the mean streets of the internet ;) ...but do you see anything wrong or lacking? Is there anything else we could do to harden the server and make it less likely to be hacked or accessed by others? Any recommendations for free server auditing software?

We would greatly appreciate any suggestions, and hopefully this information will help other users too!! Thank you! :mrgreen:

RealRancor
ownCloud master
Posts: 17381
Joined: Sat May 26, 2012 3:00 pm
ownCloud version: 9.0.2
Webserver: nginx
Database: MySQL
OS: Linux
PHP version: 7.0.x

Re: Harden OwnCloud self-hosted server

Postby RealRancor » Thu May 08, 2014 7:40 am

Hi,

as oqnCloud is just served by your webserver you could also follow General best practices to harden a server/webserver.
*gone*

tflidd
Forum Moderator
Posts: 7159
Joined: Sat Dec 07, 2013 7:27 pm
ownCloud version: 8.2.3
Webserver: Apache
Database: MySQL
OS: Linux

Re: Harden OwnCloud self-hosted server

Postby tflidd » Thu May 08, 2014 2:00 pm

Do you use the standard PHP configuration? There you can probably optimize the security. It's like for a regular webserver.

logcheck observes your logfiles and can send you e-mails if there are irregularities. This helps you to observe your system.

With additional client side encryption you can improve your your data protection.

artemicion
Starter
Posts: 51
Joined: Sat May 03, 2014 3:48 am
ownCloud version: 8.0.2
Webserver: Apache
Database: MySQL
OS: Linux

Re: Harden OwnCloud self-hosted server

Postby artemicion » Thu May 08, 2014 8:59 pm

tflidd wrote:Do you use the standard PHP configuration? There you can probably optimize the security. It's like for a regular webserver.

logcheck observes your logfiles and can send you e-mails if there are irregularities. This helps you to observe your system.

With additional client side encryption you can improve your your data protection.


Thank you for the suggestions. I haven't touched the PHP configuration settings, so perhaps that's something I can look into for enhancing security, too.

What do you mean by client side encryption? I posted here about client authentication: viewtopic.php?f=14&t=21179 but it looks like that isn't supported yet. Is that what you were referring to or is it something different?

If you were referring to my mention of server-side encryption: at the moment ownCloud doesn't not seem to support client-side encryption either, only server-side (which is sort of helpful if you host your own server, but not if you're using a web host, who would hold the decryption keys).

tflidd
Forum Moderator
Posts: 7159
Joined: Sat Dec 07, 2013 7:27 pm
ownCloud version: 8.2.3
Webserver: Apache
Database: MySQL
OS: Linux

Re: Harden OwnCloud self-hosted server

Postby tflidd » Thu May 08, 2014 10:15 pm

SSL Client Authentification, very nice idea. But I meant directly an encryption on client side. TrueCrypt Containers or EncFS (Boxcryptor) for example.

artemicion
Starter
Posts: 51
Joined: Sat May 03, 2014 3:48 am
ownCloud version: 8.0.2
Webserver: Apache
Database: MySQL
OS: Linux

Re: Harden OwnCloud self-hosted server

Postby artemicion » Fri May 09, 2014 12:58 am

tflidd wrote:SSL Client Authentification, very nice idea. But I meant directly an encryption on client side. TrueCrypt Containers or EncFS (Boxcryptor) for example.


Ah, I see. That would definitely work to secure highly sensitive documents. However, we plan to use our OC server as the central hub for all our common digital information, including: contacts, calendars, notes, journals, tasks, documents, etc. TrueCrypt is a bit impractical for things like calendars and contacts, especially when sync'ing to mobile devices, but still a good tool for specific files.

Do you think the way we've configured the server protects it well enough from intrusion? Is there anything else we could improve or that we left out?

tflidd
Forum Moderator
Posts: 7159
Joined: Sat Dec 07, 2013 7:27 pm
ownCloud version: 8.2.3
Webserver: Apache
Database: MySQL
OS: Linux

Re: Harden OwnCloud self-hosted server

Postby tflidd » Fri May 09, 2014 4:03 pm

A good configuration of php and apache is a very good start. After all, it depends on you and how important your data are. You should always consider that the owncloud-code is not perfect.

For apache, there is mod_security (application layer firewall) which can protect you from certain security issues. But a proper configuration is challenging. You find a project on github: https://github.com/owncloud/mod_security but I don't know if it is compatible for more recent versions of OC.

You could also "hide" your owncloud installation behind a VPN (which is not very comfortable to use with mobile clients).


  • Similar Topics
    Replies
    Views
    Last post

Return to “ownCloud Community Edition 6.x”

Who is online

Users browsing this forum: No registered users and 2 guests