How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part II)
02 Feb 2016
In this blog post we will discuss some security measures for the connection to, and the login to, the ownCloud server. The previous post is How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part I).
The ownCloud manual suggests:
Using ownCloud without using an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM) attack, and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always use HTTPS on production servers, and to never allow unencrypted HTTP.
We will use a self-signed certificate, and force (redirect) all unencrypted HTTP traffic to encrypted HTTPS. During certificate creation we will explicitly request SHA-256 as the signature hash, since SHA-1 signed certificates are deprecated and browsers have begun to reject them. This involves the following steps:
1. Enable OpenSSL on the server and create SSL certificates
First, install OpenSSL on the server and enable the ssl and rewrite modules in Apache2.
Next, create a self-signed SSL certificate inside the /etc/apache2/ssl directory and fill in the information it asks for. (Note: for the Common Name, enter the fully qualified domain name (FQDN) under which clients reach the server, for example www.example.com; a certificate issued for example.com alone will not match www.example.com.)
For more details on this part, refer to Secure Owncloud setup
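The following shell functions carry out this step and check the result; they are an added example, not the commands from the original post. The hostname cloud.example.com, the file names owncloud.key and owncloud.crt and the subject fields are assumptions; the target directory is the /etc/apache2/ssl used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed certificate
# signed with SHA-256 and verify what OpenSSL actually produced.
# Assumptions: hostname cloud.example.com, key/cert named owncloud.key/.crt.
# Run as: make_selfsigned /etc/apache2/ssl cloud.example.com 365

# make_selfsigned DIR FQDN [DAYS]
# -sha256 selects the signature hash explicitly; -nodes leaves the key
# unencrypted so Apache can start without a passphrase prompt.
# Note: modern browsers match the hostname against subjectAltName, not CN;
# OpenSSL 1.1.1+ can add it with: -addext "subjectAltName=DNS:$fqdn"
make_selfsigned() {
    dir=$1; fqdn=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -keyout "$dir/owncloud.key" -out "$dir/owncloud.crt" \
        -subj "/C=US/ST=State/L=City/O=ownCloud/CN=$fqdn" 2>/dev/null
    chmod 600 "$dir/owncloud.key"   # private key readable by root only
}

# cert_sigalg FILE -> the signature algorithm, e.g. sha256WithRSAEncryption
# (a SHA-1 signed certificate would show sha1WithRSAEncryption here)
cert_sigalg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n1
}

# cert_cn FILE -> the subject Common Name; works with both the old
# "/C=US/.../CN=host" and the new "C = US, ..., CN = host" subject formats
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

After running make_selfsigned, cert_sigalg on the new certificate must report sha256WithRSAEncryption; if it reports sha1WithRSAEncryption the -sha256 flag was dropped and the certificate should be regenerated.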
2. Enforce HTTPS connection and HSTS (Strict-Transport-Security HTTP header)
Edit the /etc/apache2/conf-available/owncloud.conf file. Add the following lines to owncloud.conf, which redirect port 80 requests for the {SERVER_NAME}/owncloud/ path to port 443 and configure the SSL engine and the paths to the certificate and key. This example uses IP-based virtual hosting in Apache; if you have DNS configured you can use a name-based configuration instead. The Strict-Transport-Security header is set to at least 15768000 seconds (about six months), which is the value the ownCloud admin panel checks for, so this also eliminates the "The "Strict-Transport-Security" HTTP header is not configured" warning in the admin panel.
For more information, see Apache2 Httpd Wiki: HTTP to HTTPS, How to configure self signed SSL certificate in owncloud Ubuntu
3. Use secure ciphers and disable insecure protocols
Some ciphers, like RC4, are known to be vulnerable to attack, and so are old protocol versions. In summary, following Hardening Your Web Server's SSL Ciphers, we will take care of three things:
1. disable SSL 2.0 (FUBAR) and SSL 3.0 (POODLE),
2. disable TLS compression (CRIME),
3. disable weak ciphers (DES, RC4) and prefer modern ciphers (AES), modes (GCM) and protocols (TLS 1.2).
The actual setup is very easy: open /etc/apache2/mods-available/ssl.conf and apply the following lines:
If you are unsure which file still contains old versions of the above directives (a later duplicate would override your new settings), a grep search would be handy:
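The configuration for steps 2 and 3, plus the grep from this step, as an added example rather than the post's own files: the functions write the Apache snippets into a directory of your choice and list every SSL directive found under a configuration tree. The hostname cloud.example.com, the certificate paths and the cipher list are assumptions; on a real server the directory is /etc/apache2, and the Header directive additionally needs mod_headers (a2enmod headers).

```shell
#!/bin/sh
# Added example (not from the original post): Apache configuration for the
# HTTP->HTTPS redirect, HSTS and TLS hardening, and a search for conflicting
# SSL directives. Hostname, cert paths and cipher list are assumptions.

# write_vhost CONFDIR FQDN CERTDIR -> CONFDIR/owncloud.conf
# Port 80 redirects /owncloud to HTTPS; port 443 enables TLS and sends HSTS
# with the 15768000 s max-age that the ownCloud admin panel expects.
write_vhost() {
    confdir=$1; fqdn=$2; certdir=$3
    mkdir -p "$confdir"
    cat > "$confdir/owncloud.conf" <<EOF
Alias /owncloud "/var/www/owncloud/"
<Directory /var/www/owncloud/>
    Options +FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName $fqdn
    # Redirect takes precedence over Alias, so HTTP never serves ownCloud
    Redirect permanent /owncloud https://$fqdn/owncloud
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $fqdn
    SSLEngine on
    SSLCertificateFile    $certdir/owncloud.crt
    SSLCertificateKeyFile $certdir/owncloud.key
    # "always" sends the header on error responses too (needs mod_headers)
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
</IfModule>
EOF
}

# write_ssl_hardening CONFDIR -> CONFDIR/ssl-hardening.conf
# No SSLv2/SSLv3, no TLS compression (CRIME), no RC4/DES/3DES/export or
# anonymous ciphers, server-chosen order with ECDHE and AES-GCM first.
# TLS 1.0/1.1 stay on only for old clients; add "-TLSv1 -TLSv1.1" if you can.
# Put these lines in place of the SSLProtocol/SSLCipherSuite lines that
# find_tls_directives reports in mods-available/ssl.conf.
write_ssl_hardening() {
    mkdir -p "$1"
    cat > "$1/ssl-hardening.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK
EOF
}

# find_tls_directives DIR -> file:line:text for every SSLProtocol,
# SSLCipherSuite, SSLCompression or SSLHonorCipherOrder under DIR.
# Run it over /etc/apache2 to find old lines that would override the new ones.
find_tls_directives() {
    grep -rnE '^[[:space:]]*SSL(Protocol|CipherSuite|Compression|HonorCipherOrder)[[:space:]]' "$1"
}
```

Any hit from find_tls_directives outside the file you just edited is a directive that Apache may apply after yours; remove or update it, then reload Apache.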
4. Deploy the configurations and restart the Apache2 webserver
If apache2 complains about the FQDN like this:
you can solve it by setting the ServerName directive globally, in /etc/apache2/conf-available/fqdn.conf (Ubuntu 14.04 and 15.04, enabled with a2enconf fqdn); /etc/apache2/conf.d/fqdn was the equivalent location on older, Apache 2.2 based releases.
Now if you open the browser and type the HTTP URL of your ownCloud you will see it redirect to HTTPS automatically. That's it: all ownCloud connections now use TLS. You also need to change all desktop and mobile client settings to use HTTPS instead of HTTP when accessing your ownCloud server. One caveat with a self-signed certificate: browsers will warn that it is untrusted, and once a browser has seen the Strict-Transport-Security header for this host it will no longer let you click past that warning. Import the certificate into the trust store of each browser and client (or use a certificate from a trusted CA) before relying on HSTS.
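As an added example (not part of the original post), the functions below check the deployed server from captured response headers instead of by eye. On a real server, capture the headers with curl -sI http://cloud.example.com/owncloud/ and curl -skI https://cloud.example.com/owncloud/ (-k because the certificate is self-signed) into files and run the checks on them; the hostname is an assumption, and write_sample_headers produces constructed headers so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify the HTTP->HTTPS redirect
# and the HSTS header from saved curl -I output. Hostname is an assumption.

# http_status FILE -> the status code from the first line
http_status() {
    tr -d '\r' < "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p'
}

# header_value FILE NAME -> value of the first header NAME (case-insensitive)
header_value() {
    tr -d '\r' < "$1" | grep -i "^$2:" | head -n1 | sed 's/^[^:]*: *//'
}

# redirects_to_https FILE -> 0 if FILE is a redirect whose Location is https://
redirects_to_https() {
    case "$(http_status "$1")" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$(header_value "$1" Location)" in https://*) return 0 ;; *) return 1 ;; esac
}

# hsts_max_age FILE -> max-age from Strict-Transport-Security, or nothing
hsts_max_age() {
    header_value "$1" Strict-Transport-Security | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# hsts_ok FILE -> 0 when HSTS is present with max-age >= 15768000, the value
# the ownCloud admin panel checks for
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge 15768000 ]
}

# write_sample_headers DIR -> constructed samples: http.txt (a correct
# redirect), https.txt (correct HSTS) and weak.txt (HSTS far too short)
write_sample_headers() {
    mkdir -p "$1"
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://cloud.example.com/owncloud\r\nContent-Length: 0\r\n\r\n' > "$1/http.txt"
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains\r\nContent-Type: text/html\r\n\r\n' > "$1/https.txt"
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n' > "$1/weak.txt"
}
```

A server that passes redirects_to_https on the HTTP capture and hsts_ok on the HTTPS capture is configured as this post intends; a weak.txt-style response would still clear the browser's HSTS cache after five minutes and is what the admin panel warning is about.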
5. Prevent brute-force password hacks
In its default configuration ownCloud does not enforce a timeout after failed login attempts, so a brute-force password attack can run unthrottled. To prevent this, we can use fail2ban to enforce a timeout after a certain number of failed login attempts.
Fail2Ban is an intrusion prevention framework written in Python. It works by scanning log files (SSH, ProFTPD, Apache, etc.) for patterns that indicate failures and adding iptables rules to block the offending addresses. For more details, see Secure Owncloud Server and the Ubuntu Wiki on Fail2ban.
Install fail2ban
To install fail2ban, use apt-get, and then configure it. Make a 'local' copy (jail.local, which fail2ban reads after jail.conf and which survives package upgrades) of the jail.conf file in /etc/fail2ban, and edit the copy:
Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of failed attempts to your liking in the [owncloud] section:
Jail Configuration
Jails are the rules fail2ban applies to a given application or log. ownCloud must therefore log failed login attempts, so edit /var/www/owncloud/config/config.php and add:
Note that logtimezone must match your server's clock, otherwise fail2ban will treat fresh entries as too old to count. Furthermore the webserver user (e.g. www-data) must have write access to the logfile. To verify that logging works, make a few failed logins and check /var/log/owncloud.log.
Next, create the following filter definition for fail2ban:
Once done, restart fail2ban to put those settings into effect, and test it by trying to log in with a wrong password. The third wrong attempt should trigger the ban (for 15 minutes), and you can get the failed-attempt count by:
You can also look at the iptables rules and find a REJECT rule for the testing IP:
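The whole of this step, as an added example that is not the original post's or the ownCloud project's own configuration: the config.php logging entries, the fail2ban jail and filter, and an offline check that the filter's regex matches failed-login lines and ignores the rest. The log lines are constructed to look like ownCloud 8's JSON log format, and the example IPs, the 900 s bantime and maxretry of 3 are assumptions; before relying on the filter, run fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf against your real log.

```shell
#!/bin/sh
# Added example (not from the original post): ownCloud logging settings,
# fail2ban jail + filter, and an offline test of the filter regex against
# constructed ownCloud 8 style JSON log lines. IPs and limits are assumptions.

# failregex in fail2ban notation: fail2ban substitutes a host pattern for
# <HOST> and bans whatever it captures there.
FAILREGEX="\"message\":\"Login failed: '[^']*' \\(Remote IP: '<HOST>'"
HOST_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# owncloud_log_config -> lines to add inside the $CONFIG array of
# /var/www/owncloud/config/config.php; www-data must be able to write the file
# and logtimezone must match the server clock so fail2ban's findtime works
owncloud_log_config() {
    cat <<'EOF'
  'log_type' => 'owncloud',
  'logfile' => '/var/log/owncloud.log',
  'loglevel' => 2,
  'logtimezone' => 'UTC',
EOF
}

# write_fail2ban_config DIR -> DIR/filter.d/owncloud.conf and DIR/jail.local
# (DIR is /etc/fail2ban on a real system)
write_fail2ban_config() {
    mkdir -p "$1/filter.d"
    printf '[Definition]\nfailregex = %s\nignoreregex =\n' "$FAILREGEX" > "$1/filter.d/owncloud.conf"
    cat > "$1/jail.local" <<'EOF'
[owncloud]
enabled  = true
filter   = owncloud
port     = http,https
logpath  = /var/log/owncloud.log
ignoreip = 127.0.0.1/8
maxretry = 3
findtime = 600
bantime  = 900
EOF
}

# write_sample_log FILE -> constructed log: three failures from 203.0.113.7,
# one from 198.51.100.9 (with X-Forwarded-For), and one decoy line that
# mentions "Login failed" but is not a login failure
write_sample_log() {
    cat > "$1" <<'EOF'
{"reqId":"a1","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-02-02T10:15:30+00:00"}
{"reqId":"a2","remoteAddr":"198.51.100.9","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.9', X-Forwarded-For: '')","level":2,"time":"2016-02-02T10:15:41+00:00"}
{"reqId":"a3","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-02-02T10:15:52+00:00"}
{"reqId":"a4","remoteAddr":"203.0.113.7","app":"files","message":"File not found: Login failed: no such path","level":2,"time":"2016-02-02T10:16:00+00:00"}
{"reqId":"a5","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')","level":2,"time":"2016-02-02T10:16:03+00:00"}
EOF
}

# failed_logins LOG -> one IP per line for every line the filter would match;
# <HOST> is expanded the way fail2ban does it, then the IP is extracted
failed_logins() {
    re="${FAILREGEX%<HOST>*}$HOST_RE${FAILREGEX#*<HOST>}"
    grep -E "$re" "$1" | sed -E "s/.*Remote IP: '($HOST_RE)'.*/\1/"
}

# count_failures LOG IP -> number of failed logins from IP
count_failures() {
    failed_logins "$1" | grep -cxF "$2" || true
}

# should_ban LOG IP MAXRETRY -> 0 when IP has reached maxretry failures
# (ignoring findtime, which fail2ban applies on top of this count)
should_ban() {
    n=$(count_failures "$1" "$2")
    [ "$n" -ge "$3" ]
}
```

With the constructed log, 203.0.113.7 reaches maxretry and would be banned while 198.51.100.9 and the decoy line do not; on a live system the same outcome shows up as a REJECT rule for the address in iptables -L and in fail2ban-client status owncloud.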
Voila! We have configured ownCloud to work securely. If you would like to make more customizations, please refer to the newest ownCloud official admin manual.