web analytics

How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part II)

In this blog, we will discuss some of the security measures for the connection and the login to the ownCloud server. The previous blog post is How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part I).

The ownCloud manual suggests:

Using ownCloud without using an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM) attack, and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always use HTTPS on production servers, and to never allow unencrypted HTTP.

We will use a self-signed certificate, and force (redirect) all unencrypted HTTP traffic to encrypted HTTPS. We will explicitly request to use the more secure SHA-256 hasing during certificate creation. This includes the following steps:

1. Enable OpenSSL on the server and create SSL certificates

First, install OpenSSL in server and enable the ssl and rewrite module in Apache2

$ sudo apt-get install openssl
$ sudo a2enmod ssl
$ sudo a2enmod rewrite

Next, create a self-signed SSL certificate inside /etc/apache2/ssl directory and fill in information which it will ask. (Note: fqdn = Fully Qualified Domain Name, for example, www.example.com is a fqdn while example.com is not.)

$ mkdir -p /etc/apache2/ssl
$ openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/owncloud.www.example.com.pem -keyout /etc/apache2/ssl/owncloud.www.example.com.key

For more details on this part, refer to Secure Owncloud setup

2. Enforce HTTPS connection and HSTS (Strict-Transport-Security HTTP header)

Edit the /etc/apache2/conf-available/owncloud.conf file. Add the following lines to owncloud.conf file, which redirect port 80 request to port 443 for subdirectory {SERVER_NAME}/owncloud/, and configure the SSL engine and its key path. This example uss IP-based Virtual Hosting in Apache. If you have DNS configured you can set it as name based configuration. The “Strict-Transport-Security” HTTP header is configured to least “15768000” seconds for enhanced security, and it elimintates The "Strict-Transport-Security" HTTP header is not configured warning in ownCloud admin panel.

<VirtualHost *:80>
    RewriteEngine On
    # This will enable the Rewrite capabilities

    RewriteCond %{HTTPS} !=on
    # This checks to make sure the connection is not already HTTPS

    RewriteRule ^/?owncloud/(.*) https://%{SERVER_NAME}/owncloud/$1 [NC,R,L]
    # This rule will redirect all users who are using any part of /secure/ to the same location but using HTTPS.
    # i.e. http://www.example.com/owncloud/ to https://www.example.com/owncloud

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/owncloud.www.example.com.pem
    SSLCertificateKeyFile /etc/apache2/ssl/owncloud.www.example.com.key
    DocumentRoot /var/www/owncloud

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

For more information, see Apache2 Httpd Wiki: HTTP to HTTPS, How to configure self signed SSL certificate in owncloud Ubuntu

3. Use secure ciphers and disable insecure protocols

Some ciphers like RC4 are known for attack-vulnerable, so does old security protocols. In summary, according to Hardening Your Web Server’s SSL Ciphers, we will take care of three things:

1. disable SSL 2.0 (FUBAR) and SSL 3.0 (POODLE),
2. disable TLS 1.0 compression (CRIME),
3. disable weak ciphers (DES, RC4), prefer modern ciphers (AES), modes (GCM), and protocols (TLS 1.2).

The actual setup is very easy, open /etc/apache2/mods-available/ssl.conf and apply the following lines:

# Disable SSLv2 and SSLv3 protocols
SSLProtocol ALL -SSLv2 -SSLv3

# Configure your server to actively select the most desirable suite from the list offered by SSL clients.
SSLHonorCipherOrder On

# Use secure ciphers

If you are unsure which file contains old configurations of the above lines, a grep search would be handy:

$ grep -i -r "SSLProtocol" /etc/apache2

4. Deploy the configurations and restart the Apache2 webserver

$ sudo a2enmod headers
$ sudo a2enconf owncloud.conf
$ sudo service apache2 restart

If, somehow, the apache2 complains about the FQDN like this:

$ sudo service apache2 restart
 * Restarting web server apache2          AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message

you can solve it by editing /etc/apache2/conf.d/fqdn (for Ubuntu 14.04) or /etc/apache2/conf-available/fqdn.conf (for Ubuntu 15.04)

$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
$ sudo a2enconf fqdn
$ sudo service apache2 reload

Now if you open the browser and type the HTTP URL of your ownCloud you will see it redirects to HTTPS automatically. That’s it. All Owncloud connections will use SSL encryption. You also need to modify all desktop and mobile client settings to use HTTPS instead of HTTP when accessing your ownCloud server.

5. Prevent brute-force password hacks

To prevent our ownCloud server from being hacked by brute-force password attacks in its default configuration as it does not enforce timeouts after failed login-attempts, we can use fail2ban to enforce a timeout after a certain number of failed login attempts.

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc. and uses iptables profiles to block brute-force attempts. For more details, see Secure Owncloud Server and Ubuntu Wiki on Fail2ban

Install fail2ban

To install fail2ban, use apt-get and configure fail2ban. Make a ‘local’ copy the jail.conf file in /etc/fail2ban, and edit the file:

$ sudo apt-get install fail2ban
$ sudo nano jail.local 

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking in the [owncloud] section:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 3600
maxretry = 3

enabled  = true
filter   = owncloud
port     = https
logpath  = /var/log/owncloud.log
maxretry = 3

Jail Configuration

Jails are the rules which fail2ban apply to a given application/log. So we need to tell ownCloud to log the failed login attempts. Edit /var/www/owncloud/config/config.php and add:

'logtimezone'	=> '<TIMEZONE>', // e.g. 'Europe/Berlin'
'logfile' 		=> '/var/log/owncloud.log',
'loglevel'		=> '2',

Note that logtimezone must match the clock of your server. Furthermore the webserver user (e.g. www-data) must have write access to the logfile. To verify that logging works, do some failed logins and check /var/log/owncloud.log.

Next create the following filter definition for fail2ban

# Filename: /etc/fail2ban/filter.d/owncloud.conf

failregex   = {	"reqId":".*",
                "message":"Login failed: .*",

Once done, restart fail2ban to put those settings into effect, and we can test it, by trying to log in with wrong password. The 3rd wrong attempt should give you a timeout (for 15 min), and you can get the fail attempt count by

$ sudo /etc/init.d/fail2ban restart
$ fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf

You can also look at iptable rules and find a REJECT rule for the testing IP:

$ iptables -L

target             prot  opt  source     destination
fail2ban-owncloud  tcp   --  anywhere    anywhere    multiport dports https
fail2ban-ssh       tcp   --  anywhere    anywhere    multiport dports ssh

Chain fail2ban-owncloud (1 references)
target     prot opt source               destination
REJECT     all  --  xxx.host.ucla.edu    anywhere  reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Voila! Finally, we successfully configured ownCloud to make it works securely. If you would like to make more customizations, please refer to the newest ownCloud offcial admin manual.

  1. Disabling SSLv3 for POODLE
  2. Mitigate the BEAST attack on TLS
  3. RC4 in TLS is Broken: Now What?
  4. Enabling Perfect Forward Secrecy
Creative Commons License
This work by Zengwen Yuan is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
comments powered by Disqus