How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part II)
02 Feb 2016

In this blog post, we discuss some security measures for the connection to, and the login to, the ownCloud server. The previous blog post is How to Set Up OwnCloud on Ubuntu 14.04 LTS Server (Part I).
The ownCloud manual suggests:
Using ownCloud without using an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM) attack, and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always use HTTPS on production servers, and to never allow unencrypted HTTP.
We will use a self-signed certificate and force (redirect) all unencrypted HTTP traffic to encrypted HTTPS. We will explicitly request the more secure SHA-256 hashing during certificate creation. Note that a self-signed certificate stops passive interception, but a client cannot tell it apart from a certificate presented by a man-in-the-middle unless the certificate (or its fingerprint) is distributed to the clients out of band; for a server reachable by the public, use a certificate from a CA your clients already trust. This includes the following steps:
1. Enable OpenSSL on the server and create SSL certificates
First, install OpenSSL on the server and enable the ssl and rewrite modules in Apache2:
$ sudo apt-get install openssl
$ sudo a2enmod ssl
$ sudo a2enmod rewrite
Next, create a self-signed SSL certificate inside the /etc/apache2/ssl directory and fill in the information it asks for. The -sha256 flag requests the SHA-256 signature mentioned above, and -newkey rsa:2048 makes the key size explicit. (Note: fqdn = Fully Qualified Domain Name; for example, www.example.com is a fqdn while example.com is not.)
$ sudo mkdir -p /etc/apache2/ssl
$ sudo openssl req -new -x509 -sha256 -newkey rsa:2048 -days 365 -nodes -out /etc/apache2/ssl/owncloud.www.example.com.pem -keyout /etc/apache2/ssl/owncloud.www.example.com.key
The private key must stay readable by root only (chmod 600); `openssl x509 -in /etc/apache2/ssl/owncloud.www.example.com.pem -noout -text` should list sha256WithRSAEncryption as the signature algorithm. For more details on this part, refer to Secure Owncloud setup.
2. Enforce HTTPS connection and HSTS (Strict-Transport-Security HTTP header)
Edit the /etc/apache2/conf-available/owncloud.conf file and add the following lines. The port 80 virtual host redirects requests for {SERVER_NAME}/owncloud/ to port 443, and the port 443 virtual host turns on the SSL engine and points it at the certificate and key created above. The example uses wildcard (*:443) virtual hosts; if you have DNS configured, set ServerName to your FQDN and Apache will select the virtual host by name. Note that the rewrite rule only redirects paths under /owncloud/; anything else served on port 80 stays unencrypted. The "Strict-Transport-Security" HTTP header is set to at least 15768000 seconds (six months) for enhanced security, which also eliminates the "The 'Strict-Transport-Security' HTTP header is not configured" warning in the ownCloud admin panel. Be aware of what HSTS does: once a browser has seen the header it refuses plain HTTP for that host and no longer lets the user click through certificate errors, so with a self-signed certificate you must import the certificate into each client's trust store first; includeSubDomains extends the policy to every subdomain, and preload only takes effect if you submit the domain to the browser preload list, which requires a publicly trusted certificate.
<VirtualHost *:80>
# Enable the rewrite engine
RewriteEngine On
# Only act when the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
# Redirect anything under /owncloud/ to the same location over HTTPS,
# i.e. http://www.example.com/owncloud/ to https://www.example.com/owncloud/
RewriteRule ^/?owncloud/(.*) https://%{SERVER_NAME}/owncloud/$1 [NC,R,L]
</VirtualHost>

<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/owncloud.www.example.com.pem
SSLCertificateKeyFile /etc/apache2/ssl/owncloud.www.example.com.key
DocumentRoot /var/www/owncloud
<IfModule mod_headers.c>
# HSTS: six months, applied to subdomains as well (see the caveats above)
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
</VirtualHost>
For more information, see Apache2 Httpd Wiki: HTTP to HTTPS, How to configure self signed SSL certificate in owncloud Ubuntu.
3. Use secure ciphers and disable insecure protocols
Some ciphers, such as RC4, have known practical attacks, and so do the old protocol versions. In summary, following Hardening Your Web Server's SSL Ciphers, we take care of three things:
1. disable SSL 2.0 (FUBAR) and SSL 3.0 (POODLE),
2. disable TLS compression (CRIME),
3. disable weak ciphers (DES, RC4) and prefer modern ciphers (AES), modes (GCM), and protocols (TLS 1.2).
The actual setup is very easy: open /etc/apache2/mods-available/ssl.conf and apply the following lines:
# Disable SSLv2 and SSLv3 protocols
SSLProtocol ALL -SSLv2 -SSLv3
# Disable TLS compression (CRIME)
SSLCompression off
# Configure your server to actively select the most desirable suite from the list offered by SSL clients.
SSLHonorCipherOrder On
# Use secure ciphers
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
The 3DES entries (ECDH+3DES, DH+3DES, RSA+3DES) are only there for old clients that cannot do AES; drop them if you have none. If you are unsure which file contains old versions of the above directives, a grep search is handy:
$ grep -i -r "SSLProtocol" /etc/apache2

4. Deploy the configurations and restart the Apache2 webserver
$ sudo a2enmod headers
$ sudo a2enconf owncloud.conf
$ sudo service apache2 restart
If apache2 complains about the FQDN like this:
$ sudo service apache2 restart
 * Restarting web server apache2
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
you can fix it by setting a global ServerName in /etc/apache2/conf-available/fqdn.conf (Apache 2.4, which Ubuntu 14.04 and later ship; Apache 2.2 on older releases used /etc/apache2/conf.d/fqdn instead). localhost silences the warning; your server's real FQDN is the better value:
$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
$ sudo a2enconf fqdn
$ sudo service apache2 reload
Now, if you open the browser and type the HTTP URL of your ownCloud, you will see it redirect to HTTPS automatically. That's it: all ownCloud connections now use TLS. You also need to change all desktop and mobile client settings to use HTTPS instead of HTTP when accessing your ownCloud server.
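What the SSLCipherSuite string above actually enables depends on the OpenSSL build it runs on, so it is worth expanding it and auditing the result instead of trusting the string. The following is an added example (not code from the original post, ownCloud or Apache): it builds a Python ssl context that mirrors the four directives from ssl.conf, lists the suites the local OpenSSL selects in preference order, and flags the ones this post says to avoid. It assumes Python 3.7+ and that the machine's OpenSSL is the one Apache links against (on Ubuntu 14.04 that is OpenSSL 1.0.1, so the expansion there will be shorter than on a current system). The minimum version of TLS 1.2 and the TIGHTENED_CIPHERS variant without 3DES are this example's assumptions, stricter than the post's SSLProtocol line.

```python
import ssl

# The SSLCipherSuite string from the ssl.conf snippet above, verbatim.
OWNCLOUD_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)

# Assumed tighter variant: the same string with the 3DES entries dropped.
TIGHTENED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
)

# Substrings in an OpenSSL cipher name that mark suites the post says to avoid:
# RC4, single/triple DES, MD5, export grade, no encryption, anonymous DH/ECDH.
WEAK_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "ADH", "AECDH")


def apache_equivalent_context(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Build an ssl.SSLContext mirroring the Apache directives in this post.

    SSLProtocol ALL -SSLv2 -SSLv3 -> minimum_version (assumed TLS 1.2 here)
    SSLCompression off            -> OP_NO_COMPRESSION
    SSLHonorCipherOrder On        -> OP_CIPHER_SERVER_PREFERENCE
    SSLCipherSuite ...            -> set_ciphers()
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def expand_ciphers(cipher_string):
    """Cipher names the local OpenSSL enables for cipher_string, in the order
    the server would prefer them. set_ciphers() only governs TLS <= 1.2; the
    fixed TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are listed as well
    on builds that support TLS 1.3."""
    ctx = apache_equivalent_context(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string):
    """Enabled suites that carry a WEAK_MARKERS substring or that OpenSSL
    itself rates below 128 bits of strength (3DES is reported as 112)."""
    ctx = apache_equivalent_context(cipher_string)
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_MARKERS)
        or c["strength_bits"] < 128
    ]


if __name__ == "__main__":
    for label, cipher_string in (("post", OWNCLOUD_CIPHERS),
                                 ("tightened", TIGHTENED_CIPHERS)):
        enabled = expand_ciphers(cipher_string)
        print(f"{label}: {len(enabled)} suites, first preference {enabled[0]}")
        print(f"{label}: weak suites {weak_ciphers(cipher_string) or 'none'}")
```

Run it on the web server itself, not on your workstation, to see the list Apache will really offer; `weak_ciphers(OWNCLOUD_CIPHERS)` names exactly the 3DES suites on builds that still ship them, and nothing on builds that do not.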
5. Prevent brute-force password hacks
In its default configuration ownCloud does not enforce a timeout after failed login attempts, so a brute-force password attack can run unthrottled. We can use fail2ban to enforce a timeout after a certain number of failed login attempts.
Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc. and uses iptables profiles to block brute-force attempts. For more details, see Secure Owncloud Server and Ubuntu Wiki on Fail2ban
Install fail2ban
To install fail2ban, use apt-get, then make a "local" copy of jail.conf in /etc/fail2ban and edit it (fail2ban reads jail.local on top of jail.conf, so the packaged file stays untouched on upgrades):
$ sudo apt-get install fail2ban
$ cd /etc/fail2ban
$ sudo cp jail.conf jail.local
$ sudo nano jail.local
Set the IPs you want fail2ban to ignore, the ban time (in seconds) and the maximum number of attempts to your liking in the [DEFAULT] section, then add an [owncloud] section:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 3600
maxretry = 3
[owncloud]
enabled = true
filter = owncloud
port = https
logpath = /var/log/owncloud.log
maxretry = 3

Jail Configuration
Jails are the rules which fail2ban apply to a given application/log. So we need to tell ownCloud to log the failed login attempts. Edit /var/www/owncloud/config/config.php and add:
'logtimezone' => '<TIMEZONE>', // e.g. 'Europe/Berlin'
'logfile' => '/var/log/owncloud.log',
'loglevel' => 2,
...
Note that logtimezone must match the timezone of your server's clock; otherwise fail2ban misjudges how old each entry is and its time window does not work. Furthermore, the webserver user (e.g. www-data) must have write access to the logfile. To verify that logging works, do some failed logins and check /var/log/owncloud.log.
Next, create the following filter definition for fail2ban. The failregex has to be on a single line: fail2ban treats each further indented line as a separate alternative pattern and rejects a pattern that has no <HOST> tag. ownCloud writes one JSON object per log line with no whitespace between fields, so the pattern must not contain spaces either:
# Filename: /etc/fail2ban/filter.d/owncloud.conf
[Definition]
failregex = ^\{"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"\}$
ignoreregex =
If ownCloud sits behind a reverse proxy, remoteAddr holds the proxy's address unless ownCloud is configured to trust the proxy's forwarded headers, and fail2ban would end up banning the proxy. Once done, restart fail2ban to put those settings into effect, and test it by trying to log in with a wrong password. The third wrong attempt should lock you out for an hour (the bantime set above). fail2ban-regex shows how many lines of the log the filter matches, and `sudo fail2ban-client status owncloud` shows the jail's current failed and banned counts:
$ sudo /etc/init.d/fail2ban restart
$ fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf
You can also look at the iptables rules and find a REJECT rule for the testing IP:
$ sudo iptables -L
target prot opt source destination
fail2ban-owncloud tcp -- anywhere anywhere multiport dports https
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain fail2ban-owncloud (1 references)
target prot opt source destination
REJECT all -- xxx.host.ucla.edu anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Voila! We have configured ownCloud to work securely. If you would like to make more customizations, please refer to the newest ownCloud official admin manual.
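To see what the [owncloud] jail and the owncloud.conf filter above actually do before pointing them at a live log, here is an added example (not code from the original post or from fail2ban) that replays the filter's regex and the jail's counting rule in plain Python over a handful of constructed ownCloud 8 style log lines. It assumes fail2ban's default findtime of 600 seconds, the maxretry of 3 and the ignoreip of 127.0.0.1 from the jail above, and simplifies ignoreip to exact address matching (real fail2ban also accepts CIDR masks and DNS names).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from filter.d/owncloud.conf as a plain Python regex: fail2ban
# substitutes a capture group for <HOST> internally, here named "host"; the
# timestamp is captured too so the findtime window can be replayed.
FAILREGEX = re.compile(
    r'^\{"reqId":".*","remoteAddr":"(?P<host>[^"]+)","app":"core",'
    r'"message":"Login failed: .*","level":2,"time":"(?P<time>[^"]+)"\}$'
)

# Constructed log lines (not a real capture); addresses are RFC 5737 ranges.
# 203.0.113.5 fails three times within two minutes; 198.51.100.7 fails once
# and then logs a non-login line; 127.0.0.1 fails three times but is on
# ignoreip; 192.0.2.9 fails four times, never three inside one 10-minute window.
SAMPLE_LOG = """\
{"reqId":"r1","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-02-02T10:00:01+00:00"}
{"reqId":"r2","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-02-02T10:00:09+00:00"}
{"reqId":"r3","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')","level":2,"time":"2016-02-02T10:00:30+00:00"}
{"reqId":"r4","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.5')","level":2,"time":"2016-02-02T10:01:15+00:00"}
{"reqId":"r5","remoteAddr":"198.51.100.7","app":"files","message":"Loaded files app","level":0,"time":"2016-02-02T10:01:40+00:00"}
{"reqId":"r6","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-02-02T10:02:00+00:00"}
{"reqId":"r7","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-02-02T10:02:05+00:00"}
{"reqId":"r8","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-02-02T10:02:10+00:00"}
{"reqId":"r9","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.9')","level":2,"time":"2016-02-02T10:10:00+00:00"}
{"reqId":"r10","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.9')","level":2,"time":"2016-02-02T10:11:00+00:00"}
{"reqId":"r11","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.9')","level":2,"time":"2016-02-02T10:30:00+00:00"}
{"reqId":"r12","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.9')","level":2,"time":"2016-02-02T10:31:00+00:00"}
"""


def count_matches(log_text):
    """Per-host count of lines the filter matches, as fail2ban-regex reports."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def find_bans(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Replay the jail's counting rule over the log.

    A host is banned as soon as it has `maxretry` matches inside a sliding
    window of `findtime` seconds, unless it is listed in `ignoreip`.
    Returns {host: timestamp of the match that triggered the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # anything but a failed login is ignored
        host = m.group("host")
        if host in ignoreip or host in bans:
            continue
        ts = datetime.fromisoformat(m.group("time"))
        failures = recent[host]
        failures.append(ts)
        while ts - failures[0] > window:  # forget failures older than findtime
            failures.popleft()
        if len(failures) >= maxretry:
            bans[host] = ts
            failures.clear()
    return bans


if __name__ == "__main__":
    print("matches per host:", count_matches(SAMPLE_LOG))
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
```

The 192.0.2.9 case is the one worth noticing: four failures match the filter, yet no ban is issued, because no three of them fall inside one findtime window; raising findtime to an hour bans that host too. That is the knob to tune when a slow, patient guessing attack stays under the radar.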
