ownCloud Security Hardening on Debian

Datetime: 2016-08-23 01:51:03          Topic: Debian

Hardening ownCloud folder permissions

Open a terminal

Create a new file

nano ~/config_owncloud_perms

Paste the following into the config_owncloud_perms file:

#!/bin/bash
# Strong-permissions script as given in the ownCloud admin manual;
# paths are quoted so a space in ocpath cannot break the commands.
ocpath='/var/www/owncloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'
 
printf "Creating possibly missing directories\n"
mkdir -p "${ocpath}/data"
mkdir -p "${ocpath}/assets"
mkdir -p "${ocpath}/updater"
 
# Files 0640 and directories 0750: nothing is world-readable, and the
# web server group can read but never write.
printf "chmod files and directories\n"
find "${ocpath}/" -type f -print0 | xargs -0 chmod 0640
find "${ocpath}/" -type d -print0 | xargs -0 chmod 0750
 
# Code belongs to root; only the directories ownCloud has to write to
# (apps, assets, config, data, themes, updater) belong to the web server user.
printf "chown directories\n"
chown -R "${rootuser}:${htgroup}" "${ocpath}/"
chown -R "${htuser}:${htgroup}" "${ocpath}/apps/"
chown -R "${htuser}:${htgroup}" "${ocpath}/assets/"
chown -R "${htuser}:${htgroup}" "${ocpath}/config/"
chown -R "${htuser}:${htgroup}" "${ocpath}/data/"
chown -R "${htuser}:${htgroup}" "${ocpath}/themes/"
chown -R "${htuser}:${htgroup}" "${ocpath}/updater/"
 
# occ is the command-line tool and must stay executable.
chmod +x "${ocpath}/occ"
 
# The .htaccess files must be readable by the web server even though
# they sit in directories owned by root.
printf "chmod/chown .htaccess\n"
if [ -f "${ocpath}/.htaccess" ]; then
  chmod 0644 "${ocpath}/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocpath}/.htaccess"
fi
if [ -f "${ocpath}/data/.htaccess" ]; then
  chmod 0644 "${ocpath}/data/.htaccess"
  chown "${rootuser}:${htgroup}" "${ocpath}/data/.htaccess"
fi

Note that these strong permissions stop the ownCloud updater from writing to the installation, so an upgrade will fail until they are relaxed; the ownCloud admin manual's "Setting Permissions for Updating" section has a script that temporarily loosens them. Run the script above again once the upgrade is done.

Save and exit

Make the file executable and run it as root (the script chowns files to root and www-data, which only root can do):

chmod +x ~/config_owncloud_perms
sudo ~/config_owncloud_perms
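A check a practitioner wants after running the script is an audit that reports anything whose mode has drifted from what the script set, for instance a file the web server created world-readable after the fact. The Python audit below is an added example, not part of the original post or of ownCloud; it walks a tree, compares every entry with the target modes from the script (0640 files, 0750 directories, 0644 for the two .htaccess files, execute bits tolerated on occ), and builds a small constructed tree with three deliberate mistakes so it can be run without a real installation. Ownership is not checked here; the script name audit.py used in the usage note is an assumption.

```python
import os
import shutil
import stat
import tempfile

# Modes the hardening script above leaves behind.
FILE_MODE = 0o640
DIR_MODE = 0o750
HTACCESS_MODE = 0o644                       # explicit exception in the script
HTACCESS_PATHS = (".htaccess", "data/.htaccess")
EXEC_FILE = "occ"                           # gets chmod +x on top of 0640


def expected_mode(rel, is_dir):
    """Mode the script intends for a path given relative to ocpath."""
    if is_dir:
        return DIR_MODE
    if rel in HTACCESS_PATHS:
        return HTACCESS_MODE
    return FILE_MODE


def audit_tree(ocpath):
    """Return sorted [(relpath, actual_mode, expected_mode)] for every entry
    that deviates from the script's modes. Symlinks are skipped; occ may carry
    execute bits, everything else is compared exactly."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(ocpath):
        targets = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for full, is_dir in targets:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(full, ocpath)
            actual = stat.S_IMODE(st.st_mode)
            if rel == EXEC_FILE:
                actual &= ~0o111            # ignore the execute bits on occ
            want = expected_mode(rel, is_dir)
            if actual != want:
                findings.append((rel, actual, want))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed ownCloud-like tree (not a real install) under a
    temp dir, with three deliberate mistakes, and return its path."""
    root = tempfile.mkdtemp(prefix="ocaudit-")
    files = {
        "config/config.php": 0o640,     # correct
        ".htaccess": 0o644,             # correct: script exception
        "data/.htaccess": 0o644,        # correct: script exception
        "occ": 0o750,                   # correct: 0640 plus execute bits
        "data/owncloud.log": 0o644,     # wrong: world-readable log
        "lib/private/base.php": 0o664,  # wrong: group-writable code
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    os.makedirs(os.path.join(root, "apps"))
    for dirpath, _d, _f in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
    os.chmod(os.path.join(root, "apps"), 0o755)   # wrong: world-listable dir
    return root


def demo():
    """Audit the constructed sample tree, clean it up, return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, actual, want in (audit_tree(target) if target else demo()):
        print("%-30s is %s, expected %s" % (rel, oct(actual), oct(want)))
```

Run as `sudo python3 audit.py /var/www/owncloud` on a real server (root is needed to read the data directory once it is 0750); with no argument it audits the sample tree and reports apps, data/owncloud.log and lib/private/base.php. Ownership drift is left to `find /var/www/owncloud ! -user root ! -user www-data`.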

Install fail2ban

sudo apt-get install fail2ban

Create owncloud fail2ban configuration file

sudo nano /etc/fail2ban/filter.d/owncloud.conf

Paste the following into owncloud.conf. The <HOST> tag is mandatory: fail2ban replaces it with its own address pattern and uses that capture group as the IP to ban, so a failregex without it (for example one with an empty Remote IP) is rejected with a "No 'host' group" error and bans nothing.

[Definition]
# Matches the JSON lines ownCloud writes to owncloud.log on a failed login.
# <HOST> is expanded by fail2ban and must capture the client address.
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
 
ignoreregex =

Configure jail file

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Append the following to jail.local. The logpath must point at owncloud.log inside your ownCloud data directory; maxretry, findtime and bantime are inherited from the [DEFAULT] section unless you override them here.

[owncloud]
enabled = true
filter  = owncloud
port    = http,https
logpath = /var/www/owncloud/data/owncloud.log
# optionally never ban your own LAN: replace x.y.z.n/24 with your address range
ignoreip = x.y.z.n/24

Restart the fail2ban service

sudo service fail2ban restart

Test the configuration

sudo fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v

sudo is needed because the hardening script left the log readable only by www-data. The output should report one match per "Login failed" line in the log; zero matches with failed logins present means the regex does not fit the log format of your ownCloud version.
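To see what the filter and jail actually do with the log before trusting them in production, the Python script below replays the filter and the jail's counting over a handful of constructed owncloud.log lines. It is an added example, not part of the original post or of fail2ban: it expands <HOST> the way fail2ban does (the HOST_RE stand-in for fail2ban's internal pattern is an assumption), extracts the client address from every matching line, applies maxretry and findtime per host, and honours an ignoreip network. The sample log lines, request ids, user names and addresses are all constructed.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the owncloud.conf filter above, unchanged except that
# fail2ban expands <HOST> into a capture group before matching.
FAILREGEX = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}'''

# Stand-in for fail2ban's own <HOST> expansion (assumption: adequate for the
# IPv4 and IPv6 literals ownCloud writes into remoteAddr).
HOST_RE = r"(?P<host>[\w\-.:]+)"


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> as fail2ban does and compile the filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failures(lines, pattern=None):
    """Yield (timestamp, host) for every line the filter matches.

    fail2ban takes the timestamp from its date detector; here it is read
    from the JSON "time" field, which carries a UTC offset."""
    pattern = pattern or compile_failregex()
    for line in lines:
        m = pattern.search(line)
        if m:
            yield datetime.fromisoformat(json.loads(line)["time"]), m.group("host")


def simulate_jail(lines, maxretry=5, findtime=600, ignoreip=()):
    """Replay the jail: a host is banned once it reaches maxretry failures
    inside a findtime-second window, unless it lies in an ignoreip network.
    Returns {host: time of ban}."""
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(parse_failures(lines)):
        if host in banned:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in ignored):
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


def _entry(t, ip, user):
    # One constructed owncloud.log line in the JSON shape the filter expects.
    msg = "Login failed: '%s' (Remote IP: '%s')" % (user, ip)
    rec = {"reqId": "req", "remoteAddr": ip, "app": "core",
           "message": msg, "level": 2, "time": t}
    return json.dumps(rec, separators=(",", ":"))


def sample_log():
    """Constructed owncloud.log excerpt (not real data): four clients with
    different failure patterns."""
    base = datetime.fromisoformat("2016-08-22T23:00:00+00:00")

    def at(sec):
        return (base + timedelta(seconds=sec)).isoformat()

    lines = []
    # 198.51.100.7: six failures in five minutes -> must be banned
    lines += [_entry(at(i * 50), "198.51.100.7", "admin") for i in range(6)]
    # 203.0.113.9: two typos -> stays under maxretry
    lines += [_entry(at(100 + i * 30), "203.0.113.9", "bob") for i in range(2)]
    # 192.0.2.1: one failure an hour ago plus four now -> only four in the window
    lines += [_entry(at(-3600), "192.0.2.1", "carol")]
    lines += [_entry(at(400 + i * 30), "192.0.2.1", "carol") for i in range(4)]
    # 10.0.0.5: six failures from the LAN -> banned unless ignoreip covers it
    lines += [_entry(at(300 + i * 10), "10.0.0.5", "dave") for i in range(6)]
    return lines


if __name__ == "__main__":
    for host, when in simulate_jail(sample_log(), ignoreip=("10.0.0.0/24",)).items():
        print("ban %s at %s" % (host, when.isoformat()))
```

With the defaults above only 198.51.100.7 is banned, at its fifth failure; dropping the ignoreip argument also bans 10.0.0.5, and lowering maxretry to 3 additionally catches 192.0.2.1, whose hour-old failure is correctly discarded by the findtime window. Point the same functions at real lines from owncloud.log (one JSON object per line) to check the regex against your ownCloud version's log format.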
