OWNCLOUD security concern

  • Hi all,


    I'm testing OWNCLOUD quite successfully on a VirtualBox OMV machine, running within my office workstation. It's intended to be used especially for project documents and team management. I redirected the router web doors to the VM and all team members are now easily accessing it from wherever, for document sharing.
    Ideally it should now be moved to the office's OMV server, but I'm concerned about exposing the office file server to external access. To gain http://my-ip/owncloud/index.php access I'll have to expose http://my-ip/, which is actually the OMV login page! Any suggestions?


    many thanks


    Luigi

  • Your OMV is as safe as your password.


    Not long ago there was no Owncloud plugin. We installed it via the install script from ryecoaaron.
    http://forums.openmediavault.o…1848&hilit=owncloud+alias
    There were two versions. One alias based and one port based. So you've been able to forward just the owncloud port.
    But the first point speaks for itself: "I RECOMMEND USING THE OFFICIAL PLUGIN INSTEAD OF THIS SCRIPT"


    Since I don't use the new owncloud plugin, maybe someone can say if it is possible to set the new owncloud plugin to use ports instead of an alias?

    • Official post

    The plugin can only be installed as an alias. When I first created the script, I created the port-based first so the OMV web interface didn't have to be internet accessible. Lots of people wanted an alias-based script. So, I created it. I don't think there is a problem with having the OMV web interface on the internet. I just didn't need it to be internet accessible :) So, I agree with WastlJ.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Aaron only edited the note to his thread because of the Plugin. It doesn't say how good or bad the installer is/was. It may still be good for some people so...


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

    • Official post
    Quote from "davidh2k"

    Aaron only edited the note to his thread because of the Plugin. It doesn't say how good or bad the installer is/was. It may still be good for some people so...


    and because the plugin integrates with OMV's user list. I think this is a nice feature. Other than that, I would say there is very little difference between the plugin and the script.


  • Dear friends,


    thanks for the comments. My concern about security is pretty basic: not knowing how to actively protect my data server from a potential hacking risk, I'd not expose it to external access. If I was a security expert I imagine I would not even use OMV and its plugins to deploy my server, so I think my problem is a general problem for most of the OMV potential users, not so different from a normal say "Synology customer"... Am I wrong?
    I'm stuck... I wished there were at least a simple IP-Blocker... I have so far 2 options: a) install an OMV VM inside server OMV, b) go back to the Port-based Installer - access SCRIPT. Is it still viable?


    many many thanks for any suggestion


    luigi

    • Official post
    Quote from "alice_unchained"

    If I was a security expert I imagine I would not even use OMV and its plugins to deploy my server.


    Why not? OMV can be secured just like a Debian server setup from scratch.


    Quote from "alice_unchained"

    I wished there were at least a simple IP-Blocker


    OMV does have a firewall and I'm pretty sure you can make firewall rules to block IPs. Otherwise, put it behind a router and only open the ports (80?) you need.


    Quote from "alice_unchained"

    go back to the Port-based Installer - access SCRIPT. Is it still viable?


    It still works the same. The plugin hasn't changed anything other than you can't run the script and plugin at the same time.


  • Quote from "alice_unchained"

    I wished there were at least a simple IP-Blocker...


    As ryecoaaron already mentioned, OMV has a firewall. And maybe in the future there will be a plugin called "fail2ban" which automatically blocks IP addresses that try to log on to your OMV too often.
    Btw. you can vote for "fail2ban" here, if you haven't already:
    http://forums.openmediavault.org/viewtopic.php?f=13&t=3393


    So in your case I would install the Owncloud Port based script I linked before. Then you can simply forward just the Owncloud port.
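
An added illustration, not part of the thread: the automatic blocking attributed to fail2ban above comes down to counting failed logins per source address inside a time window. The Python below does that over constructed log lines; the log format, the thresholds, the trusted LAN prefix and the name `find_bans` are assumptions for this example, not fail2ban's or OMV's own code.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The JSON layout and message text are assumptions
# made for this example, not the documented format of OMV or ownCloud.
SAMPLE_LOG = """\
{"time": "2014-03-01T09:00:00", "message": "Login failed: 'bob' (Remote IP: '198.51.100.20')"}
{"time": "2014-03-01T09:30:00", "message": "Login failed: 'bob' (Remote IP: '198.51.100.20')"}
{"time": "2014-03-01T10:00:05", "message": "Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"time": "2014-03-01T10:01:10", "message": "Login failed: 'x' (Remote IP: '198.51.100.20')' (Remote IP: '203.0.113.7')"}
{"time": "2014-03-01T10:02:30", "message": "Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"time": "2014-03-01T10:05:00", "message": "Login failed: 'bob' (Remote IP: '198.51.100.20')"}
truncated line, not JSON
"""

# The user name is chosen by the client, so match the address only at the very
# end of the message; a name that embeds a fake "Remote IP" must not be trusted.
FAILED = re.compile(r"Login failed: '.*' \(Remote IP: '([0-9A-Fa-f.:]+)'\)$")

def find_bans(log_text, max_retry=3, find_time=timedelta(minutes=10),
              ignore_prefixes=("192.168.",)):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            when = datetime.fromisoformat(entry["time"])
            match = FAILED.search(entry["message"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip it, keep watching
        if not match:
            continue
        ip = match.group(1)
        if ip in bans or ip.startswith(ignore_prefixes):
            continue  # already banned, or a trusted LAN address
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry:
            bans[ip] = when
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

The address with three failures spread over an hour is never banned, and the line whose user name embeds another address is still counted against the real sender.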

  • Quote from "WastlJ"

    As ryecoaaron already mentioned, OMV has a firewall. And maybe in the future there will be a plugin called "fail2ban" which automatically blocks IP addresses that try to log on to your OMV too often.
    Btw. you can vote for "fail2ban" here, if you haven't already:
    http://forums.openmediavault.org/viewtopic.php?f=13&t=3393


    So in your case I would install the Owncloud Port based script I linked before. Then you can simply forward just the Owncloud port.


    WastlJ,
    many thanks for pointing me in the right direction, I definitely voted for "fail2ban": really looking forward to having it up and running (maybe I should install it anyway...). I had something similar once on a NAS and it was scary to realize it was actually useful, used to get 1/2 reported bans per month (!!!!). I wouldn't know how to use the internal firewall to perform such a protection...
    I'll definitely try the script again on a second VM to compare. The first time I did, I used to have a 20 MB limit error but I think this can be solved.
    thanks again, very much appreciated


    Luigi

  • Quote from "ryecoaaron"


    Why not? OMV can be secured just like a Debian server setup from scratch.



    OMV does have a firewall and I'm pretty sure you can make firewall rules to block IPs. Otherwise, put it behind a router and only open the ports (80?) you need.



    It still works the same. The plugin hasn't changed anything other than you can't run the script and plugin at the same time.


    Ryecoaaron, thanks for the advice, ASAP I'll test a second VM with Port-based access.
    Support really appreciated


    Luigi

  • Quote from "Dennis"

    As you know, I'm more on a user-side. What about VPN? Are you a single-user?


    Dennis, I thought about VPN too, but I'm really planning to use OWNcloud to give different access rights to internal and external team members, where on different projects each one has different access/upload/read rights. I really like the idea that people with read rights can access via whatever piece of IT, more likely ipads...
    Team members are in different continents, I just want to provide URL+User+Pwd, definitely not planning to have externals to enter via VPN.


    nice try though, thanks, all suggestions are appreciated


    regards


    Luigi

  • I use the following trick to separate OMV and OC. With the following change, https://<hostip> only shows the Apache welcome page, and it works. https://<hostip>/alias_opermediavault will show the OMV login page. https://<hostip>/alias_owncloud will show the ownCloud login page.
    1. Change Default.conf in /etc/apache2/openmediavault-webgui.d:
        DocumentRoot /var/www (also change directory /var/www/openmediavault/ to /var/www/)
        DirectoryIndex index.html
       Keep the rest unchanged.
    2. Create a file openmediavault.conf in the same folder:
        <IfModule mod_alias.c>
            Alias /openmediavault /var/www/openmediavault/
        </IfModule>
        <Directory /var/www/openmediavault/>
            Options FollowSymLinks
            <FilesMatch \.php$>
                FcgidWrapper /var/www/openmediavault/php-fcgi .php
                SetHandler fcgid-script
                Options +ExecCGI
            </FilesMatch>
            Order Allow,Deny
            Allow from All
            AllowOverride All
        </Directory>
        DirectoryIndex index.php


    Fail2ban is definitely worth installing on OMV, but it doesn't have to be an OMV plugin, because a plugin is easy to install but sometimes doesn't work very well. An example is the omv-ldap plugin. It never works for me. I have to use winbind+krb5 to get domain users in ACL.


    Another example: I set up LDAP inside Owncloud, and every time I change a plugin setting such as the shared folder of Owncloud, the LDAP configuration is lost and I have to reconfigure LDAP in Owncloud. On the other hand, the Owncloud plugin presents storage on the NAS to Owncloud with just a couple of clicks. So I still say OMV is very good and promising NAS software.

  • If you want it really secured then put it behind a firewall like pfSense and only use OpenVPN to connect to openmediavault. So no OpenVPN keys, no connection to your box. This would protect the whole server. This method is very secure. You can keep your VPN keys on a USB key. If you lose your USB stick then change your keys.

  • Quote from "Cpoc"

    If you want it really secured then put it behind a firewall like pfSense and only use OpenVPN to connect to openmediavault. So no OpenVPN keys, no connection to your box. This would protect the whole server. This method is very secure. You can keep your VPN keys on a USB key. If you lose your USB stick then change your keys.


    Cpoc, thanks for the idea.


    If I used openVPN I'd not need OWNcloud in the first place, I'm planning to use it to give access via https:// to external project members. I'm actually thinking of keeping it on a VM and having it to rsync to the server.


    ciao


    Luigi

  • To secure my OwnCloud & OMV while giving external users access to OC, I have installed OC on a virtual machine running on my OMV box. The OC virtual machine has its own IP through a bridged interface on the OMV host. The OC server's IP address is port forwarded in my router. No port forwarding of the OMV IP address.


    I have used my KVM howto to install OC as a VM:
    http://forums.openmediavault.org/viewtopic.php?f=13&t=2417
    The VM is an ordinary Wheezy headless server with OC and iRedMail.


    To further enhance it, I have installed the OC data dir outside the www-data path.
    The OC VM accesses the personal OMV shares through the NFS protocol. I can post the complete setup if you are interested.


    I know that I lose some speed in OC through this setup, but I have complete security separation between my public (OC & iRedMail) and my non-public (OMV) install.


  • I've done pretty much the exact same for ownCloud, Subsonic, VPN and Mozilla Sync server, though I've even taken it a step further by creating a DMZ for any internet-facing services I run at home with a 10 IP isolated VLAN. Zero access TO any LAN node FROM those VMs/VLAN (except VPN with HMAC auth). My devices that leave the LAN connect through a DynDNS hostname which works both on LAN and from WAN.

  • thanks all for the help,


    my testing of Owncloud is getting really frustrating, as it gets slower and slower... Has anyone experienced a vertical decrease in performance of OC only, as I am now? What's strange is that OMV doesn't seem to be affected, the web interface is responsive as normal, while the PC interface is sooo lagggy....


    luigi

  • Was using owncloud only for a few months (but not the plugin, just Aaron's install script). Did not notice any speed decreases.


    Did you try to reboot your server? Is the speed "normal" then?

    Edited once, last by davidh2k. Reason: Aaron's, not Solo's script... ^^
