Owncloud Security Hardening on Debian

Hardening owncloud folders permissions

Open a terminal

Create a new file

nano ~/config_owncloud_perms

Paste the following into the config_owncloud_perms file (the four variables at the top must match your installation: the ownCloud directory, the web server user and group, and root):

#!/bin/bash
# Adjust these to your system: ownCloud directory, web server user/group, root
ocpath='/var/www/owncloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p ${ocpath}/data
mkdir -p ${ocpath}/assets
mkdir -p ${ocpath}/updater
printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/assets/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/updater/
chmod +x ${ocpath}/occ
printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
then
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
fi
if [ -f ${ocpath}/data/.htaccess ]
then
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
fi

It should be noted that these strong permissions prevent upgrading your ownCloud server; see Setting Permissions for Updating for a script to quickly change permissions to allow upgrading.

Save and exit

Make file executable and run it

chmod +x ~/config_owncloud_perms
cd ~
sudo ./config_owncloud_perms
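After the script has run it is worth verifying that nothing in the tree still carries a looser mode than intended, for example after a later manual edit or an app install. The following audit script is an added example and not part of the original post or of ownCloud; it assumes only GNU/busybox `find` as found on Debian, reports deviations without changing anything, and builds a constructed throwaway tree to demonstrate itself. Ownership is deliberately not checked, because `chown` needs root and a verification run may not have it.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ownCloud tree for
# entries whose mode deviates from what config_owncloud_perms sets
# (0640 files, 0750 directories, 0644 for the two .htaccess files, occ
# executable). It only reports; it changes nothing.

# Print every path under $1 whose mode differs from the hardened layout.
audit_oc_perms() {
    oc="$1"
    find "$oc" -type f ! -perm 0640 \
        ! -path "$oc/occ" \
        ! -path "$oc/.htaccess" ! -path "$oc/data/.htaccess"
    find "$oc" -type d ! -perm 0750
    for f in "$oc/.htaccess" "$oc/data/.htaccess"; do
        if [ -f "$f" ]; then
            find "$f" ! -perm 0644
        fi
    done
}

# Number of deviating paths; 0 means the tree matches the script's layout.
count_oc_perm_deviations() {
    audit_oc_perms "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree (constructed sample, not a real install) laid out
# the way config_owncloud_perms leaves it, and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/data" "$d/config" "$d/apps"
    : > "$d/config/config.php"
    : > "$d/data/.htaccess"
    : > "$d/occ"
    find "$d" -type f -exec chmod 0640 {} +
    find "$d" -type d -exec chmod 0750 {} +
    chmod 0644 "$d/data/.htaccess"
    chmod u+x,g+x "$d/occ"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: a compliant tree, then one loosened file.
demo=$(make_demo_tree)
echo "deviations on fresh tree: $(count_oc_perm_deviations "$demo")"
chmod 0644 "$demo/config/config.php"     # config.php now world-readable
echo "after loosening config.php:"
audit_oc_perms "$demo"
rm -rf "$demo"
```

Run it against a real install as `audit_oc_perms /var/www/owncloud` (or whatever `ocpath` is); an empty result means the permissions the script set are still in place. A world-readable `config.php` is the case most worth catching, since it holds the database credentials and the instance secret.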

Install fail2ban

sudo apt-get install fail2ban

Create owncloud fail2ban configuration file

sudo nano /etc/fail2ban/filter.d/owncloud.conf

Paste the following contents into the owncloud.conf file (the `<HOST>` token is what fail2ban replaces with its IP-address pattern; without it the filter cannot identify which address to ban):

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

Configure jail file

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Append the following jail section to the jail.local file:

[owncloud]
enabled = true
filter  = owncloud
port    = http,https
logpath = /var/www/owncloud/data/owncloud.log
# optionally whitelist internal LAN IP addresses
ignoreip = x.y.z.n/24

Restart the fail2ban service

sudo service fail2ban restart

Test the configuration

fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v
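Independently of fail2ban-regex, it helps to know what the log actually contains before trusting the jail: how many failed logins there are and from which addresses. The script below is an added example, not part of the original post or of fail2ban; it extracts the address from the same `Remote IP: '...'` message field the filter's `<HOST>` token captures, counts failures per address, and lists those that have reached a given `maxretry`. The log lines are a constructed sample using documentation address ranges; the only dependencies are grep, sed, sort, uniq and awk.

```shell
#!/bin/sh
# Added example (not from the original post): count failed ownCloud logins
# per source address directly from owncloud.log, using the same log line
# shape the fail2ban filter matches.

# Write a constructed owncloud.log sample (addresses are documentation
# ranges, not real hosts) and print its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{"reqId":"a1","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-01-10T08:00:01+00:00"}
{"reqId":"a2","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.5')","level":2,"time":"2016-01-10T08:00:03+00:00"}
{"reqId":"a3","remoteAddr":"198.51.100.7","app":"files","message":"Sharing file with user alice","level":0,"time":"2016-01-10T08:00:04+00:00"}
{"reqId":"a4","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')","level":2,"time":"2016-01-10T08:00:05+00:00"}
{"reqId":"a5","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'test' (Remote IP: '203.0.113.5')","level":2,"time":"2016-01-10T08:00:06+00:00"}
EOF
    printf '%s\n' "$f"
}

# One IP per line, one line per failed login, taken from the message
# field the same way the filter's <HOST> token would capture it.
failed_login_ips() {
    grep '"message":"Login failed:' "$1" \
        | sed -n "s/.*Remote IP: '\([^']*\)'.*/\1/p"
}

# "<count> <ip>" per address, busiest first.
failed_login_counts() {
    failed_login_ips "$1" | sort | uniq -c | sort -rn
}

# Addresses that have reached $2 failures, i.e. what a jail with
# maxretry=$2 would ban (ignoring fail2ban's findtime window).
ips_over_threshold() {
    failed_login_counts "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
log=$(write_sample_log)
echo "failed logins per IP:"
failed_login_counts "$log"
echo "would be banned with maxretry=3:"
ips_over_threshold "$log" 3
rm -f "$log"
```

On a live system run `failed_login_counts /var/www/owncloud/data/owncloud.log` as a user that can read the data directory; the addresses it lists should match what `fail2ban-client status owncloud` reports as banned once the jail is active. Note that the counts here ignore fail2ban's `findtime` window, so an address that spread its attempts over days shows up here but would not be banned.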