How secure is ownCloud? As with most stable software, the answer depends on how well you protect your instance against ownCloud security issues. There are many ownCloud vulnerabilities listed in the National Vulnerability Database (NVD). Fortunately, there are many countermeasures you can implement to protect your ownCloud server from these and server level cyber intrusions.
If you don’t take such measures, cyber criminals will have a much larger cyber attack surface to hack ownCloud and potentially your cloud server. This is a step-by-step guide for hardening ownCloud, your Linux server, and your personal devices used to work with ownCloud.
- ownCloud Security
- ownCloud Server Security Improvements
- Secure Web Activity
ownCloud Security Apps
ownCloud apps can be installed by using the ownCloud dashboard, terminal, and server management software including cPanel. The ownCloud marketplace has a category dedicated to security apps. There are five that we recommend starting off.
Password Policy forces users to create strong passwords and change them periodically to protect against brute force attacks. It is the fastest way to start mitigating password attacks. Require lowercase letters, uppercase letters, numbers, and special characters. Ensure users can’t bounce between the same two or three passwords throughout a year.
Side note: educate your team on the importance of proper password management and how easy it is to fall victim to dictionary attacks. Suggest teammates check if their email accounts or favorite passwords were included in any data breaches collected at Haveibeenpwned.com. Recommend they use a password manager (1Password, KeePass, etc.) instead of their web browser for storing user credentials.
Brute-Force Protection does one simple thing: temporarily bans IP addresses after a specified number of failed login attempts. As a result, it grants ownCloud brute force protection from more unauthorized login attempts and encourages better password management in authorized members.
Warn your team about the lockout feature to prevent someone from getting locked out during a time-sensitive project.
Antivirus integrates your ownCloud instance with ClamAV, a popular Linux antivirus (AV) scanner, on the same server or an external system. Any file uploaded to ownCloud is forcibly scanned for malware and rejected if a malicious signature is detected.
A recent update enables you to connect the ownCloud Antivirus app with any AV scanner using the Internet Content Adaptation Protocol (ICAP).
cPanel system administrators can install ClamAV for ownCloud 9.1 and above with a cPanel plugin of the same name. For those searching for a Linux malware scanner, the ease in which you can integrate it with so many other applications supports claims for ClamAV being the best antivirus for Linux.
Checksum produces SHA512, CRC32, and MD5 checksums at the click of a button. It isn’t an ownCloud encryption app. Comparing checksums is a fast, effective method for ensuring a file:
- Hasn’t changed since you last edited it
- Wasn’t corrupted between transferring backups between ownCloud and an external hard drive or other location
It’s called integrity checking. Basic usage: run a checksum of the file in ownCloud. Use a PC application to run the local file through the same cryptographic algorithm – SHA512, MD5, etc. The command line interface (CLI), also known as a terminal or command prompt, may seem intimidating to some. But it is the fastest, secure method on local machines. The software is already installed. It is easiest to open a terminal from the file folder and use the command for your operating system type.
Replace “file.txt” with your full filename.
certutil -hashfile file.txt sha512
shasum -a 512 file.txt
Linux and BSD:
The file checksum from both locations should match exactly. Otherwise, at least one was either edited, corrupted, or infected.
Two or multi-factor authentication (TFA/MFA) comes in many forms. 2-Factor Authentication uses the tried and true QR code and mobile device combination. It’s the best method for smaller teams. Duo Two-Factor Provider, OpenID Connect, and privacyIDEA Two Factor Authentication are enterprise solutions.
Before implementing ownCloud 2FA, you must ensure that everyone has the capability to scan a QR code.
File Firewall is an ownCloud Enterprise app for file access per group ID, IP address, and more.
ownCloud Configuration Files
ownCloud server configuration files offer additional ways to control how ownCloud uses encryption to protect your data.
In the Settings > General section you might see the ownCloud strict transport security notification. Your SSL certificate allows access to your website with an encrypted (HTTPS) connection. The 301 redirect created within your web server or website forces HTTP connections to use HTTPS instead. While great to have, protocol downgrade cyber attacks can bypass this with enough effort.
HTTP Strict Transport Security (HSTS) adds depth to your SSL 301 redirect for better protection. The security HTTP header forces browsers to only request encrypted connections from your domain. To add HTTP Strict Transport Security in ownCloud you’ll need to edit your .htaccess (for Apache) or other web server configuration file .
ownCloud wants the header set to last 15552000 seconds, or 180 days. In Apache you’ll need to add the following in the server VirtualHost file with
<VirtualHost *:443> or .htaccess file under
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####.
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
If you have subdomains under your ownCloud domain without an SSL certificate, remove
includeSubDomains from the code above.
You can use Observatory.Mozilla.org to check the security HTTP headers on your ownCloud server.
ownCloud Server Security Improvements
Server Security Applications
Use strong passwords for Account Management Panel (AMP), cPanel, and all other user credentials for your Linux server hosting.
Close unneeded ports in your firewall to reduce the effects of denial-of-service (DOS) attacks. ConfigServer Security & Firewall (CSF), Firewalld, and UncomplicatedFirewall (UFW) are the most popular applications right now. InMotion dedicated server administrators can request a Cisco Adaptive Security Appliance (ASA) 5500-X series firewall for superior brute-force protection.
Anti-virus (AV) scanning should be automated and results should be audited regularly. We covered ClamAV above. cPanel server administrators may prefer ImunifyAV for more features in WebHost Manager (WHM).
Keep PHP updated. If you have VPS hosting with root access, uninstall older PHP versions you don’t need.
Other Server Hardening Information
There may be hardening guides for your operating system and server administration suite. If you have further questions about securing your Linux server hosting, contact Live Support directly.
Secure Web Activity
Securing Personal Devices
Strong passwords and passphrases are important for maintaining access control on computers and mobile devices.
A strict firewall and AV scanner should be configured on your PC and smartphone.
Uninstall software you no longer use. If you only use an app for one reason, there’s a good chance you already have another app that can accomplish the same task.
Is ownCloud secure now? Run an ownCloud security audit on your Linux server with some enterprise grade security tools mentioned above to find out. Contact Live Support directly with further questions about securing your ownCloud server hosting
Learn more from our ownCloud Education Channel.