Tag: ownCloud
Migrate ownCloud to Nextcloud and protect it against brute force attacks with fail2ban
Here is what I have done to migrate my ownCloud installation to Nextcloud. My installation is configured with the data directory outside of the webservers document root. To my surprise, the process was simple and painless.
- First, I have updated my ownCloud installation to version 9.0.2, which I think is the newest BETA version, via the updater app.
- Then I have made a full backup of the MySQL database via mysqldump and a full backup of the domains directory structure with tar (because of its size via sshfs to another server with sufficient space). There are howtos which are recommending exporting calendars and contacts prior to the migration, but I did not see what it should be good for after a full backup (and I do have filesystem snapshots on top of that).
- The next step was to delete everything in the ownCloud installation directory but /config, /data (and the /data direcory outside the document root of course) and /themes.
- After that I have extracted the Nextcloud 9.0.52 release ZIP just over what was left of my installation and then I have changed owner and group of the extracted files to the run user and group of the domain.
- Now it’s been time to point my browser to the GUI of the new Nextcloud installation and just walk through the steps.
- To finalize the migration I had to reactivate the calendar and contacts app.
To tighten the security of my Nextcloud installation a little, I have configured fail2ban to react on failed login attempts.
First you have to tell Nextcloud that you want to write a log file in /path/to/Nextcloud/config/config.php
<?php $CONFIG = array ( 'instanceid' => 'SECRET', 'passwordsalt' => 'SECRET', 'secret' => 'SECRET', 'trusted_domains' => array ( 0 => 'SECRET', 1 => 'SECRET', 2 => 'SECRET', 3 => 'SECRET', ), 'datadirectory' => '/path/to/owncloud-data/', 'overwrite.cli.url' => 'SECRET', 'dbtype' => 'SECRET', 'version' => 'SECRET', 'dbname' => 'SECRET', 'dbhost' => 'SECRET', 'dbtableprefix' => 'SECRET', 'dbuser' => 'SECRET', 'dbpassword' => 'SECRET', 'installed' => true, 'maintenance' => false, 'theme' => '', 'logfile' => '/var/log/nextcloud.log', 'loglevel' => 2, 'appstore.experimental.enabled' => true, 'mail_smtpmode' => 'smtp', 'mail_from_address' => 'SECRET', 'mail_domain' => 'SECRET', 'mail_smtpauthtype' => 'PLAIN', 'mail_smtpauth' => 1, 'mail_smtphost' => 'SECRET', 'mail_smtpport' => '587', 'mail_smtpname' => 'SECRET', 'mail_smtppassword' => 'SECRET', 'mail_smtpsecure' => 'tls', 'htaccess.RewriteBase' => '/', );
The next thing to do is to configure a filter definition /etc/fail2ban/filter.d/nextcloud.conf to tell fail2ban how to find IP-Adresses to ban:
[Definition] failregex = ^.*\"remoteAddr\":\"<HOST>\".*Login failed:.*$
Then you have to add a jail definition to /etc/fail2ban/jail.local (yep, I know that I have long bans)
[nextcloud] enabled = true logpath = /var/log/nextcloud.log port = http,https filter = nextcloud banaction = iptables-allports maxretry = 3
You can test your configuration with these commands:
fail2ban-regex /var/log/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf
Running tests ============= Use regex file : /etc/fail2ban/filter.d/nextcloud.conf Use log file : /var/log/nextcloud.log Results ======= Failregex |- Regular expressions: | [1] ^.*\"remoteAddr\":\"\".*Login failed:.*$ | `- Number of matches: [1] 10 match(es) Ignoreregex |- Regular expressions: | `- Number of matches: Summary ======= Addresses found: [1] XXX.XXX.XXX.171 (Sun Jul 03 02:59:39 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:00:31 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:06:27 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:12:02 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:12:24 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:12:26 2016) XXX.XXX.XXX.171 (Sun Jul 03 03:12:29 2016) XXX.XXX.XXX.119 (Sun Jul 03 03:15:50 2016) XXX.XXX.XXX.119 (Sun Jul 03 03:15:58 2016) XXX.XXX.XXX.119 (Sun Jul 03 03:16:05 2016) Date template hits: 0 hit(s): MONTH Day Hour:Minute:Second 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second 0 hit(s): Year/Month/Day Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 0 hit(s): Day/MONTH/Year:Hour:Minute:Second 0 hit(s): Month/Day/Year:Hour:Minute:Second 0 hit(s): Year-Month-Day Hour:Minute:Second 0 hit(s): Year.Month.Day Hour:Minute:Second 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond] 0 hit(s): Day-Month-Year Hour:Minute:Second 0 hit(s): TAI64N 0 hit(s): Epoch 67 hit(s): ISO 8601 0 hit(s): Hour:Minute:Second 0 hit(s): <Month/Day/Year@Hour:Minute:Second> Success, the total number of match is 10 However, look at the above section 'Running tests' which could contain important information.
and
fail2ban-client status nextcloud
Status for the jail: nextcloud |- filter | |- File list: /var/log/nextcloud.log | |- Currently failed: 0 | `- Total failed: 3 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 1