Home Prevent brute force attacks against ownCloud
Post
Cancel

Prevent brute force attacks against ownCloud

Posted Sep 18, 2014
By Chris Hamer
1 min read

Owncloud does not prevent brute forces attacks by itself and a hacker could try thousands of passwords continuously until they crack it.

Fail2ban can be used to prevent this type of attack.

Owncloud does not log failed login attempts by default and therefore /var/www/owncloud/config/config.php needs to be modified.

Add the following to the bottom of config.php, change the timezone to match the server and change the log file to a file of your choice (For security reason do not put the log file in a location the webserver can access).

 'logtimezone' => 'Europe/London',
  'logfile' => '/var/log/owncloudAttack.log',
  'loglevel' => '2',
  'log_authfailip' => true,
);

Next we need to create the log file using nano.

sudo nano /var/log/owncloudAttack.log

We need to ensure owncloud has full permissions on the file using chown.

sudo chown www-data:www-data /var/log/owncloudAttack.log

Try to login with the wrong password and check if anything gets written to the log file.

Install fail2ban from the Ubuntu repos. Once fail2ban has been installed we need to create a local jail file.

We need to create a new filter to scan the log files and match a failed login attempt. Create /etc/fail2ban/filter.d/owncloud.conf
Add the following:

[Definition]
failregex={"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}
          {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

We need both lines for different versions of owncloud.

Update: ownCloud 8.2

Please use this Definition Regex instead:

{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '&lt;HOST&gt;'\)","level":2,"time":".*"}

Create a new file with sudo nano /etc/fail2ban/jail.local
Insert the following:

[owncloud]
enabled = true
filter  = owncloud
port    = https
logpath = /var/log/owncloudAttack.log

*Modify the log path to your chosen log file.*

I modified the default settings in the jail.conf file to enable emails, increase the ban time to 10 hours and decreased the number of login attempts before a ban.

This information was sourced from:

Ubuntu Community
Rojtberg's Blog

technology owncloud Security
This post is licensed under CC BY 4.0 by the author.

If you have found this site useful, please consider buying me a coffee :)

Proud supporter of the Gnome Foundation

Become a Friend of GNOME

Contents

KDE QT appearance keeps changing to GTK theme

Caesar Cipher Decryption Tool in Java

Comments powered by Disqus.