FAIL2BAN blocks access to „.ocdata“ file!
Apache Error Log:
..AH01630: client denied by server configuration: ... cloud/data/.ocdata
To fix this, create a custom rule for FAIL2BAN that ignores these log lines:
$ sudo nano /etc/fail2ban/filter.d/apache-auth.local
[Definition]
ignoreregex = nextcloud/data/\.ocdata
$ sudo service fail2ban restart
Then watch the Apache error log to check that the entries are no longer followed by a ban:
$ tail -f -n 50 /var/log/apache2/error.log
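To see what the ignoreregex actually changes, here is a small added example (not code from the original page and not fail2ban itself) that re-implements the core of fail2ban's apache-auth filter over a few constructed Apache error-log lines: count the "client denied by server configuration" hits per client IP, skip anything that matches the ignoreregex, and report which hosts would reach maxretry. The failregex below is a simplified stand-in for the real fail2ban pattern (IPv4 only), and the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in Apache 2.4 error-log format (not real traffic).
# 203.0.113.5 only hits the harmless .ocdata check, 198.51.100.7 probes files.
SAMPLE_LOG = """\
[Sat Jan 01 10:00:00.000000 2022] [authz_core:error] [pid 1001] [client 203.0.113.5:51234] AH01630: client denied by server configuration: /var/www/nextcloud/data/.ocdata
[Sat Jan 01 10:00:01.000000 2022] [authz_core:error] [pid 1001] [client 203.0.113.5:51235] AH01630: client denied by server configuration: /var/www/nextcloud/data/.ocdata
[Sat Jan 01 10:00:02.000000 2022] [authz_core:error] [pid 1001] [client 203.0.113.5:51236] AH01630: client denied by server configuration: /var/www/nextcloud/data/.ocdata
[Sat Jan 01 10:00:03.000000 2022] [authz_core:error] [pid 1002] [client 198.51.100.7:40000] AH01630: client denied by server configuration: /var/www/nextcloud/config/config.php
[Sat Jan 01 10:00:04.000000 2022] [authz_core:error] [pid 1002] [client 198.51.100.7:40001] AH01630: client denied by server configuration: /var/www/nextcloud/config/config.php
[Sat Jan 01 10:00:05.000000 2022] [authz_core:error] [pid 1002] [client 198.51.100.7:40002] AH01630: client denied by server configuration: /var/www/nextcloud/.htaccess
[Sat Jan 01 10:00:06.000000 2022] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4.38 configured -- resuming normal operations
"""

# Simplified stand-in for the apache-auth failregex. The real fail2ban pattern
# uses its <HOST> placeholder; here a plain IPv4 capture group does the job.
FAILREGEX = re.compile(
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "
    r"(?:AH01630: )?client denied by server configuration"
)

# The ignoreregex from the .local file above (dot escaped so it matches literally).
OCDATA_IGNOREREGEX = r"nextcloud/data/\.ocdata"


def count_failures(log_text, ignoreregex=None, maxretry=3):
    """Return (failures per host, sorted hosts that reached maxretry).

    Lines matching ignoreregex are skipped before the failregex is applied,
    which is exactly the order fail2ban uses.
    """
    ignore = re.compile(ignoreregex) if ignoreregex else None
    counts = Counter()
    for line in log_text.splitlines():
        if ignore and ignore.search(line):
            continue
        match = FAILREGEX.search(line)
        if match:
            counts[match.group("host")] += 1
    banned = sorted(host for host, n in counts.items() if n >= maxretry)
    return dict(counts), banned


if __name__ == "__main__":
    print("without ignoreregex:", count_failures(SAMPLE_LOG))
    print("with ignoreregex:   ", count_failures(SAMPLE_LOG, OCDATA_IGNOREREGEX))
```

Without the ignoreregex the Nextcloud client that only triggered the .ocdata check is banned alongside the real file prober; with it, only the prober reaches maxretry. The same check against a real log can be done with the `fail2ban-regex` tool that ships with fail2ban.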
Sometimes the login takes a long time after entering the password.
This indicates a filled-up „oc_bruteforce_attempts“ table!!
Log into mysql:
$ mysql -u user -p
To show all values from the oc_bruteforce_attempts table, use:
SELECT * FROM oc_bruteforce_attempts;
To remove „ALL“ IPs from the table, do it step by step, one IP at a time:
DELETE FROM oc_bruteforce_attempts WHERE IP="xxx.xxx.xxx.xxx";
Log out of mysql with exit.
Log into Nextcloud as admin and first delete the app „Bruteforce Login“, because FAIL2BAN works WITHOUT MYSQL!!
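Before deleting rows one IP at a time it helps to see which IPs fill the table and how old the entries are. The following is an added example, not code from the page or from Nextcloud: it builds an in-memory sqlite stand-in for the oc_bruteforce_attempts table (the column set is simplified to id, action, occurred, ip, which is an assumption about the real schema; the rows and IPs are constructed), ranks the IPs by attempt count, and deletes by IP or by age with parameterised queries instead of pasting the IP into the SQL string. The same statements run unchanged against MySQL once the connection is swapped.

```python
import sqlite3

# Fixed "now" so the constructed sample is reproducible (seconds since epoch).
SAMPLE_NOW = 1_700_000_000


def open_sample_db(now=SAMPLE_NOW):
    """Constructed in-memory stand-in for oc_bruteforce_attempts (simplified columns)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE oc_bruteforce_attempts ("
        "id INTEGER PRIMARY KEY, action TEXT, occurred INTEGER, ip TEXT)"
    )
    rows = (
        [("login", now - 60, "203.0.113.5")] * 40      # one noisy client, recent
        + [("login", now - 90_000, "198.51.100.7")] * 5  # older than a day
        + [("login", now - 30, "192.0.2.9")] * 2         # a couple of fresh misses
    )
    db.executemany(
        "INSERT INTO oc_bruteforce_attempts (action, occurred, ip) VALUES (?, ?, ?)",
        rows,
    )
    db.commit()
    return db


def attempts_per_ip(db):
    """IPs ranked by number of recorded attempts, highest first."""
    return db.execute(
        "SELECT ip, COUNT(*) AS n FROM oc_bruteforce_attempts "
        "GROUP BY ip ORDER BY n DESC, ip"
    ).fetchall()


def delete_ip(db, ip):
    """Delete every row for one IP; the IP is bound as a parameter, never formatted in."""
    cur = db.execute("DELETE FROM oc_bruteforce_attempts WHERE ip = ?", (ip,))
    db.commit()
    return cur.rowcount


def delete_older_than(db, seconds, now=SAMPLE_NOW):
    """Prune rows whose 'occurred' timestamp is older than the given age."""
    cur = db.execute(
        "DELETE FROM oc_bruteforce_attempts WHERE occurred < ?", (now - seconds,)
    )
    db.commit()
    return cur.rowcount


def remaining_attempts(db):
    return db.execute("SELECT COUNT(*) FROM oc_bruteforce_attempts").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("ranking:", attempts_per_ip(db))
    print("deleted for top IP:", delete_ip(db, attempts_per_ip(db)[0][0]))
    print("deleted older than a day:", delete_older_than(db, 86_400))
    print("rows left:", remaining_attempts(db))
```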
I did a deeper firewall test on my freshly installed OpenWRT router and activated an „Ads Blacklist“; after this my owncloud share login loops!
- It seems that some IPs of the „Update Check Tool“ servers, which is installed inside the PHP kit, are blacklisted.
- So it seems the code calls home! With this option it is possible to count and collect IPs of setups! Perhaps to check out unpatched versions!
- I didn’t check deeper, but the behavior was clear without viewing the code.
After publishing this info via Twitter:
- No company / developer works for „free“
- After setting up PHP kits, do an IP firewall traffic checkout
- If you don’t need the PHP kit reachable via Internet, block the device's IP at your router from Internet access!
- Prefer standard tools like SFTP/SCP with key auth to transfer files; less insecure because only one application is active!!
- PHP kit logins can often be found by search indexes via „search by title“ of the login web interface!!
For me, I decided to purge the package and use the system standard tool „SFTP with SSH key auth“ and on my phone Total Commander with the SFTP plugin!
If you are currently using Nextcloud / Owncloud or other PHP kits for file handling you should know these remarks:
Based on this Article
You must know:
- Details of security about your currently used PHP versions (7.X)
- Details of your used database version (MySQL..)
- Details of your hardened OS and webserver version (Apache, firewall, fail2ban, file policies, selinux, apparmor filter)
- ALWAYS treat open-source PHP kits with the trust level of NON-HARDENED SOFTWARE (prefer NON-PUBLIC ACCESS)
- You can ACCESS this software through SSH TUNNELS with a locally running non-caching PROXY (privoxy)
- Use the SSH tunnels on unknown ports and log in via key files which must be unlocked by LONG PASSWORDS
- Public ACCESS is ALWAYS a RISK if YOU don’t have KNOWLEDGE of the SOURCE CODE!
Howto read here
Currently the acd_cli tool for the amazon drive mount offers no „fsid“ (device /dev) point, so you can't export and share the amazon drive on your home local network.
On the latest raspberry pi OS (jessie) you can use a small workaround to get an NFS-shared Amazon cloud backup uploader (needs python3.4 !)
If you now put files on the /sendtoamazon NFS share from a PC, the raspberry pi will grab them and push them into the cloud via the „acd_cli mount“, a python3 script. Remark: 10 minutes between pushes is ok for small files! On bigger files use over „40“ minutes between pushes. If acd_cli fails, check for the correct python version and the latest python modules!!! (python3-appdirs python3-dateutil python3-requests python3-sqlalchemy python3-pip pip3)
If you have a SMALL BANDWIDTH for upload you can use „rsync -avz“ instead of mv (move) with the „throttle“ option to upload files slowly!!
Howto acd_cli for amazon mount on git
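The reason for waiting 10 or 40 minutes between pushes is that a file still being written to the NFS share must not be moved into the mount half-way. An added example (not the page's script and not part of acd_cli) that makes that rule explicit: instead of a fixed delay it moves only files whose modification time is older than a chosen age, never overwrites something already in the mount, and leaves everything else for the next run. The directory names /sendtoamazon and the acd_cli mount point are assumptions taken from the text; the demo uses temporary directories so it runs anywhere.

```python
import os
import shutil
import tempfile
import time

# Assumed paths from the text: NFS inbox and the acd_cli FUSE mount point.
INBOX = "/sendtoamazon"
MOUNT = "/mnt/amazon"


def stable_files(inbox, min_age_seconds, now=None):
    """Regular files in inbox not modified for at least min_age_seconds."""
    now = time.time() if now is None else now
    result = []
    for name in sorted(os.listdir(inbox)):
        path = os.path.join(inbox, name)
        if os.path.isfile(path) and now - os.path.getmtime(path) >= min_age_seconds:
            result.append(path)
    return result


def push_stable_files(inbox, mount, min_age_seconds, now=None):
    """Move each stable file into the mount; returns the names that were moved.

    A file that already exists in the mount is skipped rather than overwritten,
    so a re-run can never clobber a finished upload.
    """
    moved = []
    for path in stable_files(inbox, min_age_seconds, now):
        dest = os.path.join(mount, os.path.basename(path))
        if os.path.exists(dest):
            continue
        shutil.move(path, dest)
        moved.append(os.path.basename(path))
    return moved


def demo():
    """Constructed run in temp dirs: one settled file, one still being written."""
    inbox, mount = tempfile.mkdtemp(), tempfile.mkdtemp()
    now = time.time()
    old = os.path.join(inbox, "backup-old.tar.gz")
    fresh = os.path.join(inbox, "still-writing.tar.gz")
    with open(old, "w") as f:
        f.write("finished backup")
    with open(fresh, "w") as f:
        f.write("partial backup")
    os.utime(old, (now - 3600, now - 3600))  # pretend it settled an hour ago
    moved = push_stable_files(inbox, mount, min_age_seconds=600, now=now)
    return (
        moved,
        os.path.exists(os.path.join(mount, "backup-old.tar.gz")),
        os.path.exists(fresh),  # the fresh file must still be waiting in the inbox
    )


if __name__ == "__main__":
    if os.path.isdir(INBOX) and os.path.isdir(MOUNT):
        print("moved:", push_stable_files(INBOX, MOUNT, min_age_seconds=40 * 60))
    else:
        print("demo run:", demo())
```

Run it from cron every few minutes; the age threshold replaces the fixed pause, so small files go out quickly and a large file is not touched until the writer has gone quiet.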
If you want to use a private secure owncloud (WebDAV space server) as backup for all your devices, you can harden the access through an openssh login with key auth and a squid as relay.
- Install apache2, php5, mysql-server, openssh, squid3
- Configure Apache2 to listen on https://localhost:443
- Set up squid3 and configure the proxy to listen only on localhost:3128
- Install owncloud to /var/WWW with forced „https“ settings in config.php
- Create ssh keys to authenticate with a password-protected key to the SSH server
When done, you can access the private backup server via a terminal / PuTTY with the tunneling options:
- $ ssh -L 3128:localhost:3128 firstname.lastname@example.org
- Open your browser on your client/PC with proxy usage enabled = localhost 3128
- Connect to WebDAV by the URL https://localhost/ ; the owncloud login should be displayed! The same is possible with the WebDAV URL!
Advantage? You have two-factor protected Owncloud access, with encryption inside an encrypted SSH tunnel! Nobody should see the files which are transmitted! That's a tube inside a tube ..
If you are looking for a cloud-based office solution you should take a closer look at the open source software „oneye“ (commercial version of eyeos)
All you need is a cloud-served or home-hosted LAP webserver (Linux/Unix, Apache, PHP5 server); NO database required!
+ Web office with Word, Excel, mail client POP+IMAP, spreadsheet
+ Internal message system for user chat, INTERNAL ONLY
+ FTP UP/DOWNLOAD, PHP UP/DOWNLOAD
+ Desktop on server hardware possible with RAID and full backups! (possible nightly cron job: folder to tar)
+ Reachable office over the Internet without any apps installed! Every browser supported!
+ If home served, under YOUR control!!
+ https gives you safety!
+ Reachable by IP and domain name from the internal and external network!
+ Easy to set up and easy to BACK UP!
+ Can replace Google Office or other commercial products
+ Can be integrated into GROUPOFFICE !!!
+ Can be protected by an SSH TUNNEL! Needs a squid proxy server listening on localhost!
More safety you won't find on the internet…
Do you need help to set it up? Then mail me..
Don't forget to donate to the oneye developer… that's hard work for freedom
oneye Web based Desktop