I did a deeper firewall test on my freshly installed OpenWRT router and activated an „Ads Blacklist“; after this my ownCloud share login loops!
- It seems that some IPs of the servers of the „Update Check Tool“, which is installed inside the PHP kit, are blacklisted.
- So it seems the code calls home! With this option it's possible to count and collect IPs of setups! Perhaps check out unpatched versions!
- I didn't check deeper, but the behavior was clear without viewing the code.
After publishing this info via Twitter:
- No Company / Developer works for „free“
- After setting up PHP kits, do an IP firewall traffic check
- If you don't need the PHP kit reachable via the Internet, block the device's IP at your router from Internet access!
- Prefer standard tools like SFTP/SCP with key auth to transfer files; less insecure because only one application is active!!
- PHP kit logins can often be scanned by search indexes via a „search by title“ of the login web interface!!
For me, I decided to purge the package and use the system standard tool „SFTP with SSH Key Auth“, and on my phone Total Commander with the SFTP plugin!
If you are currently using Nextcloud / ownCloud or other PHP kits for file handling, you should know these remarks:
Based on this Article
You must know:
- Security details of the PHP versions you currently use (7.X)
- Details of the database version you use (MySQL..)
- Details of the hardened OS and web server version (Apache, firewall, fail2ban, file policies, SELinux, AppArmor filter)
- ALWAYS treat open-source PHP kits with the trust level of NON-HARDENED SOFTWARE (prefer NON-PUBLIC ACCESS)
- You can ACCESS this software through SSH TUNNELS with a locally running non-caching PROXY (privoxy)
- Use the SSH tunnels on unknown ports and log in via key files which must be unlocked by LONG PASSWORDS
- Public ACCESS is ALWAYS a RISK if YOU don't have the KNOWLEDGE of the SOURCE CODE!
Howto read here
If you want to use a private secure ownCloud (WebDAV space server) as backup for all your devices, you can harden the access through an OpenSSH login with key auth and a squid as relay.
- Install apache2, php5, mysql-Server, openssh, squid3
- Configure Apache2 to listen on https://localhost:443
- Set up squid3 and configure the proxy to listen only on localhost:3128
- Install ownCloud to /var/www with forced „https“ settings in config.php
- Create SSH keys to authenticate to the SSH server with a password-protected key
If done, you can access the private backup server via a terminal / PuTTY with the tunneling options
- $ ssh -L 3128:localhost:3128 email@example.com
- Open your browser on your client/PC with proxy usage enabled = localhost 3128
- Connect via the URL https://localhost/ and the ownCloud login should be displayed! The same is possible with the WebDAV URL!
Advantage? You have two-factor protected ownCloud access, with encryption inside an encrypted SSH tunnel! Nobody should see files which are transmitted! That's a tube inside a tube ..
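
The tunnel only protects the setup if Apache and squid really listen on loopback alone. The following check is an added example, not part of the original post: it reads `ss -ltn` output and flags ports 443 and 3128 when they are bound to anything other than 127.0.0.1 / [::1]. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the ports from the steps above (Apache 443,
# squid 3128) are bound to loopback only, so they are reachable solely
# through the SSH tunnel. Feed it the output of `ss -ltn`.

check_loopback_only() {
    # $1: space-separated ports that must listen on 127.0.0.1 / [::1] only
    # stdin: `ss -ltn` output (column 4 is Local Address:Port)
    # Prints one line per finding; returns 1 if a port is exposed or missing.
    awk -v ports="$1" '
        BEGIN { n = split(ports, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (!(port in need)) next
            seen[port] = 1
            if (host != "127.0.0.1" && host != "[::1]") {
                print "EXPOSED " port " listens on " host; bad = 1
            }
        }
        END {
            for (p in need) if (!(p in seen)) { print "MISSING " p " has no listener"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample outputs (not captured from a real host).
sample_hardened() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    127.0.0.1:443      0.0.0.0:*
LISTEN 0      256    127.0.0.1:3128     0.0.0.0:*
EOF
}
sample_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:443              *:*
LISTEN 0      256    127.0.0.1:3128     0.0.0.0:*
EOF
}

# On the server itself: ss -ltn | check_loopback_only "443 3128"
sample_hardened | check_loopback_only "443 3128" && echo "OK: loopback only"
sample_exposed  | check_loopback_only "443 3128" || echo "FAIL: see findings above"
```

If a port is reported as EXPOSED, bind it to loopback with Apache's `Listen 127.0.0.1:443` and squid's `http_port 127.0.0.1:3128`, then run the check again.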