1

I am not literate when it comes to servers, but I like the idea of having my own cloud storage for privacy reasons. OwnCloud is targeting (at least a little bit) the "DIY-home-user" so it seemed to be worth a try. After some hours I managed to have a working OwnCloud server that is accessible from the internet.

Now that everyone can access it from anywhere I should probably start thinking about security. Not that there is very sensitive data on this server or there is a concrete threat. But I would like to cover the most obvious vulnerabilities because it is in the home network. So far I have scanned it with nmap and nikto. The output generated seems to be as expected.

Are there other important measures I can take to have a decent level of security?

My setup

  • OS: Raspberry Pi 2 with Raspbian
  • Server: Nginx and self generated 2048-bit SSL-Certificate
  • DB: MySQL
  • Cloud Software: OwnCloud 8
TomTom
  • 129
  • 1
  • 1
  • 4
  • If you are "not literate when it comes to servers", you are far more likely to expose yourself to privacy issues by running things yourself than by using a service that is run by professionals. – EEAA Apr 08 '15 at 19:28
  • I would agree if the data was very sensitive or there I was a concrete threat. But it is a personal storage and I need the server for other things as well. So I am willing to take the risk! – TomTom Apr 08 '15 at 19:37
  • This might be of interest: https://www.cvedetails.com/vulnerability-list/vendor_id-11929/product_id-22262/Owncloud-Owncloud.html — and these are only the officially documented ones. – ccpizza Apr 08 '18 at 19:42

1 Answers1

4

In general, running your own open-source cloud storage solution will be far less secure than any industry-standard service. Think of it this way, those companies have entire teams of people dedicated to nothing but securing their product, and they still make mistakes...

That said, if you just want to do your best while swallowing the risk, here is some guidance that will get you in a better position:

  1. Run your owncloud box in a DMZ, not directly in your home network. It will still be accessible to both internet and LAN, but when it gets pwned your home network won't be compromised.
  2. Use complex passwords, or (better) key-based authentication for every account and EVERY service (MySQL is a huge attack vector).
  3. Change all software/service ports to non-standard ones and configure software appropriately.
  4. If possible, use iptables to block connections from everywhere except trusted IPs. This partially defeats the accessible-from-anywhere aspect of a cloud solution, but drastically improves security.
  5. Install log/file monitoring solutions like fail2ban, rkhunter, OSSEC so you know when/if your box gets pwned.
  6. Encrypt all your data.
jlehtinen
  • 1,958
  • 2
  • 13
  • 15
  • Interesting I haven't thought about DMZ. At the moment it is just port forwarded. Are we talking about whole disk encryption or just a folder? – TomTom Apr 08 '15 at 20:17
  • @TomTom It's your call on how you encrypt it. At minimum, encrypt your personal data. On a Pi, you might take a big performance hit if entire system is encrypted. – jlehtinen Apr 08 '15 at 20:27