
Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

OwnCloud

said by »owncloud.org/ :

ownCloud provides universal access to your files via the web, your computer or your mobile devices — wherever you are.
It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web.

I just installed OwnCloud on my Ubuntu 12.04 server and put the client on my work machine and Android phone.

I was never super-comfortable with using Dropbox or Ubuntu One for my file sync for two reasons.

1) Syncing the amount of files I would like to sync is cost prohibitive.
2) NSA

With OwnCloud I can now sync everything to MY server, which I control. Setup was pretty straightforward once I found the guide at »www.davelachapelle.ca/gu ··· p-guide/

The only thing I have left is to mount my large storage drive to the proper location and migrate my synced files from other providers to this.
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Thank you. Looks interesting

Salty_Peaks
@quadranet.com

Salty_Peaks to Maxo

Anon

to Maxo
pWNCloud -- they don't have a good security history, just saying.
Salty_Peaks

Salty_Peaks

Anon

Edit to previous post -- reference - »owncloud.org/about/secur ··· isories/

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

said by Salty_Peaks :

Edit to previous post -- reference - »owncloud.org/about/secur ··· isories/

Interesting. I wonder how up to date they keep this.
"Admin can decrypt user files" was opened 02/10/2012, and references enhancements to the upcoming 5.0 version, but 6.0 is the current stable version.
This is also the only reported vulnerability in the current version, which isn't that big a deal if you are the owner of those files, but still not good.

yaplej
Premium Member
join:2001-02-10
White City, OR

1 recommendation

yaplej to Salty_Peaks

Premium Member

to Salty_Peaks
80-some vulnerabilities in the project's entire life does not seem so bad. Have you looked at the list for anything else? Cisco IOS, Microsoft Windows, Linux?

I'm not sure I would put them into the "poor security" group yet.

They seem to be fixing those as they are found. It's like saying don't use WordPress because version 1.0 is full of security issues.

It's typically the admin's fault for not monitoring and updating the system. To expect any software to be free of security vulnerabilities is, well, not practical.

Salty_Peaks
@quadranet.com

1 recommendation

Salty_Peaks

Anon

Based on the volume and amount of compromised Wordpress servers I encounter on nearly an hourly basis, the fact that more often than not they're used to leverage large scale DDoS attacks or proliferate malware through various "gates" such as »www.kahusecurity.com/201 ··· aud-kit/, indeed I am also saying "Don't use Wordpress".
GraysonPeddi
Grayson Peddie
join:2010-06-28
Tallahassee, FL

1 edit

GraysonPeddi to Maxo

Member

to Maxo
I'm also starting to use OwnCloud too as I have it in my subdomain of my server using a self-signed certificate and my subdomain. (Only I can access OwnCloud.)

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

Bill_MI

MVM

I'd love to hear how others set up self-signed certs. I have a dyndns for outside and am thinking of bind handling that zone inside the network to point to the private IP. Is that what most do? A penny for your thoughts, anyone?

Maxo, I may change over to nginx - OwnCloud on apache with Ubuntu Server 12.04 runs a little sluggish on a P4. Thanks for the link.
GraysonPeddi
Grayson Peddie
join:2010-06-28
Tallahassee, FL
Ubiquiti EdgeRouter PoE
Ubiquiti UniFi AP-AC

1 edit

GraysonPeddi

Member

I once created a script for creating a self-signed certificate:

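#!/bin/sh
# Create a local CA (first run only) and a CA-signed certificate for one domain.
DOMAIN="subdomain.maindomain" # Edit the domain name.
printf "Checking to see if ca.crt exists... "
if [ ! -f ca.crt ]; then
  echo "Creating..."
  # Passphrase-protected CA key and a 10-year CA certificate
  openssl genrsa -des3 -out ca.key 4096
  openssl req -new -x509 -days 3650 -config req.conf -key ca.key -out ca.crt
  echo "Done."
else
  echo "File exists."
fi
printf 'Now creating a certificate for %s...\n\n' "$DOMAIN"
openssl genrsa -des3 -out "$DOMAIN.key" 4096
# -days has no effect on a CSR; the validity period is set when the CA signs it
openssl req -new -config req.conf -key "$DOMAIN.key" -out "$DOMAIN.csr"
# -CAcreateserial gives each certificate its own serial number; a fixed
# -set_serial 01 would reuse the same serial for every certificate from this CA
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "$DOMAIN.crt"
echo "Enter the password for creating an unsecure key. Keep it private."
# Write a passphrase-free copy of the key so the web server can start unattended
openssl rsa -in "$DOMAIN.key" -out "$DOMAIN.key.insecure"
mv "$DOMAIN.key" "$DOMAIN.key.secure"
mv "$DOMAIN.key.insecure" "$DOMAIN.key"
printf "Marking as read-only for root... "
# Remove group/other read and write access from everything in this directory
chmod -R go-rw *
echo "Done."
exit 0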
 

Here's the req.conf:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no
 
[ req_distinguished_name ]
countryName                     = Your Country
stateOrProvinceName             = Your State (if applicable)
localityName                    = Your City
organizationName                = First Name, Last Name
organizationalUnitName          = .
commonName                      = example.com
emailAddress                    = user@example.com
 

Note that you have to enter the passphrase like 5 or 6 times. Just take it slow when entering the passphrase.

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

DannyZ to Maxo

Premium Member

to Maxo
I'll have to look into this, thanks for sharing. I've been thinking of rolling my own personal cloud solution, but this just may be the way to go.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo to Bill_MI

Premium Member

to Bill_MI
said by Bill_MI:

Maxo, I may change over to nginx - OwnCloud on apache with Ubuntu Server 12.04 runs a little sluggish on a P4. Thanks for the link.

OwnCloud is a perfect use-case for Nginx. That is how I am running it as my server also does not have much power and has no need for the features of Apache2.
To do the install, including the self-signed certificate, I use the instructions at »www.davelachapelle.ca/gu ··· p-guide/

Salty_Peaks
@quadranet.com

Salty_Peaks

Anon

Have you considered using OwnCloud and mitigating exposure by issuing and requiring client certificates from a CA you've set up?

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

I am not sure how to do that. Right now my setup requires me to just blindly accept the certificate from any new machine I log in with, which is very undesirable.
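
The client-certificate approach raised above, as an added example that is not part of any post in this thread: a private CA issues a certificate limited to TLS client authentication, and verification accepts it while rejecting certificates from any other CA. All file names, subject names and the nginx paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example; names and paths are placeholders. Keys are left unencrypted
# (-nodes) so this runs unattended; protect a real ca.key with a passphrase.

# make_ca DIR: write a minimal config, then a CA key and self-signed CA cert.
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -subj "/CN=Example Home CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR NAME: CSR for NAME, signed by DIR's CA for client auth only.
issue_client() {
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$1/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/client.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# export_p12 DIR NAME PASS: bundle key + cert + CA for import on a device.
export_p12() {
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$1/ca.crt" -out "$1/$2.p12" -passout "pass:$3"
}

# check_client DIR CERT: true only if CERT chains to DIR/ca.crt and is
# usable for TLS client authentication.
check_client() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

# Server side (nginx directives, paths assumed), inside the TLS server block:
#   ssl_client_certificate /etc/nginx/ssl/ca.crt;
#   ssl_verify_client on;

demo=$(mktemp -d) && make_ca "$demo" && issue_client "$demo" laptop &&
  check_client "$demo" "$demo/laptop.crt" &&
  echo "laptop.crt verifies against the CA"
rm -rf "$demo"
```

With `ssl_verify_client on`, nginx refuses requests from clients that do not present a certificate signed by the configured CA, so the ownCloud login page is not reachable by anyone else.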
GraysonPeddi
Grayson Peddie
join:2010-06-28
Tallahassee, FL
Ubiquiti EdgeRouter PoE
Ubiquiti UniFi AP-AC

GraysonPeddi

Member

I am having trouble importing my CA and client certificate (both are .crt) into Google Chrome in Linux, but it seems Google Chrome does not seem to accept it... I don't know why, though. I've done this before with Zarafa, but the use of "history" can only let me see 1,000 lines and I couldn't remember what I've done. (Ugh!)

If only StartSSL could support 2 or 3 subdomains as one subdomain isn't enough, but can't afford $60 for Class 2 cert.

Salty_Mobile
@mycingular.net

Salty_Mobile to Maxo

Anon

to Maxo
said by Maxo:

Interesting. I wonder how up to date they keep this.
"Admin can decrypt user files" was opened 02/10/2012, and references enhancements to the upcoming 5.0 version, but 6.0 is the current stable version.

Evidently not very up to date, found this reading my RSS feeds.

»www.exploit-db.com/explo ··· s/31427/

# Exploit Title: ownCloud 6.0.0a File Deletion XSS and CSRF Protection Bypass
# Vendor Homepage: www.ownCloud.org
# OwnCloud Version: 6.0.0a
# Browsers tested: Iceweasel 22.0; Internet Explorer 11;
# Server: Debian. Default LAMP set-up.
# Exploit Author: James Sibley (absane)
# Blog: »blog.noobroot.com
# Discovery date: December 12th, 2013
# Vendor notified: December 12th, 2013
# Vendor fixed: January 22th, 2014
# CVE assignment: CVE-2014-1665
darthanubis
join:2010-01-05
Chesterfield, VA

darthanubis to Maxo

Member

to Maxo
I have tried Owncloud, and liked it, but development seemed slow.

Interesting thread. Thanks.

Count Zero
Premium Member
join:2007-01-18
Milton, FL

Count Zero to Maxo

Premium Member

to Maxo
I've been using it for a while for non-sensitive material and it has been very good! I host it on an OS X server however and that is unsupported at present - though it hasn't caused any problems for me yet.