SOLVED Owncloud / Remote Access / DynDNS

Status
Not open for further replies.

nivarox

Dabbler
Joined
Feb 16, 2015
Messages
28
Hello,

I've installed Owncloud as a plugin. Meanwhile it works and I can access it inside my LAN through its local IP.

I followed the instructions from this page to secure my owncloud via https and to add the dyndns address to the trusted addresses

http://www.stephen-scotter.net/comp...n-please-double-check-the-installation-guides

Afterwards I added ports 443 and even port 80 to the virtual server list of my router.

I guess it should work now if I enter my dyndns address in a web browser.
Ping works and the global IP seems to be up to date.

During the configuration process I saw that there is no httpd.conf in my Apache folder (inside the owncloud jail). Just an httpd-ssl.conf and some other files.

Do you have any tips for troubleshooting? I don't know where to start either. How can I find out if my router is to blame? Which ports should I forward? Port 443 should be enough since owncloud is set to "enforce https".

Maybe there is something wrong with my Apache server? I had a problem in the beginning as my apache server was not working and I could not start the plugin. Now it seems to work but maybe there is another problem?

Best regards
Andy

P.S.: If there is something wrong with the trusted addresses shouldn't there be an error message from owncloud (I saw a screenshot somewhere)? I can't reach the server at all.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
First of all, and with all due respect sir, I can tell by the types of things you're asking that you are not going to have enough experience with things like this to truly secure your owncloud installation against any competent hacker. So I think if you insist on opening up your owncloud to the whole internet, then you probably have not successfully secured it against any competent hacker, and you should be aware of that. I am going to urge you to not attempt to secure owncloud and expose it, but rather to secure the connection tunnel itself (VPN).

Second of all, 99% of ISPs out there BLOCK incoming port 80. Therefore, opening and forwarding port 80, (which I think is what you've done under the codename "virtual server"?) won't work, since your internet service provider probably does not permit you ingress traffic on port 80. The solution is to not open port 80, but rather, to open port 27381 (or other similar 5 digit number under 64000), and have the router forward port 27381 to port 80. You will then have to add the port number to your URL, like this:

http://mydyndns.address.com:27381/

Then web servers, and the various owncloud clients, will find their way into your owncloud.

Third of all: If you ping your dyndns hostname, and it comes back with a reply, then you certainly would appear to have the right connectivity. It's a matter of what I said in point #2 above.
 

nivarox

Dabbler
Joined
Feb 16, 2015
Messages
28
This is what a portsniffer says if I enter my dynDNS address

P.S.: For the moment I opened 80 and 443 but I just want to keep 443 open for https
 

Attachment: Unbenannt.png

nivarox

Dabbler
Joined
Feb 16, 2015
Messages
28
I am a bit further now. Instead of my local network I tried to access owncloud with my 3G modem and was successful. So in fact it doesn't work with my LAN and the dyndns address but through the internet it does. Therefore I guess my port forwarding works but owncloud makes a difference if I use the dyndns address from a local or a remote PC. Any ideas?
 

nivarox

Dabbler
Joined
Feb 16, 2015
Messages
28
Solved!

My router was to blame. The problem wasn't the port forwarding. The problem was that my (relatively) new router didn't support NAT loopback but there is a new firmware that does. So now it works.

How can I change the "Problem" icon to "Solved"?
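The troubleshooting path in the posts above (LAN IP works, DynDNS name fails from inside the LAN, same name works over 3G) can be turned into a small probe. This is an added example, not code from the thread; the LAN IP and hostname in the `__main__` block are placeholders, and the outside result has to come from running the probe on a separate link such as mobile data.

```python
import socket


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name did not resolve
        return False


def diagnose(lan_ip_ok, name_from_lan_ok, name_from_outside_ok=None):
    """Classify the three probes used in the thread.

    lan_ip_ok            -- server answers on its LAN IP from inside the LAN
    name_from_lan_ok     -- DynDNS hostname answers from inside the LAN
    name_from_outside_ok -- same hostname from an outside link (None = untested)
    """
    if not lan_ip_ok:
        return "service-down"          # fix the web server before the router
    if name_from_outside_ok is False:
        return "forwarding-or-isp"     # port forward, ISP filter or stale DNS
    if name_from_lan_ok:
        return "ok"
    if name_from_outside_ok is None:
        return "inconclusive"          # repeat the probe from outside the LAN
    # Reachable from outside, not via the public name from inside:
    # the router does not hairpin (no NAT loopback).
    return "nat-loopback-missing"


if __name__ == "__main__":
    LAN_IP = "192.168.1.50"             # placeholder: the jail's LAN address
    HOSTNAME = "your-name.example.org"  # placeholder: the DynDNS hostname
    PORT = 443                          # only HTTPS is meant to stay open
    print(diagnose(tcp_open(LAN_IP, PORT), tcp_open(HOSTNAME, PORT)))
```
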
 

NightHawk.ATL

Dabbler
Joined
Dec 1, 2016
Messages
28
> So I think if you insist on opening up your owncloud to the whole internet, then you probably have not successfully secured it against any competent hacker, and you should be aware of that. I am going to urge you to not attempt to secure owncloud and expose it, but rather to secure the connection tunnel itself (VPN).

How will sharing work outside of the VPN? I have a VPN setup and it is using the local IP address to access it rather than a domain. I would like to open it up for being able to share the files with other people, otherwise it is not an effective replacement for Dropbox and will just be another NAS that I will have personal access to anywhere.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> How will sharing work outside of the VPN? I have a VPN setup and it is using the local IP address to access it rather than a domain. I would like to open it up for being able to share the files with other people, otherwise it is not an effective replacement for Dropbox and will just be another NAS that I will have personal access to anywhere.

Use SSL and owncloud/nextcloud then. Configure secure passwords too.

Or use resilio/syncthing...
 

NightHawk.ATL

Dabbler
Joined
Dec 1, 2016
Messages
28
I followed the instructions in the link on the first post to change ports and add an SSL key and cert for owncloud and then made some security changes that the owncloud admin account settings suggested. I always use secure passwords and any other user that has web access will have a secure password as well. I also have everything behind my pfSense machine. Is there any more security I need to make it uber secure like others seem to be suggesting? I just feel like what I have is enough but everyone seems to think that it can be hacked easily.


 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
So you're doing your due diligence to mitigate the issue.

I don't see a problem with it then. Do what you like and monitor usage and access.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
I have my Owncloud exposed (as you point out, it's not a Dropbox replacement if it's not publicly accessible). I do monitor it heavily, with logs going to Graylog, and automatic alerting configured for weird stuff. To my knowledge, nothing has been compromised yet.
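A sketch of the kind of alert rule the post above describes: flag source IPs with a burst of failed logins. This is an added example, not tvsjr's configuration; it assumes ownCloud's JSON-lines log with a `Login failed: '<user>' (Remote IP: '<ip>')` message, and the sample records, user names and addresses are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed message shape: Login failed: 'user' (Remote IP: 'a.b.c.d')
FAILED = re.compile(r"Login failed: '[^']*' \(Remote IP: '(?P<ip>[^']+)'")


def _line(ts, ip, user="admin"):
    """Build one constructed log record in the assumed JSON-lines shape."""
    msg = f"Login failed: '{user}' (Remote IP: '{ip}')"
    return json.dumps({"app": "core", "message": msg, "level": 2, "time": ts})


# Constructed sample: one burst, two isolated failures, noise, a broken line.
SAMPLE_LOG = (
    [_line(f"2016-12-05T10:0{i}:00+00:00", "203.0.113.7") for i in range(5)]
    + [_line("2016-12-05T08:00:00+00:00", "198.51.100.20", "alice"),
       _line("2016-12-05T11:30:00+00:00", "198.51.100.20", "alice"),
       json.dumps({"app": "files", "message": "scan finished", "level": 1,
                   "time": "2016-12-05T11:31:00+00:00"}),
       "not json at all"]
)


def failed_logins(lines):
    """Yield (timestamp, source_ip) per failed login; skip unparsable lines."""
    for raw in lines:
        try:
            rec = json.loads(raw)
            match = FAILED.search(rec["message"])
            when = datetime.fromisoformat(rec["time"])
        except (ValueError, KeyError, TypeError):
            continue
        if match:
            yield when, match.group("ip")


def burst_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return sorted IPs with at least `threshold` failures inside any window."""
    by_ip = defaultdict(list)
    for when, ip in failed_logins(lines):
        by_ip[ip].append(when)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```
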
 

NightHawk.ATL

Dabbler
Joined
Dec 1, 2016
Messages
28
> I have my Owncloud exposed (as you point out, it's not a Dropbox replacement if it's not publicly accessible). I do monitor it heavily, with logs going to Graylog, and automatic alerting configured for weird stuff. To my knowledge, nothing has been compromised yet.

Yep, it's kinda my point. I have had more issues with my email address and multiple accounts being compromised because large companies have been hacked than I have had with someone trying to get into my home network. Even if they did, they wouldn't get much to brag about or even use anywhere else. A lot of the stuff that I have that isn't self-created is stuff that anyone else can get through any torrent site. But as a home user, I just don't think that there is that much of an issue.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
> Yep, it's kinda my point. I have had more issues with my email address and multiple accounts being compromised because large companies have been hacked than I have had with someone trying to get into my home network. Even if they did, they wouldn't get much to brag about or even use anywhere else. A lot of the stuff that I have that isn't self-created is stuff that anyone else can get through any torrent site. But as a home user, I just don't think that there is that much of an issue.

Your main issue will be a compromise in Owncloud itself that's made public, with someone creating a script for Metasploit/etc. to exploit it. It's pretty unlikely that $COUNTRY is going to send their top-tier hackz0rz after you. The amount of random scanning and door knocking that goes on these days is ridiculous. For my paltry little home environment, I often see 5-10Mbps of traffic that's nothing but crap getting dropped by the firewall and IPS.
But, I trust what I do a lot more than Dropbox/OneDrive/etc. :D
 

NightHawk.ATL

Dabbler
Joined
Dec 1, 2016
Messages
28
Yep, I have pfSense running here and plan on setting up a second network just for streaming traffic and a third for servers only. I plan on adding HMA into my pfSense to mask my traffic in and out through my network and then set up a proxy between that and the servers. I just have to figure out the best way to do that but I have done networking and wifi for the past 2 years for hotels so I know the hardware and wiring way to do it all.


 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Ha, I do the same thing. I've got seven zones of varying security level inside the firewall. Yep, I'm a nerd :(
 