Asked the same thing and it essentially boils down to public APIs. At some point you need to know which APIs to access. You can ofc run requests against all your endpoints and see if they 404 but thatâs inefficient. You can ofc use a version in your API url or pass a version token. The issue with that is that itâs a pain for forwards compatibility because you never know which new features you can use from an API standpoint.
To solve that you could add an API call that tells you which API subversion you are dealing with and now you have arrived at the current status
Apart from that the version is not really an issue since automated attacks usually just brute force all vulnerabilities. Personally Iâd also ignore the status.php since its more work to parse the version than just to try all known vulnerabilities starting with the latest one
Hi FolksâŚ
I registered an automatic rescan every 8 hours.
Where is the hint on the scanner page,
your URL saved for automatic scan?
I want to delete my URL from scan.
Is that possible?
I have my firewall locked down pretty tight and the scanner cannot seem to access my Nextcloud instance. This is likely due to the ip addresses used by the scanner being blocked by my server. Is there any chance you could post the ip addresses that the scanner is using or even which hosting provider it would be coming from so that I could unblock it.
Thanks.
Yeah and also do the scan and show results in admin panel as part of the other checks that are done there anyway. It is important enough in my view to include this directly obvious into nextcloud than âjustâ give the link here that people might or might not recognize.
But of course thanks for the scan anyway, this was/is already a great step. Would be just the consistent next step to make nextcloud even better in lifting security as topic into the view of every admin .
I just checked my apache log as regular task and found attempts from an france ip to access status.php in my webserver root (nextcloud is on a total different location), which fails, because no status.php in webroot ;).
The attempt occurs every ~6 hours ~10 times at once for the whole time, my apache logs remain (~1 week now).
This was discussed much and I agree that for security reasons there is a benefit to collect statistical data about clouds security and give webhosts with lack a hint. But this looks little aggressive, inefficient and floods my apache log quite much.
Okay, this checks should not cost much server performance or traffic and therefore it should not matter much how unnecessary often they are done. But to not annoy admins too much, couldnât there be some intelligent sorting done somehow? I.e. usually the IPs change once a day by ISP, if no static IP is there. So I guess doing the check once (really once, stop after 1 error (file not found)) a day should be totally enough. For me it is done ~50 times a dayâŚ
If there are static IPs known, there could be checked way less often. In my case I have a fix domain which I also used on scan.nextcloud.com.
In such cases domains could be collected and IPs they are pointing to could be also excluded from the check, respectively they could be checked way less often, once a month or just after every nextcloud upgrade.
Yaa, just some ideas, if this is actually under control of Nextcloud GmbH, maybe this is done totally external with no easy way to influence. However I will ban the related IP (was the same since beginning of log) now, taking care about my security myself, including running scan.nextcloud.com regularly ;).
Just found the current ip address of the scans. They come from France: 51.15.140.197
In regards to the problems some are having with being scanned too often, I think Iâll just leave this address blocked in my firewall and unblock it whenever I do a major upgrade and want to scan security.
Today we have got a letter from BSI to our provider because of this scan. We had for testing an old owncloud instance some months ago on a single vhost in the net. Sending the results directly to BSI is not a good idea from nextcloud. We will delete our nextcloud instances and will warn our costumers to use nextcloud and this security tool⌠very bad idea!
Not sure if you did read the text to the tests: They say they will react proactive. So where is the problem? Less unsecure or zombie systems is the better for us all, is better for Nextcloud as platform.
Our customers get proactive help with upgrading and keeping their systems secure. We also warn them in advance when security problems are found. Learn about Nextcloudâs security efforts.
I wish Mozilla Obervatory test would do this too. 90% of all tested Websites are unsecure and violating privacy by default and designâŚ
@BernhardPosselt Why was the rating removed? It shows the vulnerability level but no grade anymore. Is this intentional? It help to make it a bit easier to persuade people without a technical background to do an upgrade.
@jakobssystems Also, if at some point in the future a vulnerability that could be abused over federated shares is discovered, this activity is in the interest of every Nextcloud/Owncloud administrator who allows this feature to be used by his users. What would happen if a federated share from an unpatched installation to a top secured one will screw the latter? I donât like the idea that this could happen at some point.
Any responsible Nextcloud/Owncloud administrator who keeps their systems up to date and implements all necessary hardening recommendations shouldnât be at the mercy of irresponsible fools at all who run something as outdated and unsupported like Owncloud < 9.0 or Nextcloud < 10.
Also, if it was solely a marketing campaign, then they wouldnât even mention newer supported Owncloud releases at all. But rather the opposite is true, if one reads the text on the scanner page carefully:
For Nextcloud, the latest releases are Nextcloud 12.0.0, 11.0.3, 10.0.5. For ownCloud, that would be ownCloud 10.0.1, 9.1.6 or 9.0.10.
Now the scanner is become totally useless. Today I can not scan any nextcloud system. I have ten nextcloud systems and I could scan nine of the since yesterday or tuesday. Today I can not scan a single nextcloud system -.-