We are hosting a few NextCloud instances and we recognize regular scans for NC and OC instances on almost any domain. The apache access log shows lines like these:
This is happening in waves, and all the IP addresses (deliberately not disclosed here) are listed on https://www.abuseipdb.com as abusive and are all based in France.
I can see the same in my apache access logs. Just above 1000 since 7 February. Seems they are trying to get some info from status.php, in various paths.
Good idea. Maybe fail2ban could be taught to ban such attempts. It is interesting that the requests cover some frequently used URLs (/nextcloud/status.php, /oc/status.php and so on).
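One way to do what the post above suggests, as an added example that is not from the original thread and not fail2ban's own code: a small Python script that parses Apache combined-log lines, matches status.php under any path prefix, and flags a client only when it probes several different status.php locations within a short window. Thresholding on distinct paths rather than raw hits is the point: as noted later in the thread, legitimate API users request the instance's real status.php too, and a raw hit count would ban a client that simply polls it. All log lines, IPs, timestamps and user agents below are constructed; the maxretry/findtime behaviour of fail2ban is approximated here, not invoked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache combined-log lines (not from the original post).
# 203.0.113.7 walks several guessed status.php paths; 198.51.100.4 is a
# normal web user; 192.0.2.20 is a sync client polling the real /status.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2017:04:12:01 +0100] "GET /status.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:04:12:02 +0100] "GET /nextcloud/status.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:04:12:02 +0100] "GET /oc/status.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:04:12:03 +0100] "GET /owncloud/status.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2017:08:30:15 +0100] "GET /index.php/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2017:08:30:16 +0100] "GET /status.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Feb/2017:09:00:00 +0100] "GET /status.php HTTP/1.1" 200 312 "-" "mirall/2.2.4"
192.0.2.20 - - [10/Feb/2017:09:00:30 +0100] "GET /status.php HTTP/1.1" 200 312 "-" "mirall/2.2.4"
192.0.2.20 - - [10/Feb/2017:09:01:00 +0100] "GET /status.php HTTP/1.1" 200 312 "-" "mirall/2.2.4"
"""

# Apache combined log format: host, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# status.php at the web root or under any number of directory prefixes,
# optionally followed by a query string; nothing else after the file name.
PROBE_RE = re.compile(r'^/(?:[^/?]+/)*status\.php(?:\?|$)')


def parse_line(line):
    """Return (host, timestamp, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path"), int(m.group("status"))


def is_status_probe(path):
    """True if the request path is some */status.php."""
    return PROBE_RE.match(path) is not None


def find_scanners(log_text, max_paths=3, window=timedelta(minutes=10)):
    """Return {host: sorted distinct status.php paths} for every host that
    requested at least `max_paths` *different* status.php locations inside
    one `window`. A host hammering a single path is deliberately not flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, path, _status = parsed
        if is_status_probe(path):
            hits[host].append((ts, path))

    scanners = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct paths seen from this event until the window closes.
            in_window = {p for ts, p in events[i:] if ts - start <= window}
            if len(in_window) >= max_paths:
                scanners[host] = sorted({p for _, p in events})
                break
    return scanners


if __name__ == "__main__":
    for host, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{host}: {len(paths)} distinct status.php paths -> ban candidate")
        for p in paths:
            print("   ", p)
```

Porting this to a fail2ban filter needs one adjustment: fail2ban counts matching lines per host (maxretry within findtime), not distinct paths, so a failregex built from PROBE_RE would also catch a client polling the instance's own status.php. Exclude that one real path with the filter's ignoreregex, or only count requests that received a 404, so that the ban logic stays close to what the script above does.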
Is access to that URL needed for the outside net in the first place?
Monitoring tools are located in internal networks.
I think this is Nextcloud; they have been sending abuse complaints to my provider because we haven't patched our Owncloud, yes Owncloud, yet. They sent a link to https://scan.nextcloud.com/results/ with your results.
I have already sent them an email to stop doing this; it's abuse of the abuse process in my opinion. Also it creates a lot of unnecessary hassle with providers while I have the patch moment planned already.
Before starting some case with lawyers (as mentioned in the link above) I would prefer to collect the actual resulting problems with these checks and discuss if the benefits are worth these problems. Same thing with the existence of the mentioned status.php and the possibility to check the NC instance with it for good or bad reasons.
In the end Nextcloud GmbH has the possibility to make their decision considering the community opinion. Wanted or not, that means an open discussion, but as these two topics exist now it is opened anyway. So make the best out of it ;).
It is a marketing campaign to raise the installation count of Nextcloud.
In the case of the BSI, it is the misuse of an authority for private purposes.
But shouldn't we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.
It seems at the very least like something that should be opt-in…
My guess is that it was meant as a nice gesture but devs didn't really think things through and also communicated it badly.
But shouldn't we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.
It seems at the very least like something that should be opt-in…
AFAIK certain services that use the API depend on it. Also I don't think it really changes anything; most automated attacks don't care about that and just brute force all the vulnerabilities ranging from newest to oldest.
Intentionally hiding version numbers is only security through obscurity and not really super useful.
If it helps, it's trivial to get the WordPress version a site runs generally also, which Google recently leveraged to send site console messages to admins informing them to upgrade from an insecure version.
I haven't noticed these in my logs, but I might look for them now.
WTF? If a software company needs a federal agency to notify you about updates, what does that tell about their update notification and update procedures? And if this were an advertisement for ownCloud users, this would be really really poor…
I followed the German thread very lightly with imperfect translations. What exactly happens with this letter? Who are the providers who get it and what are they expected to do?
Nothing happened so far and in my opinion there is also no chance/reason that it will.
The results of the status.php scan were, for Germany, forwarded to the German federal office for internet security (BSI), and they informed the respective ISP to in turn inform the Nextcloud operator.
So some people interpreted this as an "attack" where actually just the anyway open status.php was scanned. So in my opinion there is no chance (and also no reason) to harm Nextcloud GmbH in a legal way.
Also it is criticized that the federal office is used for private purposes in this case. But actually the BSI states on their website: "The BSI protects the networks of the Confederation; but it is also aimed at commercial and private providers such as users of information technology." So it explicitly also handles private providers, and as Nextcloud/ownCloud is growing it becomes a more important share of publicly and privately used web services. I don't know what other "private" cases the BSI normally deals with, but at least there is some argument that they could also use their possibilities to force Nextcloud/ownCloud operators to do security updates.
But of course so far I would also always prefer a transparent way of doing this and let people make their own decision about if/when they want to do their updates/security hardening. Of course some well published information about all these security topics should be there, which IS on docs.nextcloud.com and here in the forum.
Except that you could be freaked out and just remove such hard-to-upgrade software.
I really don't understand the purpose of this bizarre action. If you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup, except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionality (litmus test) and the version.
Here's the email our provider got; apparently they sent lists of Own/Nextcloud instances to all providers. Not sure who sent the email, my provider won't tell me that because multiple customers are involved. I removed the Nextcloud email address to protect against spambots etc.
My main issue with this is that the abuse process is meant for actual abuse: sending spam, hacking attempts, things like that. Not patching your software is simply not abuse. If every software developer starts doing this, providers are going to be very busy very quickly.
It would be great if Nextcloud stops this practice.
I really don't understand the purpose of this bizarre action. If you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup, except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionality (litmus test) and the version.
I suppose this stuff is mainly targeted at users that wouldn't even use an extra service like this because they either don't care or don't know. It's not that hard to follow new releases. I mean: do you really want to know that you are running an old version if you are running an old version ;D?
Other actions could include:
Automatic updates (people will kill you)
Update nagging like showing popups to people every day for out of date installations