For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:
Scanning was conducted by an unrelated third party (in France if you look at the IPs)
The Nextcloud scan page and their email address were posted in the email. I haven’t received any response denying involvement, so I’m pretty sure it has been Nextcloud.
The BSI contacted you guys in order to prevent you from automated attacks
They contacted the providers with an abuse complaint, not the people running the software. These complaints are not taken lightly by most; in one instance a provider threatened to blackhole the server if I did not resolve the issue asap.
Re-phrasing “please update your instance” to “please buy support from us” is a bit silly. The BSI decided to help you out because they think it was important based on the information they had.
Agreed, although a marketing rep closing the discussion in the other thread likely brought that on.
Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).
Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack
I agree you need to keep your software up to date, however in the real world it does not work this simply all the time. We generally maintain a set update schedule and only divert if there is a serious issue. Some random software developer or agency does not get to decide this by attempting to force my hand, hitting my provider with abuse complaints while nothing actually happened.
The Nextcloud scan page and their email address were posted in the email. I haven’t received any response denying involvement, so I’m pretty sure it has been Nextcloud.
Nextcloud does not employ people in France and the scans were from French IPs
Are we really discussing Nextcloud’s part in this or just ranting about how BSI used an easy way to contact you guys? If so please contact the BSI because this discussion is not changing anything ;D
The benefits of using FOSS can include decreasing software costs, increasing security and stability (especially in regard to malware), protecting privacy, and giving users more control over their own hardware.
Actually it would seem to be you, who is mixing things up. Buttons, options and tripe replies.
You know how it reads “can include” and not “includes”? FOSS is only about licensing at its core, and when speaking about the most popular licenses it’s all about changing and distributing code. That’s it.
It is by some who have appropriated the FOSS movement for their own needs.
Maybe go and have a chat with Stallman and Raymond on your interpretation of what FOSS is and what it should be and why there was a need for its creation.
@BernhardPosselt I think your tone is winding people up, maybe dial it down a bit. No matter how trivial you feel this is, your opinion clearly isn’t shared by others commenting above.
@jospoortvliet do you still feel this isn’t worth talking about? Seems fairly important to clear the air and, assuming the intentions of NC are good, having an official response here might lighten current tensions.
It isn’t clear if this has been organized by Nextcloud, or on behalf of Nextcloud, or by an independent company (a French IP only indicates that resources of a French ISP were used); obviously Nextcloud doesn’t want to give any official statement. So let’s go back to a technical point of view:
If many of your domains are scanned for owncloud/Nextcloud setups, you can use this pattern on domains that are not used for owncloud/Nextcloud and block this IP (e.g. fail2ban). You can also report this IP to the ISP if there is a chance that they handle this request and you suspect illegal activities (search for potential victims). You could also send out fake status-reports on domains that are not using Nextcloud or just ignore it.
It was pointed out that the status-messages are required for setups, so you can only hide your setup behind a VPN if you don’t want to allow public access, or somehow restrict the IP range that can use Nextcloud.
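The pattern suggested above (flagging status-endpoint probes on domains that do not host Nextcloud and feeding the source IPs to a blocker such as fail2ban), as an added Python example that is not from the thread: it assumes an nginx-style access log with the virtual host prefixed to each entry and that the probed path is /status.php; the log lines, IPs and host names are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (nginx-style, virtual host first).
# Not from the thread; the IPs and host names are made up.
SAMPLE_LOG = """\
blog.example.net 198.51.100.7 - - [01/Mar/2017:10:00:01 +0000] "GET /status.php HTTP/1.1" 404 162
cloud.example.net 198.51.100.7 - - [01/Mar/2017:10:00:02 +0000] "GET /status.php HTTP/1.1" 200 190
mail.example.net 198.51.100.7 - - [01/Mar/2017:10:00:03 +0000] "GET /status.php HTTP/1.1" 404 162
www.example.net 198.51.100.7 - - [01/Mar/2017:10:00:04 +0000] "GET /owncloud/status.php HTTP/1.1" 404 162
cloud.example.net 203.0.113.9 - - [01/Mar/2017:10:05:00 +0000] "GET /status.php HTTP/1.1" 200 190
blog.example.net 203.0.113.9 - - [01/Mar/2017:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

# Hosts that really run Nextcloud: a status request there is a legitimate client.
NEXTCLOUD_HOSTS = {"cloud.example.net"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed probe path: the status endpoint, at the web root or one subdirectory down.
PROBE_RE = re.compile(r"^(?:/[^/?]+)?/status\.php(?:\?.*)?$")


def probe_counts(log_text, nextcloud_hosts):
    """Count status-endpoint requests per client IP, only on hosts that do not run Nextcloud."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["host"] in nextcloud_hosts:
            continue  # real instance, real endpoint: not evidence of scanning
        if PROBE_RE.match(m["path"]):
            counts[m["ip"]] += 1
    return counts


def ips_to_block(log_text, nextcloud_hosts, maxretry=3):
    """IPs that probed at least `maxretry` non-Nextcloud hosts (fail2ban's maxretry semantics)."""
    return sorted(ip for ip, n in probe_counts(log_text, nextcloud_hosts).items() if n >= maxretry)


if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG, NEXTCLOUD_HOSTS))  # ['198.51.100.7']
```

The host allow-list matters: without it, every real client of the Nextcloud instance would count as a scanner.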
It isn’t that I don’t consider it important enough - my lack of statement is due to privacy and security concerns.
And as I said in another thread: personally, if I was warned I left my wallet when leaving a cafe, left my door open when walking my dog or didn’t lock my car, I’d be happy and pick up my wallet/close my door/lock my car. If people hear from their provider that their server is at risk from (potentially automated!) attacks, perhaps the best course of action is to upgrade it to a secure version.
I think some people underestimate how easy it is to hack an outdated ownCloud or Nextcloud server. It is easy to get IP and web addresses on the web, there are services that simply sell them! Then, you can easily do an automated scan and then hack the servers and copy the data or even take over the entire server if the version on it is old enough.
If you ask me, that is a HUGE problem! I can only hope that there are not many insecure systems on the web. Many people are not aware that their privacy is being violated by companies like Google, Dropbox et al., and we started working on private cloud software to help defend people and their data. I personally would feel I’d have to act in a similar way if I knew people were running insecure software. I can guarantee you I tell people who run Windows XP that what they do is potentially dangerous! Wouldn’t you?
Of course I wouldn’t want to lock them up and take their freedom to run Windows XP away… Though, if their system is used in a bot net, as ISP I might want to lock them out of the web.
Again, I can’t talk about what happened here, though to me what Bernhard said about the French IP and such makes sense. I guess a hacker would use a proxy to hide where from he/she breaks (and TOR, maybe) so those attempts could have been from anywhere in the world and I think it is a good move to block them.
I don’t personally have a problem seeing scans in my logs, it’s a public server and it’d be naive to assume it isn’t going to happen - my linux access logs look like I’m behind a locked door in a scene from the Walking Dead
But, if my ISP sent me a letter threatening to shut my connection down due to a.n.other company reporting security issues coming from my IP, I’d rage. Especially given my contact details are in the WHOIS of the domain I host from - where I’d more than welcome a notice to say I’m out of date (as you referred to with XP there @jospoortvliet) - as Google did the other week following a nasty vuln in Wordpress that I’d already patched.
Perhaps if you have any influence, ask them to find another means of contact. That appears to be the issue here.
But that’s not their responsibility and you don’t have a contract with them (“them” being the BSI). The potential threat they recognized is imposed from the ISP’s properties and that’s why they get informed and asked to do something about it.
I don’t get why you’re having a problem with that. This shouldn’t be a problem:
Because just fixing the issue at your end solves the problem, helps yourself and makes the internet a better place.
I don’t understand why you can’t see past your own opinions here. The “service” (I’ll call it that) is great, and on par with what Google did recently with my Wordpress install that’d already been patched before they contacted me.
But therein itself lies an issue. I patched my Wordpress install the day the vuln was disclosed and the patch was provided. Google scanned it some time during that day and saw it hadn’t yet been patched so queued a notification to go out to me.
The same can happen here, except instead of me, the admin, being notified (by which I’d say thank you and perhaps even shout out the value of that service), I’d get a cease and desist type letter (as an ISP will often consider these alerts a complaint. They’re not smart.) 2 weeks later - by which time I’m on their radar for potentially doing something I shouldn’t. This puts my internet contract under threat.
There’s a distinction here too; this notification sent to a datacentre will be handled in a completely different manner to the ISP of a home user - a vast userbase for these solutions.
I applaud the objective, and I fully support everyone being up to date within the constraints applied (see patch schedules, etc mentioned above), but the communications protocol in place is all wrong.
The proof of this is in the very existence of this topic.
All outdated software causes a potential threat (browsers, flash, …) but ISPs will have to be constantly sending notification letters to their customers if you want to set this as a standard. A list of IP addresses of clients of a bot network is a real threat and not only a potential one. From https://nextcloud.com/security/advisories/ I don’t see a warning where you can obtain root-permissions on a system. For me it seems exaggerated, especially when some could have been contacted via whois data as @JasonBayton pointed out.
For the community/developers here, there are much better ways to make sure/help users to keep their systems up to date.
Well, if the topic turns into the question who the BSI should best contact if they got aware of some issues, then this should probably be discussed somewhere else. Don’t you think?
If that’s true and the online services are of any importance to you, I’d consider changing the ISP.
Guess what, ISPs have to handle that sort of stuff 24/7 and they really know how to handle these. If they don’t, they are not the right service provider.
Yes, and not only ISPs. Whenever someone gets to know about a vulnerability they should responsibly disclose that to someone who can deal with it. There is no reason to downplay any of that - but at the same time I can’t tell why there is a smell of panic in the air.
My original post was about an observation and I asked a question because I wanted to understand what’s going on. That’s achieved and the advice is probably the best we all can/should do:
[quote="jospoortvliet, post:36, topic:8992"]
so those attempts could have been from anywhere in the world and I think it is a good move to block them
[/quote]
No, as it’s a service being conducted on behalf of Nextcloud, their involvement shown in the links to results and contacts provided. NC should have some say into how this service is provided, or switch to a provider of said service that doesn’t conduct its communications in this manner.
I wouldn’t consider changing my home ISP over this. It’s an edge case and something that shouldn’t involve the ISP at all.
Reading through it appears to be less panic and more concern/disdain for how this is being handled, which is justified. Applying enterprise policies to home admins is rarely going to be the right approach.
You’re right though, NC is still not going to divulge any more information or offer any transparency in what should be an open, friendly service. So for those who don’t like the idea of having their ISP involved where they have no reason to be, blocking the IPs is the way to go.
I’ve set this to autoclose now. If @tflidd or another moderator feel there’s more to be said feel free to re-open it when it closes, similarly non-mods feel free to message me, but it appears to be going around in circles (which is as much my fault as anyone else’s, sorry).