Someone scans the internet for NC/OC instances

For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:

  • Scanning was conducted by an unrelated third party (in France if you look at the IPs)

The Nextcloud scan page and their email address were posted in the email. I haven’t received any response denying involvement, so I’m pretty sure it has been Nextcloud.

  • The BSI contacted you guys in order to prevent you from automated attacks

They contacted the providers with an abuse complaint, not the people running the software. These complaints are not taken lightly by most; in one instance a provider threatened to blackhole the server if I did not resolve the issue asap.

  • Re-phrasing “please update your instance” to “please buy support from us” is a bit silly :wink: The BSI decided to help you out because they think it was important based on the information they had.

Agreed, although a marketing rep closing the discussion in the other thread likely brought that on.

  • Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).

Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack :wink:

I agree you need to keep your software up to date, however in the real world it does not work this simply all the time. We generally maintain a set update schedule and only divert if there is a serious issue. Some random software developer or agency does not get to decide this by attempting to force my hand, hitting my provider with abuse complaints while nothing actually happened.

The Nextcloud scan page and their email address were posted in the email. I haven’t received any response denying involvement, so I’m pretty sure it has been Nextcloud.

Nextcloud does not employ people in France and the scans were from French IPs.

Are we really discussing Nextcloud’s part in this or just ranting about how BSI used an easy way to contact you guys? If so please contact the BSI because this discussion is not changing anything ;D

The email I got from the provider said to contact Nextcloud if I had any questions so here I am.

In case of questions on the tests performed by the German company please
reach out to ########@nextcloud.com.

So what questions do you have left?

The benefits of using FOSS can include decreasing software costs, increasing security and stability (especially in regard to malware), protecting privacy, and giving users more control over their own hardware.

Actually it would seem to be you, who is mixing things up. Buttons, options and tripe replies.

You know how it reads “can include” and not “includes” :wink: FOSS is only about licensing at its core and when speaking about the most popular licenses it’s all about changing and distributing code. That’s it.

It is by some who have appropriated the FOSS movement for their own needs.

Maybe go and have a chat with Stallman and Raymond on your interpretation of what FOSS is and what it should be and why there was a need for its creation.

@BernhardPosselt I think your tone is winding people up, maybe dial it down a bit. No matter how trivial you feel this is, your opinion clearly isn’t shared by others commenting above.

@jospoortvliet do you still feel this isn’t worth talking about? Seems fairly important to clear the air and, assuming the intentions of NC are good, having an official response here might lighten current tensions.


It isn’t clear if this has been organized by Nextcloud, or on behalf of Nextcloud, or by an independent company (a French IP only indicates that resources of a French ISP were used); obviously Nextcloud doesn’t want to give any official statement. So let’s go back to a technical point of view:

If many of your domains are scanned for owncloud/Nextcloud setups, you can use this pattern on domains that are not used for owncloud/Nextcloud and block this IP (e.g. fail2ban). You can also report this IP to the ISP if there is a chance that they handle this request and you suspect illegal activities (search for potential victims). You could also send out fake status-reports on domains that are not using Nextcloud or just ignore it.

It was pointed out that the status-messages are required for setups, so you can only hide your setup behind a VPN if you don’t want to allow public access, or somehow restrict the IP range that can use Nextcloud.
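Worked example of the detection pattern described in the post above (status-endpoint probes against domains that do not run ownCloud/Nextcloud, followed by a ban), added here as an illustration and not taken from the original thread or from Nextcloud. It assumes an Apache-style access log with the virtual host written first (`LogFormat "%v %h %l %u %t \"%r\" %>s %b"`), the Nextcloud status endpoint `/status.php`, and a fail2ban jail named `nextcloud-scan`; the host names, IP addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample access log (vhost first). Only cloud.example.org runs
# Nextcloud; the other vhosts have no status.php and answer 404.
SAMPLE_LOG = """\
cloud.example.org 198.51.100.7 - - [10/Mar/2017:10:01:02 +0100] "GET /status.php HTTP/1.1" 200 312
www.example.org 203.0.113.5 - - [10/Mar/2017:10:02:11 +0100] "GET /status.php HTTP/1.1" 404 209
blog.example.org 203.0.113.5 - - [10/Mar/2017:10:02:12 +0100] "GET /owncloud/status.php HTTP/1.1" 404 209
shop.example.org 203.0.113.5 - - [10/Mar/2017:10:02:13 +0100] "GET /nextcloud/status.php HTTP/1.1" 404 209
cloud.example.org 203.0.113.5 - - [10/Mar/2017:10:02:14 +0100] "GET /status.php HTTP/1.1" 200 312
www.example.org 192.0.2.9 - - [10/Mar/2017:10:03:00 +0100] "GET /index.html HTTP/1.1" 200 5120
blog.example.org 192.0.2.9 - - [10/Mar/2017:10:03:01 +0100] "GET /status.php HTTP/1.1" 404 209
"""

# One log line: vhost, client IP, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# The Nextcloud/ownCloud status endpoint, wherever the app is installed.
STATUS_PATH_RE = re.compile(r"/status\.php$")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, nextcloud_hosts, min_foreign_hosts=2):
    """Map client IP -> sorted list of non-Nextcloud vhosts on which it asked for
    status.php, keeping only IPs that did so on at least min_foreign_hosts vhosts.
    Requests to the real instance are ignored: clients and monitoring do that legitimately."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not STATUS_PATH_RE.search(rec["path"]):
            continue
        if rec["vhost"] in nextcloud_hosts:
            continue
        probes[rec["ip"]].add(rec["vhost"])
    return {ip: sorted(hosts) for ip, hosts in probes.items()
            if len(hosts) >= min_foreign_hosts}


def ban_commands(scanners, jail="nextcloud-scan"):
    """fail2ban-client invocations that would ban each flagged IP in the (hypothetical) jail."""
    return [f"fail2ban-client set {jail} banip {ip}" for ip in sorted(scanners)]


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines(), {"cloud.example.org"})
    for ip, hosts in found.items():
        print(f"{ip} probed status.php on: {', '.join(hosts)}")
    for cmd in ban_commands(found):
        print(cmd)
```

With the sample data only 203.0.113.5 is flagged: it asked three vhosts that do not run Nextcloud for status.php. 192.0.2.9 hit status.php on a single foreign vhost, which stays below the threshold, and 198.51.100.7 only talked to the real instance. In production fail2ban would do the matching itself with a filter whose failregex keys on status.php requests to the non-Nextcloud vhosts; the script shows the logic that filter encodes and the ban command fail2ban would issue.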

It isn’t that I don’t consider it important enough - my lack of statement is due to privacy and security concerns.

And as I said in another thread: personally, if I was warned I left my wallet when leaving a cafe, left my door open when walking my dog or didn’t lock my car, I’d be happy and pick up my wallet/close my door/lock my car. If people hear from their provider that their server is at risk from (potentially automated!) attacks, perhaps the best course of action is to upgrade it to a secure version.

I think some people underestimate how easy it is to hack an outdated ownCloud or Nextcloud server. It is easy to get IP and web addresses on the web, there are services that simply sell them! Then, you can easily do an automated scan and then hack the servers and copy the data or even take over the entire server if the version on it is old enough.

If you ask me, that is a HUGE problem! I can only hope that there are not many insecure systems on the web. Many people are not aware that their privacy is being violated by companies like Google, Dropbox et al., and we started working on private cloud software to help defend people and their data. I personally would feel I’d have to act in a similar way if I knew people were running insecure software. I can guarantee you I tell people who run Windows XP that what they do is potentially dangerous! Wouldn’t you?

Of course I wouldn’t want to lock them up and take their freedom to run Windows XP away… Though, if their system is used in a bot net, as ISP I might want to lock them out of the web.

Again, I can’t talk about what happened here, though to me what Bernhard said about the French IP and such makes sense. I guess a hacker would use a proxy to hide where from he/she breaks in (and TOR, maybe) so those attempts could have been from anywhere in the world and I think it is a good move to block them.


Didn’t mean to imply that.

I don’t personally have a problem seeing scans in my logs, it’s a public server and it’d be naive to assume it isn’t going to happen - my linux access logs look like I’m behind a locked door in a scene from the Walking Dead :stuck_out_tongue:

But, if my ISP sent me a letter threatening to shut my connection down due to a.n.other company reporting security issues coming from my IP, I’d rage. Especially given my contact details are in the WHOIS of the domain I host from - where I’d more than welcome a notice to say I’m out of date (as you referred to with XP there @jospoortvliet) - as Google did the other week following a nasty vuln in Wordpress that I’d already patched.

Perhaps if you have any influence, ask them to find another means of contact. That appears to be the issue here.


@JasonBayton This is typical German.

Why would you? I’d be graceful and I wish ISPs would do more of that. It would help us all. Or am I missing something?

Did you read to “rage” and stop?

There are easier ways to contact me that don’t involve putting my contract with the ISP in peril.


But that’s not their responsibility and you don’t have a contract with them (“them” being the BSI). The potential threat they recognized is imposed from the ISP’s properties and that’s why they get informed and asked to do something about it.

I don’t get why you’re having a problem with that. This shouldn’t be a problem:

Because just fixing the issue at your end solves the problem, helps yourself and makes the internet a better place.

I don’t understand why you can’t see past your own opinions here. The “service” (I’ll call it that) is great, and on par with what Google did recently with my Wordpress install that’d already been patched before they contacted me.

But therein itself lies an issue. I patched my Wordpress install the day the vuln was disclosed and the patch was provided. Google scanned it some time during that day and saw it hadnā€™t yet been patched so queued a notification to go out to me.

The same can happen here, except instead of me, the admin, being notified (by which I’d say thank you and perhaps even shout out the value of that service), I’d get a cease and desist type letter (as an ISP will often consider these alerts a complaint. They’re not smart.) 2 weeks later - by which time I’m on their radar for potentially doing something I shouldn’t. This puts my internet contract under threat.

There’s a distinction here too; this notification sent to a datacentre will be handled in a completely different manner to the ISP of a home user - a vast userbase for these solutions.

I applaud the objective, and I fully support everyone being up to date within the constraints applied (see patch schedules, etc mentioned above), but the communications protocol in place is all wrong.

The proof of this is in the very existence of this topic.

All outdated software causes a potential threat (browsers, flash, …) but ISPs will have to constantly send notification letters to their customers if you want to set this as a standard. A list of IP addresses of clients of a bot network is a real threat and not only a potential one. From https://nextcloud.com/security/advisories/ I don’t see a warning where you can obtain root-permissions on a system. For me it seems exaggerated, especially when some could have been contacted via whois data as @JasonBayton pointed out.

For the community/developers here, there are much better ways to make sure/help users to keep their systems up to date.

Well, if the topic turns into the question who the BSI should best contact if they get aware of some issues, then this should probably be discussed somewhere else. Don’t you think?

If that’s true and the online services are of any importance to you, I’d consider changing the ISP.

Guess what, ISPs have to handle that sort of stuff 24/7 and they really know how to handle these. If they don’t, they are not the right service provider.

Yes, and not only ISPs. Whenever someone gets to know about a vulnerability they should responsibly disclose that to someone who can deal with it. There is no reason to downplay any of that - but at the same time I can’t tell why there is a smell of panic in the air.

My original post was about an observation and I asked a question because I wanted to understand what’s going on. That’s achieved and the advice is probably the best we all can/should do:

[quote=“jospoortvliet, post:36, topic:8992”]
so those attempts could have been from anywhere in the world and I think it is a good move to block them
[/quote]

No, as it’s a service being conducted on behalf of Nextcloud, their involvement shown in the links to results and contacts provided. NC should have some say into how this service is provided, or switch to a provider of said service that doesn’t conduct its communications in this manner.

I wouldn’t consider changing my home ISP over this. It’s an edge case and something that shouldn’t involve the ISP at all.

Reading through it appears to be less panic and more concern/disdain for how this is being handled, which is justified. Applying enterprise policies to home admins is rarely going to be the right approach.

You’re right though, NC is still not going to divulge any more information or offer any transparency in what should be an open, friendly service. So for those who don’t like the idea of having their ISP involved where they have no reason to be, blocking the IPs is the way to go.

I’ve set this to autoclose now. If @tflidd or another moderator feel there’s more to be said feel free to re-open it when it closes, similarly non-mods feel free to message me, but it appears to be going around in circles (which is as much my fault as anyone else, sorry).
