Jremi.com

Linux HOWTO

October, 2018


Install and configure Nextcloud with Redis


Introduction

For those of you who do not know what nextcloud is, this part is for you.

Nextcloud is an open source, self-hosted file share and communication platform. Access & sync your files, contacts, calendars & communicate and collaborate across your devices. You decide what happens with your data, where it is and who can access it!

Nextcloud products are designed with compliance in mind, providing extensive data policy enforcement, encryption, user management, and auditing capabilities.

It is functionally similar to Dropbox out of the box, but with the ability to install addons like video conference calling, a Facebook-style messenger, antivirus, and online office document editing, so it can compete with and replace Microsoft Office 365 or Google Drive/Docs.


Step 1: Prerequisites

In order to get up and running with Nextcloud, we are going to have to install a few more packages on your server.

*NOTE* This guide assumes you have already installed the LAMP stack from the guide Install the latest LAMP stack on Ubuntu 16.04 Server.

Nextcloud needs a minimum of 128MB RAM, and they recommend a minimum of 512MB to get started; however, I would recommend a minimum of 2GB to be able to run all the cool addons. If all you want is a Dropbox replacement without the extras then 512MB should work just fine, but keep in mind this guide is prepping for all the frills down the road.

Required:
* PHP module bz2 (required for extraction of apps)
* PHP module SimpleXML
* PHP module XMLReader
* PHP module XMLWriter
* PHP module intl
* PHP module smbclient
* PHP module imap

sudo apt install php7.0-bz2 php7.0-xml php7.0-pspell php7.0-intl php7.0-gmp php7.0-imap php-smbclient php-redis

Optional but recommended packages:

sudo apt install ffmpeg libreoffice php-imagick

Step 2: Configure the PHP.ini file

Alright, so here we have 2 files to edit: one is the php.ini that Apache will use and the other the one the system (command line PHP) will use.

First, let's configure Apache's php.ini

sudo nano /etc/php/7.0/apache2/php.ini

We are going to be searching within the file; to search in nano you press "Ctrl + W"

Find ;date.timezone = and delete the ; and make it look like this
date.timezone = America/New_York

Find upload_max_filesize = and change it to at least 500M
upload_max_filesize = 500M

Find max_execution_time = 30 and change it to
max_execution_time = 360

Find ;opcache.enable= and delete the ; and make it
opcache.enable=1

Do the same for the following
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Ctrl + x followed by y then enter to save

Now to edit the system's (command line) php.ini

sudo nano /etc/php/7.0/cli/php.ini

Same as above, find and change these

date.timezone = America/New_York

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Ctrl + x followed by y then enter to save

Step 3: Configure MySQL/MariaDB Server

Now before we go and create the database & user we need to make a slight adjustment to MySQL.

The change we are making is just telling the server to use the InnoDB storage engine, as Nextcloud doesn't support MyISAM (the default).

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

Alright, now we can go about this 1 of 2 ways depending on how you like to organize your settings.

We can create a new section in the config under [mysqld] with a collection of all your new tweaks, or we can add them to their own preexisting section # * InnoDB.

I’m going to create a new section below.

Find [mysqld] and under it enter this

### Nextcloud Settings ###
innodb_buffer_pool_size=1G
innodb_io_capacity=4000

Ctrl + x followed by y then enter to save

Next, let's go ahead and enter the MySQL server's CLI

sudo mysql -uroot

To create the database we need to enter

CREATE DATABASE nextcloud;

And the username & password; replace nextclouduser with whatever you want. *NOTE* this account should only ever be used by Nextcloud

CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'new_secure_password_here';

Let's give the user you created above permission to use the new database. (Nextcloud never needs to grant privileges to other accounts, so WITH GRANT OPTION can be left off if you prefer least privilege.)

GRANT ALL ON nextcloud.* TO 'nextclouduser'@'localhost' WITH GRANT OPTION;

Finally we need to save the changes & exit

FLUSH PRIVILEGES;
EXIT;

Step 4: Downloading Nextcloud

Navigate to https://nextcloud.com/install/ and click Download.

Click “Details and Download” options, and then right click on “.tar.bz2” and copy link/copy link location.

Switch back to your server, pushd into /tmp and download the link you copied from the browser

pushd /tmp

wget https://download.nextcloud.com/server/releases/nextcloud-14.0.1.tar.bz2

Once the download has finished we need to extract it

sudo tar xf ./nextcloud-14.0.1.tar.bz2 -C /opt/

popd

After it finishes extracting, we need to change some permissions and create a data directory.

Nextcloud defaults the data directory to a folder inside the nextcloud install directory, and for security reasons you should never store private/personal data inside a directory the HTTP server serves as a website.

sudo chown -R www-data:www-data /opt/nextcloud
sudo chmod -R 755 /opt/nextcloud
sudo mkdir /media/nextcloud
sudo chown -R www-data:www-data /media/nextcloud

Step 5: Configuring Apache

Almost there, next step is to create the apache config we will use to serve the nextcloud site.

Go ahead and create the config file

sudo nano /etc/apache2/sites-available/nextcloud.conf

Now we need to create the virtual host.

*NOTE* 
Change ServerAdmin to match one of your emails
Set ServerName & ServerAlias to your domain name

<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /opt/nextcloud/
    ServerName ncsite.com
    ServerAlias www.ncsite.com

    Alias /nextcloud "/opt/nextcloud/"

    <Directory /opt/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /opt/nextcloud
        SetEnv HTTP_HOME /opt/nextcloud
    </Directory>

    <IfModule headers_module>
        RequestHeader set X-HTTPS 1
        Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>

    ErrorLog /var/log/apache2/nc-error.log
    CustomLog /var/log/apache2/nc-access.log combined
</VirtualHost>

Ctrl + x followed by y then enter to save

Next, we need to enable the config and a few modules.

sudo a2ensite nextcloud.conf
sudo a2enmod rewrite
sudo a2enmod headers
sudo a2enmod env
sudo a2enmod dir
sudo a2enmod mime

If you would also like it to be the default site, i.e. typing in the IP will serve Nextcloud, go ahead and enter this

sudo a2dissite 000-default

Now we just need to restart apache

sudo service apache2 restart

Step 6: Install & Configure Redis Caching Server

Using a memory caching server can significantly improve the performance of Nextcloud, where frequently requested objects are stored in memory for faster retrieval.

To install it, enter the following

sudo apt install redis-server

Once installed, let's go and configure it by opening the Redis config file

sudo nano /etc/redis/redis.conf

We don't have to do much: the only things we are going to do are enable the Redis Unix socket and make it writable.

Find the commented-out unixsocket /var/run/redis/redis.sock line and remove the comment character in front of it.
It should look like this
unixsocket /var/run/redis/redis.sock

Next, right under it you should see unixsocketperm 700; go ahead and change it to this
unixsocketperm 766

Note that 766 lets every local user write to the socket; a tighter alternative is 770 with the www-data user added to the redis group (sudo usermod -aG redis www-data).

Ctrl + x followed by y then enter to save

Now restart the Redis server

sudo service redis restart

Step 7: Nextcloud Installer

Go back to your browser and navigate to your nextcloud server’s domain name.

Create Admin

Enter the username and password you would like for the admin account.

Set Data Folder

Enter /media/nextcloud

Database config

For the database user, enter the MySQL user we created back in step 3, and in the database password field enter the password you gave that user.

For the database name, enter “nextcloud” unless you chose a different name back in step 3.

Leave the database host as localhost

Step 8: Final Configuration of nextcloud’s config.php

We are going to be adding 2 things to Nextcloud's config.php. The first is to enable pretty URLs.

Pretty URLs remove the index.php part from all Nextcloud URLs, for example in sharing links like https://ncsite.com/index.php/s/something, making URLs shorter and prettier. The second is to enable the Redis caching server.

First lets open the config in nano

sudo nano /opt/nextcloud/config/config.php

Next add this line under 'overwrite.cli.url' => 'https://ncsite.com/',

...
'overwrite.cli.url' => 'https://ncsite.com/',
'htaccess.RewriteBase' => '/',

Now to add the Redis server, go to the end of the file, right after 'installed' => true, and right before );

*NOTE* Make sure you set a good secure password, as Redis does not
use authentication by default and anyone with access to the socket
could potentially read the cache

'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'dbindex' => 0,
    'password' => 'secret',
    'timeout' => 1.5,
),
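As an added example (not part of the article or of Nextcloud itself), the Python check below reads the redis.conf directives and the 'redis' array from config.php and flags the mismatches the note above is about: a socket path that differs between the two files, a world-writable socket, and a password in config.php that Redis never enforces because redis.conf has no requirepass. Both sample snippets are constructed from the settings used in this guide.

```python
import re


def parse_redis_conf(text):
    """Return redis.conf directives as {name: value}; lines starting with # are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip().strip('"')
    return conf


def parse_nextcloud_redis(text):
    """Pull the flat 'key' => value pairs out of the 'redis' => array(...) block
    of config.php (a regex is enough for the shape used in this guide)."""
    m = re.search(r"'redis'\s*=>\s*(?:array\(|\[)(.*?)(?:\)|\])\s*,", text, re.S)
    if not m:
        return {}
    return dict(re.findall(r"'(\w+)'\s*=>\s*'?([^',\s]*)'?", m.group(1)))


def check_redis_setup(redis_conf, config_php):
    """Return a list of findings; an empty list means the two files agree and look sane."""
    r = parse_redis_conf(redis_conf)
    nc = parse_nextcloud_redis(config_php)
    findings = []
    host = nc.get("host", "")
    if host.startswith("/") and host != r.get("unixsocket"):
        findings.append(f"config.php host {host} does not match redis.conf unixsocket {r.get('unixsocket')}")
    perm = r.get("unixsocketperm")
    if perm and int(perm, 8) & 0o002:  # 'other' write bit set
        findings.append(f"unixsocketperm {perm} lets every local user write to the socket; 770 with www-data in the redis group is tighter")
    if nc.get("password") and "requirepass" not in r:
        findings.append("config.php sets a password but redis.conf has no requirepass, so Redis never enforces it")
    elif "requirepass" in r and r["requirepass"] != nc.get("password"):
        findings.append("requirepass in redis.conf differs from the password in config.php")
    return findings


# Constructed samples mirroring the settings from Steps 6 and 8 of this guide.
REDIS_CONF = """\
# unixsocket /tmp/redis.sock
unixsocket /var/run/redis/redis.sock
unixsocketperm 766
"""

CONFIG_PHP = """\
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => array(
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'dbindex' => 0,
    'password' => 'secret',
    'timeout' => 1.5,
  ),
  'installed' => true,
"""

if __name__ == "__main__":
    for finding in check_redis_setup(REDIS_CONF, CONFIG_PHP) or ["no findings"]:
        print(finding)
```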

Finally, we can add a cron job to automate Nextcloud's background tasks

crontab -u www-data -e

If it prompts you for which editor you would like to use, choose nano (2)

Once in nano, goto the bottom of the file and add this

*/15  *  *  *  * php -f /opt/nextcloud/cron.php

Step 9: Nextcloud Settings

From the desktop browser, navigate back to your new nextcloud domain and login. 

Once logged in, click the top right colored circle with the first letter of your username and then “Settings”

Then “Basic settings” in the menu on the left.

Under “Background Jobs”, change it from AJAX to Cron.


You have finished installing Nextcloud!

I will write a guide on setting up and securing SSL, as well as an in-depth guide on setting up and using some of the bigger addons available.

If you are interested I will also be writing a guide on how to install collabora both from source and from docker in the future along with a guide on OwnPad and maybe EtherCalc.

Hope you enjoyed it, and if you have any topics you would like me to cover please comment below!

Securing SSH & Installing Fail2Ban


This is in my opinion the most important first step for any new linux server.  Now this is just a basic guide on securing your server from any malicious attackers trying to gain access to your server, and I will write another article on further hardening at a later date.

This is a loose continuation of my previous article, How to Install the LAMP Stack.

SSH is the most common part of server management and is widely used by most websites & servers out on the internet. Because it is so common, it is an easy target for attackers, since server admins often fail to configure it properly against attack, so today I am going to teach you some easy ways to protect your own server with these easy steps.

Before we start, make sure you have nano installed on your system. Most installs should already have it, but if yours does not, go ahead and enter this:

sudo apt install nano -y

Step 1: Creating a login Banner & Motd

This is the most basic of security features, meant solely for that 1% of attackers who see your site and think "I'm going to try and hack it", or for you to show off to your friends to make your server look official. Whatever your reason, it works as a basic first line of defense.

First, let's create the initial banner that displays when you are prompted for your username/password

# /etc/issue.net is root-owned, so write it through sudo tee rather than a plain > redirect
echo "###############################################################
#                 Authorized access only!                     #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################" | sudo tee /etc/issue.net

or

sudo nano /etc/issue.net

###############################################################
#                 Authorized access only!                     # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################

Ctrl + X followed by Y then Enter to save

After that, let's create the banner that displays after a successful login

# /etc/motd is root-owned as well, so write it through sudo tee
echo "#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################" | sudo tee /etc/motd

or

sudo nano /etc/motd

#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################

Ctrl + X followed by Y then Enter to save

Step 2: Editing the SSH Servers config

Let's first start off by creating a backup, just in case

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

After that's out of the way, let's start editing

sudo nano /etc/ssh/sshd_config

The first thing you can do, and this is totally optional (I personally do not do it), is change your SSH port. I plan on doing a writeup in the future on how to install a honeypot, which I will link here when I do; if you want to run that then you would need to change this. This is also the single easiest thing you can do to cut down somewhere around 90-95% of all the attacks against your SSH port, since most attackers port scan blocks of IPs for known ports and attack from that list; changing the default port would prevent your server from going on that list.

*NOTE* An SSH Honeypot is a false ssh server that can be configured to accept any username/password and allow the attacker to enter a false/fake filesystem to see what they try.

To change the port look for this line

Port 22

and change 22 to anything you want i.e.

Port 2022

The second thing we need to do is disable root login. This will prevent anyone from being able to log in to the server using the root credentials; besides, no one should be using root, let alone be allowed to log in with it.

Locate this line

PermitRootLogin prohibit-password

and change it to this

PermitRootLogin no

The next 2 steps are optional, but still recommended

Third, we need to set a max idle time; this will kick users that idle longer than 10 minutes (adjustable). ClientAliveInterval tells the server to check whether the client is still alive every 300 seconds, or 5 minutes (adjustable), after no data has been received. ClientAliveCountMax is the number of checks that must fail before the client is kicked (2 × 5 minutes).

ClientAliveInterval 300
ClientAliveCountMax 2

The fourth and final step is to limit the users that are allowed to SSH into your server. This is very convenient if you plan on creating users as a way of segregating web apps and/or data (although there are other, better alternatives, but who am I to judge).

AllowUsers user1 user2 user3
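As an added example (not from the original article), here is a small Python check that reads an sshd_config and verifies the settings from the steps above. It also mirrors sshd's rule that the first occurrence of a keyword wins, which is the usual reason a hardening line appended at the bottom of the file has no effect. The EXPECTED values and the sample config are constructed for this example.

```python
import re

# Targets taken from the steps above (constructed for this example):
# root login off, idle clients dropped after 2 x 300 s, AllowUsers present.
EXPECTED = {
    "permitrootlogin": "no",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
}


def parse_sshd_config(text):
    """Return the effective global options of an sshd_config as {keyword: value}.

    Mirrors two sshd rules: keywords are case-insensitive, and the FIRST
    occurrence of a keyword wins, so a hardened line added below an earlier
    one is silently ignored.  Parsing stops at the first Match line, because
    options after it only apply conditionally.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} not set (want {wanted})")
        elif got.lower() != wanted:
            findings.append(f"{key} is {got!r}, want {wanted!r}")
    if not opts.get("allowusers"):
        findings.append("allowusers not set: every local account may log in over SSH")
    return findings


# Constructed sample: the admin appended "PermitRootLogin no" at the bottom
# but left the distribution default line in place above it.
SAMPLE_CONFIG = """\
Port 2022
# distribution default left in place; sshd keeps this first value
PermitRootLogin prohibit-password
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers user1 user2
# appended later, never takes effect
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```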

Step 3: Installing and setting up Fail2Ban

Fail2Ban is great: it is a program that parses log files and bans IPs that show malicious signs. For our needs it will parse the SSH server's logs in real time looking for any attackers; once found it will not only ban them, but it can also send you an email notification, as well as perform a few more tasks like banning them on Cloudflare, emailing you a whois report and logs, complaining to their ISP, and sending the IP to larger managed blocklists.

Lets start off by installing it

sudo apt install fail2ban -y

After it has been installed, let's edit the config. (Package upgrades can overwrite jail.conf; Fail2Ban also reads /etc/fail2ban/jail.local, which overrides jail.conf, so the same settings can be placed there instead.)

sudo nano /etc/fail2ban/jail.conf

The first thing we want to do is change the findtime; to me 10 minutes isn't really that long, but feel free to skip this step.

locate findtime = 600

and change to

findtime = 86400 ; 24 hours

Next we need to configure the notification and action section

Locate destemail = root@localhost

and change it to your own email address (note you may get a lot of emails)

Locate sender = root@localhost

This one doesn't matter as much, but I like to name them fail2ban@server.com, note if you run your own mail server make sure the server is authorized to send emails in your SPF record.

Next locate action = %(action_)s

By itself it will ban without notification

action = %(action_mw)s ; will ban and email you a whois report

action = %(action_mwl)s ; will ban and email you a whois + logs

action = %(action_xarf)s ; will ban and email both you and the ISP logs

action = %(action_cf_mwl)s ; will ban on cloudflare and email you a whois + logs

After you have set the notification details and chosen an action to perform, we can enable the services to be monitored. Right now, since we only have SSH and Apache installed, we will go ahead and enable those to be monitored, as well as repeat offenders.

Locate [sshd] and in the blank space add
enabled = true

Do the same for [selinux-ssh], [apache-auth], and [recidive]. (The selinux-ssh jail reads /var/log/audit/audit.log, which a stock Ubuntu server without auditd does not have; if Fail2Ban logs an error about that jail having no log file, leave it disabled.)

In [recidive] we have a few other things to change

bantime = -1 ; -1 = forever
findtime = 604800 ; 1 week, feel free to set this to anything you wish but 1 day minimum

We will go over the others in later guides, so don't worry about them now unless you know for a fact you have one of them installed and know what it does.

Ctrl + X followed by Y then Enter to save

Then reload Fail2Ban so it uses the updated config

sudo service fail2ban reload
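To see what the findtime change above buys you, here is an added Python replay of Fail2Ban's sliding-window rule over a few constructed auth.log lines (example code, not part of the article or of Fail2Ban itself). maxretry is assumed to be 5, Fail2Ban's default, the syslog year is assumed to be 2018, and the attacker's address 203.0.113.7 is taken from the documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified form of the sshd failure line that Fail2Ban's sshd filter matches on.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_failures(lines, year=2018):
    """Return sorted (timestamp, ip) pairs for failed logins; other lines are ignored.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    found = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["ip"]))
    return sorted(found)


def simulate_jail(lines, findtime, maxretry=5):
    """Replay the log through Fail2Ban's rule: an IP is banned once it has
    `maxretry` failures inside any `findtime`-second window.
    Returns {ip: time_of_ban}; an IP already banned is not counted again."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        # Forget failures that are older than the window.
        while (ts - hits[0]).total_seconds() > findtime:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed log: a slow brute force (one guess every 30 minutes) plus one
# genuine typo from a legitimate user who then logs in successfully.
SAMPLE_LOG = [
    "Oct 13 10:00:01 ncserver sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Oct 13 10:05:17 ncserver sshd[2130]: Failed password for user1 from 198.51.100.2 port 40112 ssh2",
    "Oct 13 10:05:25 ncserver sshd[2130]: Accepted password for user1 from 198.51.100.2 port 40112 ssh2",
    "Oct 13 10:30:02 ncserver sshd[2188]: Failed password for invalid user admin from 203.0.113.7 port 51144 ssh2",
    "Oct 13 11:00:03 ncserver sshd[2240]: Failed password for root from 203.0.113.7 port 51209 ssh2",
    "Oct 13 11:30:04 ncserver sshd[2301]: Failed password for invalid user pi from 203.0.113.7 port 51377 ssh2",
    "Oct 13 12:00:05 ncserver sshd[2355]: Failed password for root from 203.0.113.7 port 51402 ssh2",
]

if __name__ == "__main__":
    # With the stock findtime of 600 s the attacker is never banned;
    # with the guide's 86400 s the fifth guess at 12:00 trips the ban.
    print("findtime=600  :", simulate_jail(SAMPLE_LOG, findtime=600))
    print("findtime=86400:", simulate_jail(SAMPLE_LOG, findtime=86400))
```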

Congratulations, you have taken a good first step in securing your server.

I will link my article on further hardening once it is finished if you wish to take your security a few steps further.

Also if you have any topics you would like me to cover, please let me know down in the comments.

Install the latest LAMP stack on Ubuntu 16.04 Server


A guide on installing the latest Apache2, Mariadb-server, and PHP7+ on Ubuntu 16

Note: You will need sudo access for the commands in this article


Step 1: Update / Upgrade Ubuntu

First, update ubuntu’s package manager.

sudo apt-get update && sudo apt-get upgrade

Next we need to install some packages that allow us to add more repositories to apt

sudo apt-get install software-properties-common language-pack-en

After those have been installed we need to add a few repositories maintained by Ondrej.  They contain the latest packages as maintained by the Debian Apache/PHP/Nginx teams with a couple of compatibility patches on top.

sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:ondrej/apache2
sudo add-apt-repository ppa:ondrej/nginx

Once the new repositories have been added we need to update/upgrade the package manager again.

sudo apt-get update && sudo apt-get upgrade

After the latest packages have been installed we are finally ready to start installing the stack.

First we have Apache

sudo apt install apache2

Followed by php7 and the most common extensions I usually require.

Note: You can install any version of PHP from 5.6 to 7.2 by replacing 7.0 with the version number you want. It is not recommended to use 5.6 as it is EOL, and 7.1/7.2 may not be supported by all packages out there.

sudo apt install php7.0 php7.0-bcmath php7.0-curl php7.0-cli php7.0-gd php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-zip php7.0-json php7.0-tidy

sudo apt install libapache2-mod-php7.0

The last part of the stack is the MySQL server. Here we are going to be installing MariaDB Server 10. It is a drop-in replacement for MySQL Server 5.7 and is regarded as a faster, more secure alternative.

sudo apt install mariadb-server

Followed by setting it up for the first time

sudo mysql_secure_installation

Here is the basic walk-through on the setup:

Enter current password for root - Press the Enter/Return key

Set root password? - Y
Type in a secure password twice - You are going to want something secure here, especially if you plan on using a web GUI to manage your databases

Remove anonymous users? - Y - This removes the default/test user accounts

Disallow root login remotely? - Y - Makes the root user only accessible from localhost / 127.0.0.1

Remove test database and access to it? - Y - Removes the test databases/tables, a security threat and not for production

Reload privilege tables now? - Y - Refreshes the authentication tables and enforces the changes above

Congratulations, you have successfully installed the LAMP stack.