Install ownCloud 8.x on CentOS 7

JaredBusch

With ownCloud now working, you should secure logins with fail2ban

Install fail2ban
yum -y install fail2ban

create the initial jail file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

add ownlcoud to the jail.local
nano /etc/fail2ban/jail.local

paste this data in at the bottom

[owncloud]
enabled = true
filter  = owncloud
port    = http,https
# 'This is the data path we set earlier. Change if yours is different.'
logpath = /home/owncloud/data/owncloud.log

Create the owncloud filter file
nano /etc/fail2ban/filter.d/owncloud.conf

Paste in the following ONLY FOR ownCloud 8.2
Other regex patterns can be found in this thread

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}

ignoreregex =

Start fail2ban and enable it to start on boot
systemctl start fail2ban
systemctl enable fail2ban

Note: This is only securing ownCloud. Consult the jail.local to enable other protections you may want.

JaredBusch

Note, I am still having issues with getting the SELinux labels right and currently still have it set to permissive.

Alex Sage

@JaredBusch said:

Note, I am still having issues with getting the SELinux labels right and currently still have it set to permissive.

Did you ever get this fixed?

JaredBusch

@anonymous said:

@JaredBusch said:

Note, I am still having issues with getting the SELinux labels right and currently still have it set to permissive.

Did you ever get this fixed?

Maybe? I have installed another server and I am not having the same problems. I have not had time to track it down yet.

JaredBusch

Coming back to this. Everything is running correctly with SELinux on except fail2ban.

I have to disable SELinux in order for fail2ban to have access to the owncloud.log file.

[root@owncloud log]# systemctl start fail2ban
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.
[root@owncloud log]# setenforce 0
[root@owncloud log]# systemctl start fail2ban
[root@owncloud log]#

-- Unit fail2ban.service has begun starting up.
Feb 24 15:13:26 owncloud fail2ban-client[15984]: ERROR  No file(s) found for glob /home/owncloud/data/owncloud.log
Feb 24 15:13:26 owncloud fail2ban-client[15984]: ERROR  Failed during configuration: Have not found any log file for owncloud ja
Feb 24 15:13:26 owncloud systemd[1]: fail2ban.service: control process exited, code=exited status=255
Feb 24 15:13:26 owncloud systemd[1]: Failed to start Fail2Ban Service.

[root@owncloud log]# ls -l /home/owncloud/data/owncloud.log
-rw-r-----. 1 apache apache 38136 Feb 24 15:09 /home/owncloud/data/owncloud.log
[root@owncloud log]#

Alex Sage

@JaredBusch seems the solution is here:

https://kerrenortlepp.wordpress.com/2015/03/16/setting-up-a-centos-7-server-for-owncloud-from-start-to-finish/

JaredBusch

@aaronstuder he is editing files when there are generally commands to do it. Just been to busy to look it up.

JaredBusch

** NOTE ** This post is asusming that you followed the instruction above to this point and I have not yet posted below that the instructions have been updated.

I need to find a little spare time to update my instructions, but everything is now working with SELinux enforcing.

the config and apps folder in the application directory need httpd read/write context in SELinux.

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps(/.*)?'
restorecon -R /var/www/html/owncloud/apps
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/config(/.*)?'
restorecon -R /var/www/html/owncloud/config

Then the owncloud.log file needs to be in the /var/log/ folder and have the httpd_log context

systemctl stop httpd
mv /home/owncloud/data/owncloud.log /var/log/owncloud.log
semanage fcontext -a -t httpd_log_t '/var/log/owncloud.log'
restorecon /var/log/owncloud.log

#-- edit the owncloud config to add a non-default log path
 nano /var/www/html/owncloud/config/config.php
#-- insert this next to another config line
'logfile' => '/var/log/owncloud.log',
#-- save and exit nano then start httpd back up
systemctl start httpd

Update the fail2ban jail.local, turn on SELinux and start fail2ban

systemctl stop fail2ban
sed -i -e 's/\/home\/owncloud\/data/\/var\/log/' /etc/fail2ban/jail.local
setenforce 1
systemctl start fail2ban

wirestyle22

So I performed this install specifically because I wanted to go through the upgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

scottalanmiller

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

RPM for owncloud-files? It will automatically download the new version?

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

rpm --import https://download.owncloud.org/download/repositories/9.0/CentOS_7/repodata/repomd.xml.key
wget http://download.owncloud.org/download/repositories/9.0/CentOS_7/ce:9.0.repo -O /etc/yum.repos.d/ce:9.0.repo

^this?

scottalanmiller

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

rpm --import https://download.owncloud.org/download/repositories/9.0/CentOS_7/repodata/repomd.xml.key
wget http://download.owncloud.org/download/repositories/9.0/CentOS_7/ce:9.0.repo -O /etc/yum.repos.d/ce:9.0.repo

^this?

Ah yes, you need the repo. But nothing beyond that.

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

rpm --import https://download.owncloud.org/download/repositories/9.0/CentOS_7/repodata/repomd.xml.key
wget http://download.owncloud.org/download/repositories/9.0/CentOS_7/ce:9.0.repo -O /etc/yum.repos.d/ce:9.0.repo

^this?

Ah yes, you need the repo. But nothing beyond that.

so just the bottom line or both parts? (sorry)

scottalanmiller

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

rpm --import https://download.owncloud.org/download/repositories/9.0/CentOS_7/repodata/repomd.xml.key
wget http://download.owncloud.org/download/repositories/9.0/CentOS_7/ce:9.0.repo -O /etc/yum.repos.d/ce:9.0.repo

^this?

Ah yes, you need the repo. But nothing beyond that.

so just the bottom line or both parts? (sorry)

You CAN skip the key, but it is good to have it.

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

So I performed this install specifically because I wanted to go through the uprgrade process to oC 9.0 All I can see is to download the owncloud-files package. Is that really all that is required?

If you use RPM, you should not even need to download something.

rpm --import https://download.owncloud.org/download/repositories/9.0/CentOS_7/repodata/repomd.xml.key
wget http://download.owncloud.org/download/repositories/9.0/CentOS_7/ce:9.0.repo -O /etc/yum.repos.d/ce:9.0.repo

^this?

Ah yes, you need the repo. But nothing beyond that.

so just the bottom line or both parts? (sorry)

You CAN skip the key, but it is good to have it.

Awesome. Thanks!

wirestyle22

Worked like a charm

wirestyle22

As an alternative I also tried to do yum -y upgrade owncloud and that worked as well

JaredBusch

@wirestyle22 said:

As an alternative I also tried to do yum -y upgrade owncloud and that worked as well

The original instructions in this post explicitly setup the 8.2 repo not the generic repo. So that is why it would not upgrade to 9.

wget http://download.owncloud.org/download/repositories/8.2/CentOS_7/ce:8.2.repo -O /etc/yum.repos.d/ce:8.2.repo

wirestyle22

@JaredBusch said:

@wirestyle22 said:

As an alternative I also tried to do yum -y upgrade owncloud and that worked as well

The original instructions in this post explicitly setup the 8.2 repo not the generic repo. So that is why it would not upgrade to 9.

wget http://download.owncloud.org/download/repositories/8.2/CentOS_7/ce:8.2.repo -O /etc/yum.repos.d/ce:8.2.repo

I see. Thanks!