@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:\\ as well.

Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one things to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

@wirestyle22 said in Securing NextCloud:

@zachary715

Give PHP read access to /dev/urandom
Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

^sounds like a great idea although I've never used it myself.

How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:\\ as well.

Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I have successfully installed Nextcloud thanks to the plethora of great content available from community members. The next step for me is how do I secure it? For that, Nextcloud has a great document found HERE which details some steps you can to better secure it. As a Linux noob, I don't have much of a clue as to how to even accomplish some of these things.

My question then is for those of you who install Nextcloud regularly, what steps do you consistently take to secure your setups? Change SSH port? Fail2ban? DMZ? How do your security measures differ (or do they) if installed locally vs colo vs Vultr? Any steps given on what you do would be appreciated as a learning tool for myself and others who come across this.

@scottalanmiller said in Certbot Apache plugin broken in Fedora 26:

I ran into this issue, forgot about this thread, went through LetsEncrypt's threads and their solution for this problem led me... here! Very nice.

Just did the exact same thing. Let'sEncrypt forum had the link which led me here right about the time @JaredBusch was responding in my other thread.

@scottalanmiller said in Install Nextcloud 11.03 on Fedora 25 Minimal:

@zachary715 FYI... Fedora 27 is the current version.

Yes I understand. Fedora 26 I already had on hand and this would give me a chance to get Nextcloud up and running and then do the upgrade to Fedora 27 to see that process as we discussed the other day.

I'm trying this now on Fedora 26 Minimal and Nextcloud 12.0.4. Everthing goes smoothly until I get to install the SSL cert. This is the first message I see regarding certbot during installation.

   Installing       : certbot-0.19.0-1.fc26.noarch           73/73
   Running scriptlet: certbot-0.19.0-1.fc26.noarch           73/73
ValueError: File context for /etc/(letsencrypt|certbot)/(live|archive)(/.*)? already defined
restorecon: lstat(/etc/letsencrypt) failed: No such file or directory
Running as unit: run-r45b016845f8b4d91ba5cd0819576f126.service

I didn't initially notice this so I moved on.

[root@nextcloud nextcloud]# certbot --apache certonly --email [email protected] --domain cloud.domain.com --agree-tos --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
The requested apache plugin does not appear to be installed

So then I'm thinking the apache plugin didn't install. Ran dnf install python-certbot-apache again and it came back as installed. This is when I noticed the first message during the initial installation attempt.

I then checked the logs below

 [root@nextcloud nextcloud]# cat /var/log/letsencrypt/letsencrypt.log
2017-12-21 15:13:03,500:DEBUG:certbot.main:certbot version: 0.19.0
2017-12-21 15:13:03,501:DEBUG:certbot.main:Arguments: ['--apache', '--email', '[email protected]', '--domain', 'cloud.domain.com', '--agree-tos', '--non-interactive']
2017-12-21 15:13:03,501:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-12-21 15:13:03,514:DEBUG:certbot.log:Root logging level set at 20
2017-12-21 15:13:03,514:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-12-21 15:13:03,516:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-12-21 15:13:03,516:DEBUG:certbot.plugins.selection:No candidate plugin
2017-12-21 15:13:03,516:DEBUG:certbot.plugins.selection:No candidate plugin
2017-12-21 15:13:03,516:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2017-12-21 15:13:03,516:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
2017-12-21 15:13:03,517:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 765, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3.6/site-packages/certbot/plugins/selection.py", line 201, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/plugins/selection.py", line 297, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The requested apache plugin does not appear to be installed

When I ran through this procedure for CentOS7 few days back I had no issues. Has the apache plugin required changed? What am I missing?

EDIT: I also ensured certbot installed successfully with dnf install certbot and it came back as installed.

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@dashrender said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@dashrender said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@dashrender said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@dashrender said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@irj said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

Recently my family has asked me a lot of security related questions due to increased paranoia via the media. They wanted a way for them to send files securely. I of course said I can give them access to my Nextcloud server for their personal use but only for sending files, not for storing them indefinitely. I don't want to have to go into /var/www/nextcloud/data/ to audit what they have and how long they have had it there, so I wanted to create a cron job that deletes anything that has existed for 7 days, but only for certain users. Any advice or resources you guys have to offer would be appreciated, including alternative methods. Thanks.

Just add space to your server and let your parent's have a regular account with regular permissions or or have them pay for a hosted server

My fiance's Mom and Dad are the worst kind of computer paranoid. When you combine that with how frugal they are it's almost unworkable. After a conversation about how paranoid they were about viruses/bad websites I offered to build a $2.50/month pi-hole server on Vultr that the entire family can use and that was too much money to give you an idea of what I'm talking about here.

LOL - OMG, then they really aren't that paranoid, because clearly they aren't willing to do what must be done to get over the paranoia.

I'm convinced these people like to live in a constant state of fear. There is no other explanation for their behavior.

Now sure why this is your problem to solve?

Not a Psychiatrist, just the best damned IT tech they know. Since I'm the only one I'm also the worst IT tech they know too.

LOL - but you allow yourself to be made to work for them for free.

I'm not as heartless as @JaredBusch , but I definitely don't do things that cause issue for me.

It's not that much work though. I'm just giving them access with some restrictions

until it breaks, or they forget how to use it, etc, etc, etc... it's a life long commitment to support.

When you get married you are also marrying their family. Someone help me

PREACH

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

@irj said in Self-Imposed Nextcloud Limitations:

@wirestyle22 said in Self-Imposed Nextcloud Limitations:

Recently my family has asked me a lot of security related questions due to increased paranoia via the media. They wanted a way for them to send files securely. I of course said I can give them access to my Nextcloud server for their personal use but only for sending files, not for storing them indefinitely. I don't want to have to go into /var/www/nextcloud/data/ to audit what they have and how long they have had it there, so I wanted to create a cron job that deletes anything that has existed for 7 days, but only for certain users. Any advice or resources you guys have to offer would be appreciated, including alternative methods. Thanks.

Just add space to your server and let your parent's have a regular account with regular permissions or or have them pay for a hosted server

My fiance's Mom and Dad are the worst kind of computer paranoid. When you combine that with how frugal they are it's almost unworkable. After a conversation about how paranoid they were about viruses/bad websites I offered to build a $2.50/month pi-hole server on Vultr that the entire family can use and that was too much money to give you an idea of what I'm talking about here.

This is not frugal, this is cheap. There is a difference

@jaredbusch said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

@zachary715 said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

@scottalanmiller said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

If you are doing fresh, I'd be doing it on Fedora 27 as well.

So the lifecycle of Fedora versions are around a year correct? On a server like this, can I assume the constant updating of the underlying OS won't negatively impact the NextCloud installation? (I'm coming from Windows world where this is always a consideration). Or are you guys constantly spinning up new VMs and migrating data that frequently?

Either way, I'll give it a shot so that it forces me to do it a little differently.

New versions come on a 6 month cycle. But I have never had something like this break things.

I am sure back when they first switched to systemd it would be an issue.

Yeah I just meant each version would get support for one year-ish. But ok I'll give that a shot then if I can find that guide.

In my ignorance, I wasn't really sure what "Shut down NextCloud" meant other than stop httpd so that's what I was doing. I also had to modify the commands from /data to /var/www/html/nextcloud/data/ since that's where the other guide had me put the data folder. I tried the commands initially as stated and got an error about not being able to find /data/

In the end, I could see the links created, however I started getting error messages when trying to delete test files I had sent up and such. No big deal. Now I will be attempting to redo this on Fedora server and set it up where /data is on the block storage from the start.

@scottalanmiller said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

If you are doing fresh, I'd be doing it on Fedora 27 as well.

So the lifecycle of Fedora versions are around a year correct? On a server like this, can I assume the constant updating of the underlying OS won't negatively impact the NextCloud installation? (I'm coming from Windows world where this is always a consideration). Or are you guys constantly spinning up new VMs and migrating data that frequently?

Either way, I'll give it a shot so that it forces me to do it a little differently.

Alright that's straightforward enough. I was able to mount the block storage and create the symlinks. Ran into a few issues, but no biggie. Now I'd like to scrap what I did and go through it again, except this time make the block storage the default location for the data.

Looking at the guide again, I can see where you create the data directory initially in
/var/www/html/nextcloud/data. I'm assuming we'll skip that step since our data will be in mounted volume /blockstorage.

Throughout the rest of the guide, am I essentially changing all the references to /var/www/html/nextcloud/data to /blockstorage?

What other steps should I be aware of?

@scottalanmiller said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

@zachary715 said in Install NextCloud 11.0.2 on CentOS 7 with PHP 7.1 from Remi:

• Could I migrate to this setup while running? It may be easier to do during installation, but again just trying to learn.

Migrating isn't hard but would require some downtime. Maybe just a few minutes, but it would not be zero.

Simple enough that you wouldn't mind walking me through it or pointing me in the right direction? Downtime isn't an issue since nothing is on it.

In a scenario where you might want the additional storage capacity in SSD therefore want to add a lot of block storage to an instance, would it make sense to install Nextcloud to the 25GB drive and then relocate the /var/www/html/nextcloud/data directory to the larger block storage space?

• Would there be benefits to this setup from a migration standpoint in the future or in case of boot drive failure?

• Not fully understanding yet what all of these steps are accomplishing during installation and setup, would creating this setup from the get-go be as easy as pointing some of these commands to the directory of the block storage, or more complicated than that? (Not asking you to necessarily show these steps, just inform me)

• Could I migrate to this setup while running? It may be easier to do during installation, but again just trying to learn.

I'm mainly doing this for personal learning and testing so I'll operate it as a span for the time being. If I decide if I want to get more serious with it, I'll look to grab some SATA storage instances if they come available or run it elsewhere. Thanks

@scottalanmiller When you say "not an ideal way to use your storage", are you referring to adding the block storage on top of the storage already provided in the instance, or trying to manually expand things after the fact?

I guess my question then is if I wanted this to be done right, am I better off just destroying this instance and going through it again, adding the block storage initially from the CentOS install menu? Or is adding the block storage to make the usable space larger not an ideal setup for nextcloud period?

I installed this VM in the NJ datacenter because I had a free 50GB promotional block storage available from a while back waiting to give this a go. I attached the block storage to the VM prior to install, however at the installation screens where you select disks, I wasn't sure how to go about it so I only selected the 25GB disk that came with the $5 instance.

Now that I have everything setup, running df-h is only showing the 25GB storage so I apparently should have chosen both disks. Is there a way to attach the block storage to this nextcloud instance now that it's up and running without having to redo the whole thing? Ideally, I would like to have the 25GB + 50GB block storage for a total of 75GB if possible.

I just completed this guide on Vultr using Nextcloud 12.0.4 and CentOS 7. No issues here. Thanks as these guides are getting me more familiar with Linux vs the appliance install.