In part 2 of setting up our OwnCloud server we get to the good part. That’s right, we are going to actually get the server running!

First we are going to download the image for a manual installation, and then we are going to configure a basic running instance. First off, let’s create a temporary directory and download the OwnCloud files into it. For me the latest version of OwnCloud was 5.0.12; you can check for the latest version at the OwnCloud link below.

mkdir ~/temp/
cd ~/temp/
wget http://download.owncloud.org/community/owncloud-5.0.12.tar.bz2
tar jxf owncloud-5.0.12.tar.bz2

Next we want to make sure we have all of the dependencies of OwnCloud. Run the following commands to make sure we do. These are the dependencies listed on the OwnCloud site; if, like me, you plan on using MySQL, then you should be able to omit the SQLite packages without any problems.

sudo apt-get install apache2 php5 php5-gd php-xml-parser php5-intl
sudo apt-get install php5-sqlite php5-mysql php5-pgsql smbclient curl libcurl3 php5-curl

Once they have installed correctly we can copy the OwnCloud files to our web server directory, which is /var/www/. First though, we want to remove the simple html file that is in our web server directory.

sudo rm /var/www/index.html
sudo cp -r ~/temp/owncloud/* /var/www/ 

Once the files have copied, we can test to see if they have copied correctly. Simply type the IP address of your server, in my case 192.168.2.100, into your web browser. Don’t worry if you get errors, we still have some more configuring to do. One problem that I found when following the OwnCloud manual installation instructions was that the OwnCloud installation was unable to create a data/ directory. So I simply created it manually, not wanting to give the www-data user write privileges in the web server folder. Then we need to change the ownership of the following three directories in our web server directory: apps/, data/ and config/.

sudo mkdir /var/www/data/
sudo chown -R www-data:www-data /var/www/apps/
sudo chown -R www-data:www-data /var/www/data/
sudo chown -R www-data:www-data /var/www/config/

Now when you refresh the OwnCloud page in your browser you should get a login screen with an error about .htaccess. This is the next part of our configuration, which is apache itself. With security in mind, it seems a given that we should be using secure http for all access to our OwnCloud server. The first thing we need to do is generate our keys and then generate a Certificate Signing Request. To keep our file system tidy, let’s do all the work in our temp directory. First we need to generate our secure key, which will ask for a pass phrase. If you want maximum security you should make it a complex password, which you will have to enter every time apache restarts. If you want to keep the pass phrase, you can skip commands 3 – 5. I don’t want to have to enter the pass phrase on start-up, however, so I am going to remove it. Once the password has been removed we then generate our CSR. It doesn’t really matter what information you put into the CSR, just remember the challenge password.

cd ~/temp/
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr

Now we need to generate our Self Signed Certificate. I wanted my certificate to last for 10 years so I don’t have to worry about it, but you can change it to however long you want. Then it is just a simple matter of copying the certificate and key to the appropriate folders.

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
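
A check for the key and certificate produced above, added here as an example and not part of the original post: it reports a key that still has a pass phrase, a certificate that does not belong to the key, and a key shorter than 2048 bits. The function names, the 2048-bit threshold and the 30-day expiry window are assumptions of this example, and the sample pair is constructed.

```sh
# Added example, not from the original post: audit an RSA key and certificate
# pair before pointing Apache at it. Requires the openssl command-line tool.

# Modulus size in bits, from the hex modulus openssl prints. "-passin pass:"
# supplies an empty pass phrase so an encrypted key fails instead of prompting.
rsa_bits() {  # usage: rsa_bits <key.pem>
    m=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

# One line per finding; no output means the pair passed every check.
check_tls_pair() {  # usage: check_tls_pair <key.pem> <cert.pem>
    bits=$(rsa_bits "$1") || {
        echo "key is unreadable or still passphrase-protected"; return 0; }
    [ "$bits" -ge 2048 ] || echo "key is $bits-bit RSA, below 2048"
    km=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null)
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || cm=
    [ -n "$cm" ] && [ "$km" = "$cm" ] || echo "certificate does not match key"
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 ||
        echo "certificate is unreadable or expires within 30 days"
}

# Constructed sample: a self-signed, 10-year pair of the given key size,
# written to <dir>/server.key and <dir>/server.crt.
sample_pair() {  # usage: sample_pair <dir> <bits>
    openssl req -x509 -newkey "rsa:$2" -nodes -days 3650 \
        -subj /CN=constructed.example \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Audit a 1024-bit pair like the one generated by the commands above.
tmp=$(mktemp -d)
sample_pair "$tmp" 1024 && check_tls_pair "$tmp/server.key" "$tmp/server.crt"
rm -rf "$tmp"
```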

Now we need to enable the SSL module in apache and make a backup of the config file before we update it. While we are working on modifying apache we will also enable the rewrite module. OwnCloud needs this enabled and it will save us an apache restart later down the track.

sudo a2enmod ssl
sudo a2enmod rewrite
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl.backup
sudo nano /etc/apache2/sites-available/default-ssl

Now change the following two settings to tell apache what key and certificate to use. These two settings are just below the SSLEngine on setting.

SSLCertificateFile    /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

While we are in the default-ssl file we might as well make the necessary changes to stop the .htaccess error as well. At the top of the file change the first two AllowOverride from None to All. It should end up looking something like this.

<Directory />
                Options FollowSymLinks
                AllowOverride All
</Directory>
<Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
</Directory>

Save and exit the config file and restart apache.

sudo service apache2 restart

You should now be able to go to the https:// version of your site. If you check out the certificate information, you should see the information you entered while creating it.

The next step for me was to change where OwnCloud was storing its user data. I want the data to be stored on a NAS system that I have rather than on the local hard drive. This requires an entry in the fstab file so Ubuntu will automount it at start-up. If you are happy with OwnCloud storing the user data on the local hard drive you can skip the next few steps.

sudo nano /etc/fstab

Then I added the following to the bottom of the file. This is for my specific setup; you will need to modify it to suit your needs.

//192.168.2.101/homes /var/www/data cifs credentials=/home/<username>/.smbcredentials,uid=www-data,gid=www-data,file_mode=0770,dir_mode=0770 0 0

Save and exit. We then need to create a file called .smbcredentials which will hold our NAS login details.

sudo nano ~/.smbcredentials

Now enter your NAS login details, then save and exit. Now we want to make the file so that only the root user can read it. That way any would-be hackers need root access to be able to get your NAS login details.

sudo chmod 400 ~/.smbcredentials

If you were to try to read .smbcredentials now as a standard user, you would get permission denied. The next step is to tell Ubuntu to go back through the fstab file and mount everything in it.

sudo mount -a

The data directory should now be pointing to your NAS. To test it out, create a file or folder in the directory you pointed to on your NAS. Then if you list the files in the data directory of your OwnCloud server it should appear.

sudo ls -l /var/www/data/

Don’t worry, we are getting very close to being able to log in to our OwnCloud Server! Now we need to set up a MySQL database. If you are planning on using SQLite then you can skip the following steps. First we need to log into MySQL as the root user. Use the password you entered when you installed MySQL.

mysql -u root -p

Now enter the following commands. Change the username and password to what you want your database login details to be.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';
quit

Now if you go to your browser and navigate to your OwnCloud server we can log on. This first time you are entering the login details of your administrator user. You can choose any username and password combination that you want. You will also need to drop down the advanced section and enter the MySQL details you just made. If all has gone to plan you should be able to click Finish Setup and log in as your administrator.

Congratulations on setting up your very own OwnCloud server. I hope my log of what I did was useful to you. As always if you have any questions or comments hit me up below.

 

By Ryan Sevelj

 

Sources:

owncloud.org

https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

https://help.ubuntu.com/lts/serverguide/httpd.html

OwnCloud is the most advanced and user-friendly cloud software suite that I have been able to find. It is under active development and features are constantly being added. Today we will look at getting a simple web server set up with SSH access and simple security measures installed.

Here are the steps I used to set up my OwnCloud server. It is based on a fresh, updated install of Ubuntu Server 12.04 LTS with the SSH server, LAMP server and samba server selected during installation. While I have taken all the steps I know of to set this up securely, I am not a security professional and this in no way represents advice. They are merely the steps I took to set up my own server. At the bottom of the post I will provide the sources for my information.

The first thing I did was set up a static IP address for the server. This will make it much easier to use SSH, which is my preferred method to access the machine.

sudo nano /etc/network/interfaces

I then changed the interface I was using as follows.

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.2.150
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1
dns-nameservers 192.168.2.1

After saving and exiting nano, the networking service needs to be restarted. This will make it use the new settings.

sudo /etc/init.d/networking restart

Once the service has restarted you should now be able to ping the outside world to test the new settings. It is now a simple matter for me to use SSH to remotely access my server using the following command from my laptop. When prompted for the password, simply use the password you created for the user on your server.

ssh <username>@192.168.2.150

Now that we have made our lives a little more easy and comfortable with our laptop access we need to make ourselves a cuppa. Now we can think about serious things like security for our server. I am not going to flog a dead horse and repeat all the great information that the good folks around the internet have put up, so just check the links if you want to see why I did things the way I have. The first thing I wanted to do was to secure my SSH further. The first step was to generate SSH keys; this allows me to disable password access via SSH, making it much harder to guess the password by brute force. The first step is to generate the keys on your laptop and then copy them to the server. It is recommended that you choose a strong pass-phrase for your SSH keys, as this will slow down anyone who has stolen your key from accessing your server.

ssh-keygen -t rsa -b 4096
ssh-copy-id <username>@192.168.2.150
ssh-add

Now you should be able to access your server with SSH without having to enter your user’s password. If you still have to enter the password, try rebooting both machines. If that still has not given you passwordless access, then check the troubleshooting in the links below. If you continue on with the following steps you will lock yourself out from SSH access if your keys are not working! You have been warned. Now, onwards and upwards.

The next step is to lock SSH down a bit. Firstly, we will change the ssh port, disable access by password authentication, prevent the root user from being able to log in, limit which users can gain access via SSH, increase the access logging level and add a banner. Sounds like quite a lot, but fortunately it is all in a single SSH configuration file. Before we make any changes though, it is always a good idea to make a backup of the config file and make it read only.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

Now we are set to make our changes.

sudo nano /etc/ssh/sshd_config

Find the following lines and make sure they are the same as below. Again there is more info in the links below. I had to add the AllowUsers line to the bottom of the config file. Note here that I did not use port 1234, that is just an example. I recommend that you choose a random port number too.

Port 1234
PasswordAuthentication no
PermitRootLogin no
LogLevel VERBOSE
Banner /etc/issue.net
AllowUsers <username>
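
As an added example (not part of the original post), the shell functions below check an sshd_config for the settings listed above before the SSH server is restarted, which matters because a mistake here can lock you out. The function names and the sample file are constructed for illustration; the sample shows that a commented-out line sets nothing and that only the first occurrence of a keyword takes effect.

```sh
# Added example, not from the original post: audit sshd_config against the
# settings listed above before restarting the SSH server.

# Effective global value of a keyword. Keywords are case-insensitive, comment
# lines do not count, the first occurrence wins, and anything after the first
# Match line is conditional, so parsing stops there.
sshd_value() {  # usage: sshd_value <file> <keyword>
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# One line per finding; no output means the file matches the post's settings.
audit_sshd() {  # usage: audit_sshd <file>
    for want in PasswordAuthentication=no PermitRootLogin=no LogLevel=VERBOSE; do
        v=$(sshd_value "$1" "${want%%=*}")
        [ "$v" = "${want#*=}" ] || echo "${want%%=*} is '${v:-unset}', expected '${want#*=}'"
    done
    v=$(sshd_value "$1" Port)
    [ -n "$v" ] && [ "$v" != 22 ] || echo "Port is still the default 22"
    v=$(sshd_value "$1" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is unset, so any account may log in"
    v=$(sshd_value "$1" Banner)
    [ -r "$v" ] || echo "Banner file '${v:-unset}' is missing or unreadable"
}

# Constructed sample: the commented line and the second PermitRootLogin are
# both ignored by sshd, and AllowUsers is absent.
sample_config() {  # usage: sample_config <dir>; prints the config path
    echo 'Authorized use only.' > "$1/issue.net"
    cat > "$1/sshd_config" <<EOF
Port 1234
#PasswordAuthentication no
PermitRootLogin yes
PermitRootLogin no
LogLevel VERBOSE
Banner $1/issue.net
EOF
    echo "$1/sshd_config"
}

tmp=$(mktemp -d)
audit_sshd "$(sample_config "$tmp")"
rm -rf "$tmp"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before the restart.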

Save the changes and exit the sshd_config file. Now we need to make our banner. You can put any information you want on your banner. I chose to put the legal mumbo jumbo that is on the Ubuntu help page.

sudo nano /etc/issue.net

Save the changes and then restart the SSH server.

sudo restart ssh

The next time you go to SSH into your server you will need to change your command as follows. The 1234 should be the port you specified in your sshd_config file.

ssh <username>@192.168.2.150 -p 1234

The next step I took was to secure MySQL a bit more. MySQL has a built-in tool that will automatically go through and secure it for you. The only default I didn’t go with through this tool was to change the root password. This was because I had already set my password during the server installation process.

sudo mysql_secure_installation

The final step I took was to install Fail2ban. This is a handy program that will monitor your system logs and try to block any malicious activity.

sudo apt-get install fail2ban

We then just have to configure fail2ban for our setup.

sudo nano /etc/fail2ban/jail.conf

These are the changes to the config file that I made.

[DEFAULT]
bantime = 6000

[ssh]
port = 1234
maxretry = 3

[apache]
enabled = true
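
Because sshd was moved off port 22 earlier, the [ssh] jail only protects it if its port setting was moved too. The following added example (not part of the original post) reads a jail file the way fail2ban resolves it, with [DEFAULT] supplying any key a jail does not set, and reports a mismatch; the function names and the sample file are constructed.

```sh
# Added example, not from the original post: confirm the fail2ban [ssh] jail is
# enabled and covers the port sshd was moved to.

# Value of <key> in <section>, falling back to [DEFAULT] like fail2ban does.
jail_value() {  # usage: jail_value <file> <section> <key>
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == want) { val = v; hit = 1 } else if (sec == "DEFAULT") dflt = v
        }
        END { print (hit ? val : dflt) }
    ' "$1"
}

# One line per finding; no output means bans will apply to the sshd port.
check_ssh_jail() {  # usage: check_ssh_jail <jail.conf> <sshd-port>
    [ "$(jail_value "$1" ssh enabled)" = "true" ] || echo "[ssh] jail is not enabled"
    p=$(jail_value "$1" ssh port)
    [ "$p" != ssh ] || p=22           # "ssh" is the service name for port 22
    case ",$p," in
        *",$2,"*) ;;                   # port may be a comma-separated list
        *) echo "[ssh] jail covers port '${p:-unset}' but sshd listens on $2" ;;
    esac
}

# Constructed sample: a jail file where the [ssh] port was left at its default.
sample_jail() {  # usage: sample_jail <path>
    cat > "$1" <<'EOF'
[DEFAULT]
bantime = 6000
maxretry = 6

[ssh]
enabled = true
port = ssh
maxretry = 3
EOF
}

tmp=$(mktemp)
sample_jail "$tmp"
check_ssh_jail "$tmp" 1234
rm -f "$tmp"
```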

Save the changes and exit the file. I then rebooted the system before progressing on.

sudo reboot

In Part 2 of setting up your personal OwnCloud server, we will take a look at getting it downloaded and set-up. If you have any tips or suggestions feel free to drop a comment below. Stay tuned for the next instalment.

 

By Ryan Sevelj

 

Sources:

https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

https://help.ubuntu.com/community/SSH/OpenSSH/Keys

http://www.fail2ban.org/wiki/index.php/Main_Page