Merge pull request #14 from riegercloud/work

Work consolidated
2026-03-08 05:31:52 +00:00 · 2018-04-24 12:40:28 +02:00
parent 9f92ba275c 693df229ba
commit 06ca42f7da
2 changed files with 139 additions and 20 deletions
--- a/README.md
+++ b/README.md
@@ -1,8 +1,9 @@
 # install-nextcloud
 Install, optimize and harden your self hosted Nextcloud (based on Ubuntu 16.04.x LTS 64Bit) using two shell scripts only.

-The initial script (install-nextcloud.sh) will install your self hosted Nextcloud within few minutes fully automated. Your server will be built of:
+The initial script (install-nextcloud.sh) will install and optimize your self hosted Nextcloud within few minutes fully automated. Your server will be built of:

+    Fail2Ban (nextcloud and ssh jails)
    MariaDB
    Nextcloud 13.0.1
    NGINX 1.14
@@ -10,10 +11,10 @@ The initial script (install-nextcloud.sh) will install your self hosted Nextclou
    PHP 7.2.4
    Redis-Server
    self signed certificates or Let's Encrypt SSL
+    UFW (22,80,443)

-The only precondition for this script is to use Ubuntu 16.04.4 LTS 64Bit as your server OS.
-
-Configure your Nextcloud in your preferred browser and participate of the opportunity to issue the second script called "optimizations.sh", which will optimize your Nextcloud (cache, previews, cron etc.) and  install + configure fail2ban and ufw to harden your Nextcloud server. At least you may request a ssl certificate from letsencrypt by issuing the third script called "ssl-certificat.sh".
+The only precondition for both scripts is to use Ubuntu 16.04.4 LTS 64Bit as your server OS.
+At least (optionally) you may request a ssl certificate from letsencrypt by issuing the second script called "ssl-certificat.sh".

 Ready to go? Let's start:

--- a/install-nextcloud.sh
+++ b/install-nextcloud.sh
@@ -24,6 +24,13 @@ function restart_all_services() {
 /usr/sbin/service redis-server restart
 /usr/sbin/service php7.2-fpm restart
 }
+###global function to scan Nextcloud data and generate an overview for fail2ban & ufw
+function nextcloud_scan_data() {
+sudo -u www-data php /var/www/nextcloud/occ files:scan --all
+sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
+fail2ban-client status nextcloud
+ufw status verbose
+}
 cd /usr/local/src
 update_and_clean
 ###prepare the server environment
@@ -215,19 +222,19 @@ innodb_file_format=barracuda
 innodb_file_per_table=1
 EOF
 clear
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "The Nextcloud-DB username and the Nextcloud-DB password - Attention: case-sensitive:"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "Keep both in mind - you will be asked for while finishing the Nextcloud-Wizard!"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "The Nextcloud-DB username and password - Attention: password is case-sensitive:"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 read -p "Nextcloud DB-Username: " NEXTCLOUDDBUSER
+echo ""
 echo "Your Nextcloud-DB user: "$NEXTCLOUDDBUSER
 echo ""
 read -p "Nextcloud DB-Password: " NEXTCLOUDDBPASSWORD
+echo ""
 echo "Your Nextcloud-DB password: "$NEXTCLOUDDBPASSWORD
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 ###restart MariaDB server andconnect to MariaDB
 service mysql restart && mysql -uroot <<EOF
@@ -424,9 +431,9 @@ rm latest.tar.bz2
 update_and_clean
 restart_all_services
 clear
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "The Nextcloud-Administrator and Password - Attention: password is case-sensitive:"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Nextcloud-Administrator and password - Attention: password is case-sensitive:"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 echo "Your Nextcloud-DB user: "$NEXTCLOUDDBUSER
 echo ""
@@ -438,20 +445,131 @@ echo ""
 read -p "Enter your Nextcloud Administrator password: " NEXTCLOUDADMINUSERPASSWORD
 echo "Your Nextcloud Administrator password: "$NEXTCLOUDADMINUSERPASSWORD
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo ""
+echo "Your NEXTCLOUD will now be installed silently - please be patient ..."
 echo ""
-echo " NEXTCLOUD will now be installed silently - be patient ..."
 sudo -u www-data php /var/www/nextcloud/occ maintenance:install --database "mysql" --database-name "nextcloud"  --database-user "$NEXTCLOUDDBUSER" --database-pass "$NEXTCLOUDDBPASSWORD" --admin-user "$NEXTCLOUDADMINUSER" --admin-pass "$NEXTCLOUDADMINUSERPASSWORD" --data-dir "/var/nc_data"
 declare -l YOURSERVERNAME
-###read the current hostname
+###read and store the current hostname in lowercases
 YOURSERVERNAME=$(hostname)
 sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
 sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$YOURSERVERNAME
 sudo -u www-data sed -in 's/http:\/\/localhost/https:\/\/'$YOURSERVERNAME'/' /var/www/nextcloud/config/config.php
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+###backup of the effected file .user.ini
+cp /var/www/nextcloud/.user.ini /var/www/nextcloud/.user.ini.bak
+###apply Nextcloud optimizations
+sudo -u www-data sed -i "s/upload_max_filesize=.*/upload_max_filesize=10240M/" /var/www/nextcloud/.user.ini
+sudo -u www-data sed -i "s/post_max_size=.*/post_max_size=10240M/" /var/www/nextcloud/.user.ini
+sudo -u www-data sed -i "s/output_buffering=.*/output_buffering='Off'/" /var/www/nextcloud/.user.ini
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sudo -u www-data php /var/www/nextcloud/occ background:cron
+###apply optimizations to Nextclouds global config.php
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+cat <<EOF >>/var/www/nextcloud/config/config.php
+'activity_expire_days' => 14,
+'auth.bruteforce.protection.enabled' => true,
+'blacklisted_files' =>
+array (
+0 => '.htaccess',
+1 => 'Thumbs.db',
+2 => 'thumbs.db',
+),
+'cron_log' => true,
+'enable_previews' => true,
+'enabledPreviewProviders' =>
+array (
+0 => 'OC\\Preview\\PNG',
+1 => 'OC\\Preview\\JPEG',
+2 => 'OC\\Preview\\GIF',
+3 => 'OC\\Preview\\BMP',
+4 => 'OC\\Preview\\XBitmap',
+5 => 'OC\\Preview\\Movie',
+6 => 'OC\\Preview\\PDF',
+7 => 'OC\\Preview\\MP3',
+8 => 'OC\\Preview\\TXT',
+9 => 'OC\\Preview\\MarkDown',
+),
+'filesystem_check_changes' => 0,
+'filelocking.enabled' => 'true',
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logtimezone' => 'Europe/Berlin',
+'log_rotate_size' => 104857600,
+'memcache.local' => '\\OC\\Memcache\\APCu',
+'memcache.locking' => '\\OC\\Memcache\\Redis',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' =>
+array (
+'host' => '/var/run/redis/redis.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Shares',
+'skeletondirectory' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+);
+EOF
+###remove leading whitespaces
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+restart_all_services
+update_and_clean
+###installfail2ban
+apt install fail2ban -y
+###create a fail2ban Nextcloud filter 
+touch /etc/fail2ban/filter.d/nextcloud.conf
+cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
+            ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
+            ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*\$
+EOF
+###create a fail2ban Nextcloud jail
+touch /etc/fail2ban/jail.d/nextcloud.local
+cat <<EOF >/etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 36000
+findtime = 36000
+logpath = /var/nc_data/nextcloud.log
+EOF
+update_and_clean
+###install ufw
+apt install ufw -y
+###open firewall ports 80+443 for http(s)
+ufw allow 80/tcp
+ufw allow 443/tcp
+###open firewall port 22 for SSH
+ufw allow 22/tcp
+###enable UFW (autostart)
+ufw enable
+###restart fail2ban, ufw and redis-server services
+/usr/sbin/service ufw restart
+/usr/sbin/service fail2ban restart
+/usr/sbin/service redis-server restart
+###clean up redis-server
+redis-cli -s /var/run/redis/redis.sock <<EOF
+FLUSHALL
+quit
+EOF
+restart_all_services
+nextcloud_scan_data
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
-echo " Open your browser and call: https://$YOURSERVERNAME"
-echo""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo " Open your browser and call your Nextcloud at"
+echo ""
+echo " https://$YOURSERVERNAME"
+echo ""
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 exit 0