From 1bfe0de388193e545ac906eca5fd50eddbb0c656 Mon Sep 17 00:00:00 2001
From: "rieger::CLOUD"
Date: Tue, 24 Apr 2018 12:27:04 +0200
Subject: [PATCH 1/3] Consolidations script 1 and 2
---
 install-nextcloud.sh | 150 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 134 insertions(+), 16 deletions(-)
diff --git a/install-nextcloud.sh b/install-nextcloud.sh
index b19622c..b0c98c3 100644
--- a/install-nextcloud.sh
+++ b/install-nextcloud.sh
@@ -24,6 +24,13 @@ function restart_all_services() {
 /usr/sbin/service redis-server restart
 /usr/sbin/service php7.2-fpm restart
 }
+###global function to scan Nextcloud data and generate an overview for fail2ban & ufw
+function nextcloud_scan_data() {
+sudo -u www-data php /var/www/nextcloud/occ files:scan --all
+sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
+fail2ban-client status nextcloud
+ufw status verbose
+}
 cd /usr/local/src
 update_and_clean
 ###prepare the server environment
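Review bot: `fail2ban-client status nextcloud` and `ufw status verbose` in the new nextcloud_scan_data() assume both tools are installed and that the `nextcloud` jail already exists; if the function is called before the fail2ban/ufw setup (its call site is not in this hunk) both commands fail and the function's exit status is simply whatever `ufw` returned. Guarding them costs two lines: `command -v fail2ban-client >/dev/null 2>&1 && fail2ban-client status nextcloud` and `command -v ufw >/dev/null 2>&1 && ufw status verbose`. The header comment also over-promises: the two `occ files:scan` calls have nothing to do with fail2ban or ufw, so a comment such as `###rescan Nextcloud data, then print fail2ban jail and ufw status` describes what the body actually does.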
@@ -215,19 +222,19 @@ innodb_file_format=barracuda innodb_file_per_table=1 EOF clear -echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" -echo "The Nextcloud-DB username and the Nextcloud-DB password - Attention: case-sensitive:" -echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" -echo "Keep both in mind - you will be asked for while finishing the Nextcloud-Wizard!" -echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" +echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" +echo "The Nextcloud-DB username and password - Attention: password is case-sensitive:" +echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" echo "" read -p "Nextcloud DB-Username: " NEXTCLOUDDBUSER +echo "" echo "Your Nextcloud-DB user: "$NEXTCLOUDDBUSER echo "" read -p "Nextcloud DB-Password: " NEXTCLOUDDBPASSWORD +echo "" echo "Your Nextcloud-DB password: "$NEXTCLOUDDBPASSWORD echo "" -echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" +echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" echo "" ###restart MariaDB server andconnect to MariaDB service mysql restart && mysql -uroot <>/var/www/nextcloud/config/config.php +'activity_expire_days' => 14, +'auth.bruteforce.protection.enabled' => true, +'blacklisted_files' => +array ( +0 => '.htaccess', +1 => 'Thumbs.db', +2 => 'thumbs.db', +), +'cron_log' => true, +'enable_previews' => true, +'enabledPreviewProviders' => +array ( +0 => 'OC\\Preview\\PNG', +1 => 'OC\\Preview\\JPEG', +2 => 'OC\\Preview\\GIF', +3 => 'OC\\Preview\\BMP', +4 => 'OC\\Preview\\XBitmap', +5 => 'OC\\Preview\\Movie', +6 => 'OC\\Preview\\PDF', +7 => 'OC\\Preview\\MP3', +8 => 'OC\\Preview\\TXT', +9 => 'OC\\Preview\\MarkDown', +), +'filesystem_check_changes' => 0, +'filelocking.enabled' => 'true', 
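Review bot: The password prompt this hunk reworks still exposes the secret twice: `read -p "Nextcloud DB-Password: " NEXTCLOUDDBPASSWORD` shows it as it is typed, and the following `echo "Your Nextcloud-DB password: "$NEXTCLOUDDBPASSWORD` prints it again, so it lands in terminal scrollback and in any session recording. Use `read -s -p "Nextcloud DB-Password: " NEXTCLOUDDBPASSWORD` (the `echo ""` the hunk adds right after it supplies exactly the newline that `-s` suppresses) and replace the echo-back with a line that does not contain the value, e.g. `echo "Nextcloud-DB password set for user: "$NEXTCLOUDDBUSER`. The value is then fed to `mysql -uroot` through a here-document whose body is not visible in this chunk; a password containing a single quote would presumably break the quoted SQL literal there, so it is worth confirming that the input is escaped or rejected before use.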
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logtimezone' => 'Europe/Berlin',
+'log_rotate_size' => 104857600,
+'memcache.local' => '\\OC\\Memcache\\APCu',
+'memcache.locking' => '\\OC\\Memcache\\Redis',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' =>
+array (
+'host' => '/var/run/redis/redis.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Shares',
+'skeletondirectory' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+);
+EOF
+###remove leading whitespaces
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+restart_all_services
+update_and_clean
+###installfail2ban
+apt install fail2ban -y
+###create a fail2ban Nextcloud filter
+touch /etc/fail2ban/filter.d/nextcloud.conf
+cat </etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*"}$
+ ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: ''\)".*}$
+ ^.*\"remoteAddr\":\"\".*Trusted domain error.*\$
+EOF
+###create a fail2ban Nextcloud jail
+touch /etc/fail2ban/jail.d/nextcloud.local
+cat </etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 36000
+findtime = 36000
+logpath = /var/nc_data/nextcloud.log
+EOF
+update_and_clean
+###install ufw
+apt install ufw -y
+###open firewall ports 80+443 for http(s)
+ufw allow 80/tcp
+ufw allow 443/tcp
+###open firewall port 22 for SSH
+ufw allow 22/tcp
+###enable UFW (autostart)
+ufw enable
+###restart fail2ban, ufw and redis-server services
+/usr/sbin/service ufw restart
+/usr/sbin/service fail2ban restart
+/usr/sbin/service redis-server restart
+###clean up redis-server
+redis-cli -s /var/run/redis/redis.sock <
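Review bot: `ufw enable` prompts for confirmation when run from a terminal ("Command may disrupt existing ssh connections"), so an otherwise unattended installer stops there waiting for input or consumes an unrelated keystroke; in a script this should be `ufw --force enable`. Putting `ufw allow 22/tcp` before the enable is the right order, but the SSH port is hard-coded, so if sshd listens elsewhere the enable locks the operator out; deriving the port from the sshd configuration, or at least stating the assumption in the comment, would be safer. `logpath = /var/nc_data/nextcloud.log` in the jail depends on a data directory and log target configured elsewhere in the script (not visible here); if the log goes to syslog instead, the jail matches nothing, so a comment such as `###must match datadirectory and log_type in config.php` documents the coupling. The hunk header for this block is not visible in this chunk, so the lines immediately before `'activity_expire_days'` could not be reviewed.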
Date: Tue, 24 Apr 2018 12:27:45 +0200
Subject: [PATCH 2/3] Delete optimizations.sh
---
 optimizations.sh | 139 -----------------------------------------------------------------------------------------------------------------------------------------
 1 file changed, 139 deletions(-)
 delete mode 100644 optimizations.sh
diff --git a/optimizations.sh b/optimizations.sh
deleted file mode 100644
index 520dba1..0000000
--- a/optimizations.sh
+++ /dev/null
@@ -1,139 +0,0 @@
-#######################################################
-# Carsten Rieger IT-Services
-# OPTIMIZATIONS.SH
-# Version 1.2
-# April 23rd, 2018
-# version 1.2: remove whitespaces from config.php
-# version 1.1: added functions
-# Version 1.0: initial script
-#######################################################
-#!/bin/bash
-###global function to update and cleanup the environment
-function update_and_clean() {
-apt update
-apt upgrade -y
-apt autoclean -y
-apt autoremove -y
-}
-###global function to restart all cloud services
-function restart_all_services() {
-/usr/sbin/service nginx restart
-/usr/sbin/service mysql restart
-/usr/sbin/service redis-server restart
-/usr/sbin/service php7.2-fpm restart
-}
-###global function to scan Nextcloud data and generate an overview for fail2ban & ufw
-function nextcloud_scan_data() {
-sudo -u www-data php /var/www/nextcloud/occ files:scan --all
-sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
-fail2ban-client status nextcloud
-ufw status verbose
-}
-###backup of the effected file
-cp /var/www/nextcloud/.user.ini /var/www/nextcloud/.user.ini.bak
-###apply optimizations
-sudo -u www-data sed -i "s/upload_max_filesize=.*/upload_max_filesize=10240M/" /var/www/nextcloud/.user.ini
-sudo -u www-data sed -i "s/post_max_size=.*/post_max_size=10240M/" /var/www/nextcloud/.user.ini
-sudo -u www-data sed -i "s/output_buffering=.*/output_buffering='Off'/" /var/www/nextcloud/.user.ini
-sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
-sudo -u www-data php /var/www/nextcloud/occ background:cron
-###apply optimizations to Nextclouds config.php
-sed -i '/);/d' /var/www/nextcloud/config/config.php
-cat <>/var/www/nextcloud/config/config.php
-'activity_expire_days' => 14,
-'auth.bruteforce.protection.enabled' => true,
-'blacklisted_files' =>
-array (
-0 => '.htaccess',
-1 => 'Thumbs.db',
-2 => 'thumbs.db',
-),
-'cron_log' => true,
-'enable_previews' => true,
-'enabledPreviewProviders' =>
-array (
-0 => 'OC\\Preview\\PNG',
-1 => 'OC\\Preview\\JPEG',
-2 => 'OC\\Preview\\GIF',
-3 => 'OC\\Preview\\BMP',
-4 => 'OC\\Preview\\XBitmap',
-5 => 'OC\\Preview\\Movie',
-6 => 'OC\\Preview\\PDF',
-7 => 'OC\\Preview\\MP3',
-8 => 'OC\\Preview\\TXT',
-9 => 'OC\\Preview\\MarkDown',
-),
-'filesystem_check_changes' => 0,
-'filelocking.enabled' => 'true',
-'htaccess.RewriteBase' => '/',
-'integrity.check.disabled' => false,
-'knowledgebaseenabled' => false,
-'logtimezone' => 'Europe/Berlin',
-'log_rotate_size' => 104857600,
-'memcache.local' => '\\OC\\Memcache\\APCu',
-'memcache.locking' => '\\OC\\Memcache\\Redis',
-'preview_max_x' => 1024,
-'preview_max_y' => 768,
-'preview_max_scale_factor' => 1,
-'redis' =>
-array (
-'host' => '/var/run/redis/redis.sock',
-'port' => 0,
-'timeout' => 0.0,
-),
-'quota_include_external_storage' => false,
-'share_folder' => '/Shares',
-'skeletondirectory' => '',
-'trashbin_retention_obligation' => 'auto, 7',
-);
-EOF
-###remove leading whitespaces
-sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
-restart_all_services
-update_and_clean
-###installfail2ban
-apt install fail2ban -y
-###create a fail2ban Nextcloud filter
-touch /etc/fail2ban/filter.d/nextcloud.conf
-cat </etc/fail2ban/filter.d/nextcloud.conf
-[Definition]
-failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*"}\$
-^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: ''\)".*}\$
-^.*\"remoteAddr\":\"\".*Trusted domain error.*\$
-EOF
-###create a fail2ban Nextcloud jail
-touch /etc/fail2ban/jail.d/nextcloud.local
-cat </etc/fail2ban/jail.d/nextcloud.local
-[nextcloud]
-backend = auto
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 3
-bantime = 36000
-findtime = 36000
-logpath = /var/nc_data/nextcloud.log
-EOF
-update_and_clean
-###install ufw
-apt install ufw -y
-###open firewall 
ports 80+443 for http(s) -ufw allow 80/tcp -ufw allow 443/tcp -###open firewall port 22 for SSH -ufw allow 22/tcp -###enable UFW (autostart) -ufw enable -###restart fail2ban, ufw and redis-server services -/usr/sbin/service ufw restart -/usr/sbin/service fail2ban restart -/usr/sbin/service redis-server restart -###clean up redis-server -redis-cli -s /var/run/redis/redis.sock < Date: Tue, 24 Apr 2018 12:30:39 +0200 Subject: [PATCH 3/3] Update README.md --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ee2ec56..590dde2 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ # install-nextcloud Install, optimize and harden your self hosted Nextcloud (based on Ubuntu 16.04.x LTS 64Bit) using two shell scripts only. -The initial script (install-nextcloud.sh) will install your self hosted Nextcloud within few minutes fully automated. Your server will be built of: +The initial script (install-nextcloud.sh) will install and optimize your self hosted Nextcloud within few minutes fully automated. Your server will be built of: + Fail2Ban (nextcloud and ssh jails) MariaDB Nextcloud 13.0.1 NGINX 1.14 
@@ -10,10 +11,10 @@ The initial script (install-nextcloud.sh) will install your self hosted Nextclou PHP 7.2.4 Redis-Server self signed certificates or Let's Encrypt SSL + UFW (22,80,443) -The only precondition for this script is to use Ubuntu 16.04.4 LTS 64Bit as your server OS. - -Configure your Nextcloud in your preferred browser and participate of the opportunity to issue the second script called "optimizations.sh", which will optimize your Nextcloud (cache, previews, cron etc.) and install + configure fail2ban and ufw to harden your Nextcloud server. At least you may request a ssl certificate from letsencrypt by issuing the third script called "ssl-certificat.sh". +The only precondition for both scripts is to use Ubuntu 16.04.4 LTS 64Bit as your server OS. +At least (optionally) you may request a ssl certificate from letsencrypt by issuing the second script called "ssl-certificat.sh". Ready to go? Let's start: