Tutorial: How to secure your Nextcloud installation with Fail2Ban

Oliver Pifferi

Proud father. Digital native and cloud evangelist. Multimedia freak. Avowed fan of the USA and the UK. Blogger with never enough time. Amateur philosopher. #JustMetal. Lateral thinker. Cynic. IT consultant and salesman by profession. Also to be found on LinkedIn. Did this article save a job, or at least your peace of mind, and maybe even provide some entertainment? The PayPal coffee fund would be delighted; thank you!

2 replies

  1. Philip Meyer says:

    THX for source 🙂
    Debian 9 to 14 by philip.meyer@twistermax.de 26.11.2018

    sources:
    https://stackoverflow.com/questions/11621053/redirect-http-to-https-on-default-virtual-host-without-servername
    https://www.modius-techblog.de/linux/nextcloud-https-mit-self-signed-zertifikat-einrichten/?cookie-state-change=1543222540896
    https://ollis.blog/tutorial-wie-ihr-eure-nextcloud-installation-mit-fail2ban-absichern-koennt/
    https://www.howtoforge.com/tutorial/install-nextcloud-server-and-client-on-debian-9/
    https://nextclouders.de/nextcloud-in-weniger-als-20-minuten/

    1.) apt update
    2.) apt upgrade
    3.) reboot
    4.) apt install mc open-vm-tools -> open-vm-tools only on ESXi or Workstation
    5.) reboot
    ——————————————————————————–
    6.) apt-get install apache2 mariadb-server
    7.) systemctl start apache2
    8.) systemctl enable apache2
    9.) systemctl start mysql
    10.) systemctl enable mariadb
    11.) apt install libapache2-mod-php php7.0 php7.0-xml php7.0-cgi php7.0-cli php7.0-gd php7.0-curl php7.0-zip php7.0-mysql php7.0-mbstring wget unzip
    ——————————————————————————-
    12.) mysql_secure_installation
    13.) answer yes to every question up to "change root password"
    14.) mysql -u root -p
    15.) CREATE DATABASE nextclouddb;
    16.) CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'mypassword';
    17.) GRANT ALL PRIVILEGES ON nextclouddb.* TO 'nextcloud'@'localhost';
    18.) FLUSH PRIVILEGES;
    19.) \q
    20.) mysql -u nextcloud -p
    21.) USE nextclouddb;
    22.) \q
    ——————————————————————————-
    23.) wget https://download.nextcloud.com/server/releases/latest.zip
    24.) unzip latest.zip
    25.) mv nextcloud /var/www/html/
    26.) chown -R www-data:www-data /var/www/html/nextcloud
    27.) nano /etc/apache2/sites-available/nextcloud.conf
    27a.)
    <VirtualHost *:80>
        ServerAdmin admin@example.com
        DocumentRoot "/var/www/html/nextcloud"
        ServerName 192.168.0.187

        <Directory /var/www/html/nextcloud>
            Options MultiViews FollowSymlinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        TransferLog /var/log/apache2/nextcloud_access.log
        ErrorLog /var/log/apache2/nextcloud_error.log
    </VirtualHost>

    28.) a2dissite 000
    29.) a2ensite nextcloud
    30.) systemctl restart apache2
    ———————Firewall————————————————–
    31.) apt install ufw
    32.) ufw enable
    33.) ufw allow 22
    34.) ufw allow 80
    35.) ufw allow 443
    ——————————————————————————
    36.) configure on your ip-address http://XXX.XXX.XXX.XXX with a browser
    37.) admin name, admin password, db connection etc.
    ————————-secure ssh——————————————-
    38.) if you've got another user (not root), you can go to the next step, otherwise:
    useradd -g users -d /home/(newuser) -s /bin/bash (newuser)
    passwd (newuser)
    mkdir /home/(newuser)
    chown (newuser):users /home/(newuser)/
    39.) nano /etc/ssh/sshd_config
    40.) edit in sshd_config "PermitRootLogin yes" to "PermitRootLogin no"
    41.) /etc/init.d/ssh reload
    ————————-fail2ban———————————————
    42.) apt install fail2ban
    43.) cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    44.) nano /etc/fail2ban/jail.local
    -> [DEFAULT] bantime = 86400
    -> [DEFAULT] findtime = 600
    -> [DEFAULT] maxretry = 3
    45.) in jail.local section [jail] add:
    [nextcloud_trusted]
    enabled = true
    logpath = /var/www/html/nextcloud/data/nextcloud.log
    port = http,https
    46.) in jail.local section [jail] add:
    [nextcloud_logins]
    enabled = true
    logpath = /var/www/html/nextcloud/data/nextcloud.log
    port = http,https
    47.) nano /etc/fail2ban/filter.d/nextcloud_trusted.conf
    line 1:[Definition]
    line 2:failregex = ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
    48.) nano /etc/fail2ban/filter.d/nextcloud_logins.conf
    line 1:[Definition]
    line 2:failregex = ^.*\"remoteAddr\":\"<HOST>\".*Login failed:.*$
    49.) systemctl restart fail2ban
    50.) nano /var/www/html/nextcloud/config/config.php
    add the following lines:
    'logfile' => '/var/www/html/nextcloud/data/nextcloud.log',
    'loglevel' => 2,
    51.) service fail2ban restart
    ————————–activate ssl——————————————
    52.) a2enmod ssl
    53.) systemctl restart apache2
    54.) mkdir -p /etc/apache2/ssl && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/nextcloud.key -out /etc/apache2/ssl/nextcloud.crt
    55.) nano /etc/apache2/sites-available/nextcloud-ssl.conf
    add:

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/nextcloud
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/nextcloud.crt
        SSLCertificateKeyFile /etc/apache2/ssl/nextcloud.key
    </VirtualHost>

    56.) a2ensite nextcloud-ssl.conf
    57.) systemctl restart apache2
    ——————————Redirect Port 80——————————–
    58.) nano /etc/apache2/sites-available/nextcloud.conf change to this:

    <VirtualHost *:80>
        ServerName yourdomain
        RedirectPermanent / https://yourdomain/
    </VirtualHost>

  2. Dirk says:

    thanks for the instructions, really helpful!

    one thing that did not work for me, the filter.d filename seems to need to match the name of the section in the jail.local, so:

    filter.d/nextcloud.conf
    ----
    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    failregex = ^.*\"remoteAddr\":\"<HOST>\".*Login failed:.*$
                ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
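The following Python script is an added example written for this page; it is not code from the original post or from either of the two comments above. It takes the two failregex lines from the comments (Philip Meyer's separate nextcloud_logins / nextcloud_trusted filters and Dirk's merged nextcloud.conf), expands the `<HOST>` placeholder and runs them over constructed Nextcloud JSON log lines, then applies the `findtime = 600` / `maxretry = 3` values from the jail.local step to show which addresses would be banned and which would not. The `HOST_PATTERN` stand-in is an assumption that is simpler than the pattern fail2ban itself installs; the log lines, addresses and user names are constructed for the demonstration.

```python
import json
import re
from datetime import datetime

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion (the real
# pattern is more elaborate); it is enough for the IP literals in the samples.
HOST_PATTERN = r'(?P<host>[0-9a-fA-F.:]+)'

# The two failregex lines from the comments above, written with ASCII quotes.
FAILREGEX = [
    r'^.*"remoteAddr":"<HOST>".*Login failed:.*$',
    r'^.*"remoteAddr":"<HOST>".*Trusted domain error.*$',
]

# Values set in [DEFAULT] of jail.local in the first comment.
FINDTIME = 600   # seconds
MAXRETRY = 3


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace('<HOST>', HOST_PATTERN)) for p in patterns]


def log_line(time, addr, message):
    """Build one constructed nextcloud.log line (Nextcloud writes compact JSON, one object per line)."""
    record = {"reqId": "constructed", "level": 2, "time": time,
              "remoteAddr": addr, "user": "--", "app": "core",
              "method": "POST", "url": "/login", "message": message,
              "userAgent": "constructed", "version": "14.0.3.0"}
    return json.dumps(record, separators=(',', ':'))


# Constructed sample log: three quick failures from one address, two from another,
# one trusted-domain error, one successful login, and three failures spread over hours.
SAMPLE_LOG = [
    log_line("2018-11-26T10:00:00+00:00", "203.0.113.7", "Login failed: 'alice' (Remote IP: '203.0.113.7')"),
    log_line("2018-11-26T10:01:00+00:00", "203.0.113.7", "Login failed: 'alice' (Remote IP: '203.0.113.7')"),
    log_line("2018-11-26T10:02:00+00:00", "203.0.113.7", "Login failed: 'admin' (Remote IP: '203.0.113.7')"),
    log_line("2018-11-26T10:03:00+00:00", "198.51.100.5", "Login failed: 'bob' (Remote IP: '198.51.100.5')"),
    log_line("2018-11-26T10:04:00+00:00", "198.51.100.5", "Login failed: 'bob' (Remote IP: '198.51.100.5')"),
    log_line("2018-11-26T10:05:00+00:00", "203.0.113.9", 'Trusted domain error. "203.0.113.9" tried to access using "evil.example" as host.'),
    log_line("2018-11-26T10:06:00+00:00", "192.0.2.10", "Login successful for user 'carol'"),
    log_line("2018-11-26T08:00:00+00:00", "192.0.2.20", "Login failed: 'dave' (Remote IP: '192.0.2.20')"),
    log_line("2018-11-26T09:00:00+00:00", "192.0.2.20", "Login failed: 'dave' (Remote IP: '192.0.2.20')"),
    log_line("2018-11-26T11:00:00+00:00", "192.0.2.20", "Login failed: 'dave' (Remote IP: '192.0.2.20')"),
]


def failures(lines, patterns=FAILREGEX):
    """Return (host, timestamp) for every line that some failregex matches."""
    compiled = compile_filter(patterns)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                ts = datetime.fromisoformat(json.loads(line)["time"])
                hits.append((m.group("host"), ts))
                break  # one failure per line, as fail2ban counts it
    return hits


def hosts_to_ban(hits, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts with at least maxretry failures inside some window of findtime seconds."""
    by_host = {}
    for host, ts in hits:
        by_host.setdefault(host, []).append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    hits = failures(SAMPLE_LOG)
    for host, ts in hits:
        print(f"failure from {host} at {ts.isoformat()}")
    print("would be banned:", hosts_to_ban(hits))
```

Running the script shows that only 203.0.113.7 reaches three failures inside ten minutes; 192.0.2.20 also fails three times but spread over three hours, so it stays unbanned until findtime is raised, and the successful login line never matches. Replacing `FAILREGEX` with your own lines is a quick way to check a filter change before restarting fail2ban.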
