Pieter: /* Introduction */

2020-06-23T20:23:21Z

Introduction

← Older revision		Revision as of 20:23, 23 June 2020
Line 1:		Line 1:
	= Introduction =		= Introduction =

	This document describes how to set up Nextcloud on a virtual private server (VPS) hosted by a cloud service provider that provides images for Arch Linux. We assume there is a DNS record in place that points the address <code>cloud.mydomain.net</code> to the IP address provided by the cloud service provider.		This document describes how to set up Nextcloud on a virtual private server (VPS) hosted by a cloud service provider that provides images for Arch Linux. We assume there is a DNS record in place that points the address <code>cloud.mydomain.net</code> to the IP address provided by the cloud service provider. Note that this is not a hardened installation, it is merely used for experimentation. More configuration is required to harden the installation.

	= Basic setup Arch Linux =		= Basic setup Arch Linux =

Pieter: Change source tags to pre

2020-06-23T20:21:08Z

Change source tags to pre

Show changes

Pieter: Add the Nextcloud installation part

2020-06-23T20:17:38Z

Add the Nextcloud installation part

Show changes

Pieter: Basic setup of Arch Linux

2020-06-23T20:15:03Z

Basic setup of Arch Linux

New page

= Comment =

For some reason the <source> tags don't work, will fix it later.

= Introduction =

This document describes how to set up Nextcloud on a virtual private server (VPS) hosted by a cloud service provider that provides images for Arch Linux. We assume there is a DNS record in place that points the address <code>cloud.mydomain.net</code> to the IP address provided by the cloud service provider.

= Basic setup Arch Linux =

== Initial setup ==

Since the system comes preinstalled with Arch Linux on it, the first thing to do is to update the system:

<source lang="bash">pacman -Syu

reboot

pacman -S base base-devel
</source>
== Add an administration user ==

We add a day-to-day administrator account:

<source lang="bash">useradd -m -g users -s /bin/bash admin
passwd admin
</source>
Make sure that <code>pacman</code> can be executed as user <code>admin</code>:

<source lang="bash">visudo
</source>
And add the following:

<source lang="bash">admin ALL=(ALL) NOPASSWD: /usr/bin/pacman
</source>
== Create a swap partition ==

The swap partition has already been activated, so there is nothing to do.

== Configure the language and locales ==

In file <code>/etc/locale.gen</code>:

<source lang="bash">en_US.UTF-8 UTF-8
</source>
Then execute:

<source lang="bash">locale-gen

echo LANG=en_US.UTF-8 > /etc/locale.conf
export LANG=en_US.UTF-8
</source>
Add the correct time zone, for example:

<pre class="commonlisp">ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
</pre>
== Time configuration ==

Since Arch sits in a virtual machine, we assume that the time is always correct.

== Random number generation ==

Random number generation is important for security, so we install the following tools:

<source lang="bash">pacman -S rng-tools

systemctl start rngd
systemctl enable rngd
</source>
To check the level of entropy we can do:

<source lang="bash">cat /proc/sys/kernel/random/entropy_available
</source>
Since it runs on a virtual machine, we are not really sure how representative the entropy is.

We can also run the following tests which should have very few failures:

<source lang="bash">cat /dev/random | rngtest -c 1000
cat /dev/urandom | rngtest -c 1000
</source>
The <code>rng-tools</code> service is preferred over <code>haveged</code>.

== Setting the hostname ==

Assuming we have a hostname <code>mydomainname.net</code> that points to our server's IP address:

In <code>/etc/hostname</code>:

<source lang="bash">cloud.mydomainname.net
</source>
In <code>/etc/hosts</code>:

<source lang="bash">127.0.1.1 cloud.mydomainname.net
</source>
After a reboot, we can check whether everything is set with the command <code>hostname -f</code>.

== Setting up the network ==

The network has been set up fine by the cloud provider.

== Setting up the firewall ==

We use <code>iptables</code> to set up the firewall. A chain is a set of rules. The chain INPUT is predefined for packets that enter the system.

First we set the policy for chain INPUT to target ACCEPT:

<source lang="bash">iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
</source>
We then flush all the chains:

<source lang="bash">iptables -F
ip6tables -F
</source>
A table in this context is a packet matching table. There are five predefined tables. The default table ''filter'', the tables ''nat'', ''mangle'', ''raw'', and ''security''. We flush the table ''nat'':

<source lang="bash">iptables -t nat -F
ip6tables -t nat -F
</source>
We then delete all the user-defined chains:

<source lang="bash">iptables -X
ip6tables -X
</source>
We then set the policy to drop every packet that enters the system (make sure you are logged in via a video display and not SSH):

<source lang="bash">iptables -P INPUT DROP
ip6tables -P INPUT DROP
</source>
We append to chain INPUT on the loopback interface <code>lo</code> to jump to target ACCEPT. This is important for applications that use local servers.

<source lang="bash">iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
</source>
We then append to chain INPUT on interface <code>ens3</code> a rule to accept connections with states ESTABLISHED and RELATED:

<source lang="bash">iptables -A INPUT -i ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
</source>
We then make sure that incomming TCP connections are SYN packets to prevent SYN flooding:

<source lang="bash">iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
</source>
We also drop packets with incoming fragments. This is only for IPv4:

<source lang="bash">iptables -A INPUT -f -j DROP
</source>
We also drop bogons:

<source lang="bash">iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
</source>
We also reject malformed NULL packets:

<source lang="bash">iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
</source>
We can then store the firewall rules with the following commands:

<source lang="bash">iptables-save > /etc/iptables/iptables.rules
ip6tables-save > /etc/iptables/ip6tables.rules
</source>
To make the changes permanent, we can enable and start the Systemd service:

<source lang="bash">systemctl start iptables.service
systemctl enable iptables.service
systemctl status iptables.service

systemctl start ip6tables.service
systemctl enable ip6tables.service
systemctl status ip6tables.service
</source>
== Fail2ban ==

The service fail2ban is a service for detecting login attempts and blocking it.

We install it with:

<source lang="bash">pacman -S fail2ban
</source>
Using <code>systemd</code> we can sandbox the fail2ban service with capabilities. To do so, we create a new file <code>/etc/systemd/system/fail2ban.service.d/capabilities.conf</code> with the following contents:

<source lang="bash">[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
NoNewPrivileges=yes
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
</source>
Create configuration file <code>/etc/fail2ban/fail2ban.local</code> with the correct logtarget path:

<source lang="bash">[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
</source>
Create the <code>/var/log/fail2ban/</code> directory as root.

We have to set up paths for Arch Linux in a <code>jail.local</code> file:

<source lang="bash">[INCLUDES]
before = paths-arch.conf
</source>
== Yay ==

With yay, we can keep also the AUR packages up to date.

<source lang="bash">git clone https://aur.archlinux.org/yay.git
tar xvzf yay.tar.gz
cd yay
makepkg -s
pacman -U yay*.pkg.tar.xz
</source>
= SSH access =

== Configuration ==

The first service we would like to set up is SSH. We first configure the SSH daemon itself in file <code>/etc/ssh/sshd_config</code>:

<source lang="bash">PermitRootLogin no
TCPKeepAlive no
ClientAliveInterval 60
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
</source>
We then restart the daemon:

<source lang="bash">systemctl restart sshd
</source>
== The firewall ==

We have to open port 22 for SSH in our firewall:

<source lang="bash">iptables -A INPUT -i ens3 -p tcp --dport 22 -j ACCEPT
</source>
<source lang="bash">iptables-save > /etc/iptables/iptables.rules
ip6tables-save > /etc/iptables/ip6tables.rules
</source>
== Fail2ban ==

We add the following jails in <code>/etc/fail2ban/jail.d/</code>:

In <code>sshd.conf</code>:

<source lang="bash">[sshd]
enabled = true
</source>

Install Nextcloud on Arch Linux - Revision history

Pieter: /* Introduction */

Pieter: Change source tags to pre

Pieter: Add the Nextcloud installation part

Pieter: Basic setup of Arch Linux