
THE TIN HAT


Owncloud 7 Server Setup Guide with Debian

I've heard some pretty terrible things about Owncloud. Despite being asked to write a tutorial on it multiple times, I never actually bothered because of the number of bugs that I'd heard about. But with the release of Owncloud 7 I thought I'd give it a try. All I can say is that Owncloud Fucking Rocks.

If you haven't heard of it before, Owncloud is essentially a full cloud storage suite that you install on your own server. This means that you are in absolute full control of your data. Through the web client you can upload, download, and edit files with version backups. You can also sync your calendar, tasks, contacts, pictures, and even collaboratively edit ODT documents. The desktop client lets you select which folders you want to sync to your Owncloud server, and runs in the background constantly backing up any files you add, or even edit.

Owncloud also allows you to create multiple users with different privilege levels and storage quotas, between which you can share files. You can also create links to share and edit files, either publicly or protected with a password.

Owncloud even has app support, with several apps preinstalled, and a whole host of third party apps that you can install yourself. One of the pre-installed apps that's disabled by default is file encryption. This will encrypt all your files at rest using the user's password. While this still requires the server operator to be trusted, it's a pretty nice feature to tack on. There are also apps to stream music and movies, RSS readers (which you should use, while subscribing to The Tin Hat), email clients, and some to even tell you the weather.

Personally, I run Owncloud on a server I have sitting in my house, and if you have such a luxury I encourage you to do so as well. But, since not everyone has a server sitting around, this tutorial will describe setting up an Owncloud server on a Digital Ocean droplet. Of course any other VPS provider will work, but Digital Ocean is user friendly, cheap ($5 a month for 20GB), and fast. You can also use this referral link to get a $10 credit worth two months for free.

Let's get started


The first step is to set up the server on Digital Ocean. Hop over to DigitalOcean.com and make an account. Once you have an account click the "Create" button on the left to get started with your server. Enter a hostname of your choice, and select whatever size of server you wish to use. The basic tier is enough to run OwnCloud, but if 20GB isn't enough for you or you want to run other programs as well consider using a higher tier. Pick a region of your choice, then move on to which operating system you want to run. This tutorial will be using Debian 7 x64, but any other flavor of Linux will work too, though the commands may be slightly different. Lastly, consider enabling backups. These provide you some disaster recovery, but tack a bit onto the price as well (you can still perform backups without this option, they just won't be automated). Finally, click the big ol' "Create Droplet" button, and wait for your login credentials to be emailed to you.

Command Line Time | Prepping the Server

Now that you have your server set up with its IP address and password in your mailbox, open up a terminal window (Windows users will have to install PuTTY to use SSH). Type in this command, with the IP address replacing the X's of course:

ssh root@xxx.xxx.xxx.xxx

You will be prompted to accept the server's new fingerprint, as well as to re-enter the password and change it. Do so with a strong password, and then enter the following commands:

apt-get update && apt-get upgrade

This will update all the software already installed on the server. Next you'll want to create a new user, since operating as root is generally considered a pretty bad idea.

adduser [insert_name_here]

Give this user a fairly strong password, but don't worry about entering in any of the other information it asks for. Now we'll give the user the ability to get higher-level privileges with what is called sudo. The reason that we do this is that once again logging into the server as root is dangerous, as root has the ability to do (almost) absolutely anything on the server. The user account that we just created is stuck with a lower set of privileges, which means it's able to do less damage. But sometimes we still need to do things that only root is able to do, and that's what sudo is for. Entering sudo before any command will run that command as if the root user ordered it. Moreover, sudo does extra logging, allowing you to audit for suspicious activity. To give the new user sudo, simply type in

visudo

Here, you'll be presented with a configuration file. Look for the following section, and add your user as well (as you see my user is named bob). After doing so, save and close the file by hitting 'Control+X' and then 'Y'.

# User privilege specification
root ALL=(ALL:ALL) ALL
bob ALL=(ALL:ALL) ALL

It's time to log out of the server as root, and log back in as your new user. To do so, simply type 'exit' then press enter. Now log in again the same way you did the first time, replacing 'root' with whatever username you chose. Now we're going to do a bit of work to make sure the server is secure, or at least a bit more secure than default. The first thing we're going to do is edit who can log into SSH, and how they can do so. So type in this command:

sudo nano /etc/ssh/sshd_config

Now look through the file, and search for PermitRootLogin, and change it to no. Also, change the port to something other than 22, and preferably over 1000. Be absolutely sure to write down this new port number, as it will be used several more times throughout the tutorial. The reason we change the SSH port is to help protect against bots which scan the internet for weak servers to attack. Lastly, add the AllowUsers line, followed by your username. This will increase security by only allowing your account to log in through SSH.

PermitRootLogin no
Port [insert a new SSH port here]
AllowUsers bob

Note: It would be very wise to disallow password based logins and use SSH keys instead. You just need to safeguard your key files.

Now we have to reload SSH to load the new configuration. If you don't do this you'll get locked out of your server! Also note that the next time you log in to the server you'll have to add "-p [port number]" to the SSH command you've been issuing so far (for example 'ssh bob@123.123.123.123 -p 1921'):

sudo service ssh reload

With SSH configured a bit better, let's install a couple of other programs to set up a simple firewall, and also blacklist anyone who tries to log in multiple times with a bad password:

sudo apt-get install fail2ban ufw -y

UFW (Uncomplicated FireWall) provides a basic way to set up a firewall, which we'll get to in a second. Fail2ban monitors for multiple failed login attempts. If someone fails to log in more than the set number of times (default is six), then that IP will be banned for a set amount of time (default is 10 minutes). This makes it much more difficult to try and brute force the password. Of course we'll have to configure this a bit. Enter these two commands to generate and then edit the configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Because we changed the SSH port we're going to have to change the Fail2ban configuration a little bit too. In the configuration file you just opened look for the following section and change the port number to whatever you changed the SSH port to:

[ssh]
enabled = true
port = [insert your SSH port here]
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Just like we did with SSH, after configuring Fail2ban it's time to reload it:

sudo service fail2ban reload

Now that we have Fail2ban configured, let's move on to setting up a very basic firewall. The following commands will set up UFW so that by default all ports are completely blocked except for SSH and the port we'll need to use Owncloud (Warning: make sure to allow your new non-standard SSH port BEFORE enabling UFW. In other words, make sure to issue all the following commands in order):

sudo ufw default deny
sudo ufw allow [insert your SSH port here]
sudo ufw allow 443
sudo ufw enable
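
The SSH port chosen above has to match in three places: sshd_config, the Fail2ban [ssh] jail and the UFW allow rule. The script below is an added example, not part of the original tutorial; it reads the two config files plus saved output of 'sudo ufw status', and its function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash

# First "Port" directive in an sshd_config-style file (sshd defaults to 22).
sshd_port() {
    awk 'tolower($1) == "port" { print $2; f = 1; exit }
         END { if (!f) print 22 }' "$1"
}

# "port" value of the [ssh] jail; the service name "ssh" means port 22.
jail_ssh_port() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_ssh = ($1 == "[ssh]") }
        in_ssh && $1 == "port" { print ($2 == "ssh" ? 22 : $2); exit }' "$1"
}

# Succeeds if saved `ufw status` output has an ALLOW rule for port $2.
ufw_allows() {
    awk -v port="$2" '
        $2 == "ALLOW" { split($1, a, "/"); if (a[1] == port) ok = 1 }
        END { exit !ok }' "$1"
}

# Print findings for the three files; non-zero return on any mismatch.
check_ssh_port() {
    local port jport rc=0
    port=$(sshd_port "$1")
    jport=$(jail_ssh_port "$2")
    echo "sshd port: $port"
    if [ "$jport" != "$port" ]; then
        echo "MISMATCH: Fail2ban [ssh] jail watches port ${jport:-<unset>}"; rc=1
    fi
    if ! ufw_allows "$3" "$port"; then
        echo "MISMATCH: UFW has no ALLOW rule for port $port"; rc=1
    fi
    return $rc
}

# Constructed sample: sshd moved to 1921, but jail.local still names "ssh".
make_sample() {
    printf 'Port 1921\nPermitRootLogin no\nAllowUsers bob\n' > "$1/sshd_config"
    printf '[ssh]\nenabled = true\nport = ssh\nfilter = sshd\n' > "$1/jail.local"
    printf 'Status: active\n\n1921 ALLOW Anywhere\n443 ALLOW Anywhere\n' > "$1/ufw.txt"
}

demo=$(mktemp -d)
make_sample "$demo"
check_ssh_port "$demo/sshd_config" "$demo/jail.local" "$demo/ufw.txt" ||
    echo "Fix the mismatches, then reload the affected service."
rm -rf "$demo"
```

On the server, save the firewall state with 'sudo ufw status > ufw.txt' and run check_ssh_port /etc/ssh/sshd_config /etc/fail2ban/jail.local ufw.txt.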

Setting Up Owncloud

With the server somewhat secure, we can now set up Owncloud itself. The first step is to add the OpenSuse Owncloud repository, in other words the source for where you'll download Owncloud:

sudo nano /etc/apt/sources.list.d/owncloud.list

Now copy and paste this into the new file you just created, then save and close it (again, 'Control+X' and then 'Y'):

deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_7.0/ /

Enter the following commands into the terminal to add Opensuse's key:

wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key
sudo apt-key add - < Release.key

Finally, it's time to install Owncloud!

sudo apt-get update && sudo apt-get install owncloud -y

Congrats, OwnCloud is now installed! But we need to make a quick change to the server to enable SSL:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo service apache2 reload

Lastly, we need to go back into the sudoers file to lock down sudo for the future:

su
visudo

[Replace bob ALL=(ALL:ALL) ALL with:]
bob ALL=/usr/bin/apt-get, /usr/sbin/service, /usr/sbin/ufw

That change will only allow sudo to update software, restart services (such as Apache), and modify firewall rules. Once you're done then exit out of root by typing 'exit', and move on to logging into Owncloud!

The Web Interface

It's time to log into your Owncloud installation. Open up your web browser and type into the URL bar (again, swapping the X's out for your server's IP address):

https://xxx.xxx.xxx.xxx/owncloud

You should now be greeted with a page asking you to create a new admin account! Just enter your desired username and a strong password, and you're pretty much set! There are a few tweaks you can make once you're inside, such as enforcing HTTPS on the admin page (although this is somewhat redundant), as well as enabling the encryption app under the Apps page. But you should now have a working Owncloud server!


Remember to download the desktop client as well and start syncing your folders to the server. There are also smartphone apps you can download so that you can access your files on the go. Lastly, check out the Owncloud Apps page to find extra awesome apps you can add to your Owncloud server.

