Installing OwnCloud On Ubuntu Server 12.04 With SSL Support

Tired of paying for Dropbox services? Why not use ownCloud to set up your own personal and secure Dropbox for free :)

 

Follow the steps below as root:

 

  1. Bash in to get root access ( sudo bash ).
  2. Install server dependencies ( apt-get install apache2 php5 php5-gd php-xml-parser php5-intl vim-nox ).
  3. Install more server dependencies ( apt-get install php5-sqlite php5-mysql php5-pgsql smbclient curl libcurl3 php5-curl ).
  4. Download the ownCloud source files from http://owncloud.org/sync-clients/#linux
  5. Upload the extracted files to your Apache root ( default is located at /var/www ). To upload them you can install the vsftpd server ( apt-get install vsftpd ) or any other type of FTP server service.
  6. Inside your ownCloud root directory create a new folder called “data” ( mkdir data ).
  7. For ownCloud to configure and work correctly, Apache needs to be given ownership of certain folders so there is no problem for Apache to read and write data inside your website. Run the following commands:
    chown -R www-data:www-data /var/www/apps
    chown -R www-data:www-data /var/www/config
    chown -R www-data:www-data /var/www/data
    Note: Keep in mind that /var/www is just the default root folder of Apache. Yours might be different, so make the appropriate changes so the paths point to your Apache/web install.
  8. You’re going to want to enable mod_rewrite ( a2enmod rewrite ).
  9. Restart your Apache service ( service apache2 restart ).
  10. Create a new database in MySQL and call it owncloud, then create a new user and password with specific access to the owncloud database. These credentials will be used later in the process.

 

Now let’s install our SSL and get it configured correctly:

 

  1. Enable the SSL module ( a2enmod ssl ).
  2. Now you’re going to want to create a directory to store your SSL certs ( mkdir /etc/apache2/ssl ).
  3. Now let’s generate a general cert with the following command ( openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt ).

    Note: You’re going to be asked a couple of questions after you run this command. Answer them as accurately as possible, as this will be displayed on your cert when people try to access your site.
  4. Edit default-ssl in the sites-available folder of your Apache install ( vim /etc/apache2/sites-available/default-ssl ) and comment out lines 51 & 52 (use a #).
    Then add the following lines right under them:

    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

  5. Finally run ( a2ensite default-ssl ).
  6. Restart your Apache service ( service apache2 restart ).

 

At this point you should be able to visit your box’s URL ( https://localhost or https://127.0.0.1 or https://www.yourdomain.com ) and finish installing ownCloud with the native install wizard.
Once your install is complete you will be able to download ownCloud’s own file sync client, or you can use a WebDAV client to navigate through your files. You can do the same for your mobile device or tablet.
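
The openssl command in the SSL steps writes the private key unencrypted (-nodes) and the certificate lasts 365 days, so it is worth checking the key's permissions, that the pair matches, and how long the cert has left. This is an added example, not part of the original post; the function names are made up for illustration and the paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: checks to run after generating apache.key / apache.crt.
# Function names are illustrative, not part of any tool.

# Return 0 when the key file ($1) grants nothing to group or other.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Return 0 when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Return 0 when certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all three checks; print one line per finding, return 1 if any failed.
check_tls_files() {   # $1 = certificate, $2 = key
    rc=0
    key_is_private "$2" || { echo "$2 is readable beyond its owner: chmod 600"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; rc=1; }
    return $rc
}

# Only runs where the files from the steps above exist.
crt=/etc/apache2/ssl/apache.crt
key=/etc/apache2/ssl/apache.key
if [ -r "$crt" ] && [ -r "$key" ]; then
    check_tls_files "$crt" "$key" || echo "=> fix the findings above"
fi
```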

Securing Apache In Ubuntu Server 12.04

Securing Apache can be different if you have custom modules running. For this quick note/tutorial I am going to assume that it is a fresh install of Apache or a LAMP stack (sudo apt-get install lamp-server^)…

 

bash in… (sudo bash)

as root:

  • Change default apache web root, vim /etc/apache2/sites-available
  • Change default ServerSignature Settings to “Off”, vim /etc/apache2/conf.d/security
  • Change default ServerTokens Settings to “Prod”, vim /etc/apache2/conf.d/security

 

I am sure you can do a lot more to “secure” your Apache installation, but this is a good start: it will hide your server information from port scanners and scripts trying to detect what your server version is. This makes it much harder to exploit your box; it’s hard to exploit something when you have no idea what it’s running.
You can also make your default directory your home directory if you wish to encrypt your files. If you want more security I would consider tools to encrypt the entire partition/drive, you can find out more about full disk encryption for uOS Server 12.04 here.
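
To confirm the two banner settings actually took effect in the file you edited (a commented-out line or a later duplicate is easy to miss), here is a small audit script. It is an added example, not part of the original post; the function names are made up for illustration, and you pass it the config file to read (for this post, /etc/apache2/conf.d/security).

```shell
#!/bin/sh
# Added example: report the effective ServerTokens / ServerSignature values in
# one Apache config file and flag anything other than Prod / Off.

# Print the last active value of a directive ($1) in a config file ($2).
# Directive names are case-insensitive; commented-out lines are ignored.
effective_value() {
    awk -v want="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print val }
    ' "$2"
}

# Return 0 only when the file sets ServerTokens Prod and ServerSignature Off.
audit_banner() {
    conf=$1 rc=0
    tokens=$(effective_value ServerTokens "$conf" | tr 'A-Z' 'a-z')
    sig=$(effective_value ServerSignature "$conf" | tr 'A-Z' 'a-z')
    case $tokens in
        prod|productonly) ;;
        '') echo "ServerTokens: not set in $conf"; rc=1 ;;
        *)  echo "ServerTokens: '$tokens' discloses more than Prod"; rc=1 ;;
    esac
    case $sig in
        off) ;;
        '') echo "ServerSignature: not set in $conf"; rc=1 ;;
        *)  echo "ServerSignature: '$sig' adds a footer to error pages"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the hardened lines are present but still commented out,
# so the permissive ones are the active settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ServerTokens Prod
ServerTokens OS
#ServerSignature Off
ServerSignature On
EOF
audit_banner "$sample" || echo "=> edit the file, then restart apache"
rm -f "$sample"
```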

Installing And Securing phpmyadmin In Ubuntu Server 12.04/12.04.2

This post is important because phpmyadmin no longer just works after apt-get install, it requires additional steps to get working.
Aside from these changes, due to recent reports of phpmyadmin being exploited it’s important to secure it. You can do this in a couple of ways, but I am going to assume you want access to it via web.

2 Parts

  1. Installation of phpmyadmin
  2. Securing the installation via htaccess
  3. Discussing more secure methods of accessing phpmyadmin

 

Let’s begin the install muahahaha…

 

Enter root mode:

sudo bash

 

Install:

apt-get install phpmyadmin

 

Open Apache Config File

vim /etc/apache2/apache2.conf

 

Insert the following line at the very bottom of apache2.conf

Include /etc/phpmyadmin/apache.conf

 

Restart Apache server:

service apache2 restart

 

Securing phpmyadmin from public access to web panel…

 

Edit phpmyadmin’s apache configuration file:

vim /etc/phpmyadmin/apache.conf

 

Under the directory section (<Directory /usr/share/phpmyadmin>), add the line “AllowOverride All” under “DirectoryIndex”:

        <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

 

create .htaccess file in phpmyadmin’s root directory:

vim /usr/share/phpmyadmin/.htaccess

Copy the following into the newly created .htaccess file:

AuthType Basic
AuthName "Restricted Files"
# make sure you set this path to a secure place outside your web root
AuthUserFile /var/.htpasswd
Require valid-user

 

Generate the password file where passwords will be stored for authentication/access to phpmyadmin root ( username should be your username, you will be asked for your password once you execute the command ):

htpasswd -c /var/.htpasswd username

 

Restart Apache so updates can take effect:

service apache2 restart
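
A quick check of the password file created above: that it really sits outside the web root, is not readable by every local user, and which hash format each entry uses. This is an added example, not from the original post; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for a Basic-auth password file such as /var/.htpasswd.

# Name the hash scheme of one htpasswd hash field, by its prefix.
hash_scheme() {
    case $1 in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '$5$'*|'$6$'*)           echo sha-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# Return 0 when file $1 is outside web root $2, is not world-readable, and no
# entry uses unsalted SHA-1, legacy crypt() or plaintext; print findings.
check_htpasswd() {
    file=$1 rc=0
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$2" && pwd -P)
    case $dir/ in
        "$root"/*) echo "$file is inside the web root"; rc=1 ;;
    esac
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "$file is world-readable"; rc=1
    fi
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case $(hash_scheme "$hash") in
            sha1-unsalted|crypt-or-plaintext)
                echo "$user: weak hash, re-create the entry"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed demo: a password file wrongly placed under a scratch "web root".
# The hash strings are made-up placeholders, not real password hashes.
demo=$(mktemp -d)
cat > "$demo/.htpasswd" <<'EOF'
alice:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.BCRYPT.HASH.VALUE.
bob:{SHA}CONSTRUCTEDPLACEHOLDER=
EOF
chmod 644 "$demo/.htpasswd"
check_htpasswd "$demo/.htpasswd" "$demo" || echo "=> fix the findings above"
rm -rf "$demo"
```

For the setup in this post you would run check_htpasswd /var/.htpasswd /var/www.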

 

If you want this to be more secure then I would suggest rethinking your server/network architecture…

  1. separate your apache and mysql services into their own box
  2. only have apache server open on port 80 (public) and have it talk to your mysql server locally.
  3. if you need to change something in your database or need to access phpmyadmin I would vpn into your local network and access the mysql/phpmyadmin box.

If you have any questions or comments use the section below :)

NIC Bonding In Ubuntu 12.04/12.04.2 WORKING!

 

 

A REAL setup guide for NIC bonding in Ubuntu Server 12.04/12.04.2 because everyone online sucks at actually posting the correct information, probably due to the current explosion of online “experts” plagiarizing other “experts” online…

This was tested on a HP DL380 with Dual Broadcom NICS.

enter root mode:

sudo bash

 

then install the bonding drivers:

apt-get install ifenslave-2.6

 

edit /etc/network/interfaces

vim /etc/network/interfaces

 

You can pretty much copy the following into interfaces after line 5 ( # The loopback network interface ):

################################################

 

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
 bond-master bond0

auto eth1
iface eth1 inet dhcp
 bond-master bond0

auto bond0
iface bond0 inet static
 # Enter your actual server IP
 address 192.168.1.xxx
 # Enter your actual subnet
 netmask 255.255.255.0
 # Enter your actual router/gateway IP
 gateway 192.168.1.1
 bond-slaves none
 bond-miimon 100
 # Driver mode
 bond-mode balance-rr

 

################################################

edit /etc/modules

vim /etc/modules

 

and add bonding under the rtc value:

loop
lp
rtc
bonding

 

Reboot your box or restart network services. That’s pretty much it… questions or comments? Use the comment functionality :)

Setting up a FUNCTIONING LAMP Stack on Ubuntu Server 10.4

This is a quick tutorial *notes* for me, as I constantly have to look for these simple things every time I have to install a LAMP server on a nix box.
If you do this kind of stuff too, this list might come in handy.

  1. install Ubuntu 10.4 LTS
  2. install ssh server [ sudo apt-get install openssh-server ]
  3. install text editor [ sudo apt-get install vim ]
  4. install lamp stack [ sudo apt-get install lamp-server^ ]
  5. install ftp server [ sudo apt-get install vsftpd ]
  6. install phpmyadmin [ sudo apt-get install phpmyadmin ]
  7. install mail server [ sudo aptitude install postfix ]

This should pretty much set you up with a complete/working dev nix box.
You might also need this in some cases…

  1. cURL PHP module [ sudo apt-get install php5-curl ]
  2. IMAP PHP module [ sudo apt-get install php5-imap ]

If you experience any problems hit me up.

Bonding Network Cards & Load Balancing in Ubuntu Server 10.4 LTS

After a couple of hours wasted looking online for the answers I ended up coming up with my own. I use vim as my text editor sooooo… if you use nano or whatever just use that.

The following configuration is ideal for load balancing scenarios; you can find out more about the different bond modes at the bottom of the post.

 

Lets install the correct software to support the bonding…
sudo apt-get install ifenslave 

 

open up a shell/terminal window and edit…
sudo vim /etc/network/interfaces

 

Copy this info, replacing the ip’s provided with your own…

#The Loopback Network Interface

auto lo
iface lo inet loopback

#The Primary Network Interface

iface eth0 inet manual
iface eth1 inet manual
auto bond0

iface bond0 inet static
bond_miimon 100
bond_mode balance-rr
# USE YOUR OWN LOCAL IP (ASSIGN IT ONE)
address 192.168.1.x
# USE YOUR OWN LOCAL SUBNET
netmask 255.255.255.0
# USE YOUR OWN LOCAL GATEWAY IP
gateway 192.168.1.1
up ifenslave bond0 eth0 eth1
down ifenslave -d bond0 eth0 eth1


Save and exit

 

now open aliases.conf…
sudo vim /etc/modprobe.d/aliases.conf

 

copy this…

alias bond0 bonding
options bonding mode=0 miimon=100 downdelay=200 updelay=200

 

Save, Exit and Reboot your computer…
sudo reboot

 

This is tested and working in a live environment with dual GB NICs. If you have any problems or would like to bond more than 2 NICs leave a comment, as the topic is beyond this quick post.
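
To confirm the bond from this post (or from the 12.04 post above) actually came up in the mode you configured, with both NICs enslaved and their links up, you can parse the status file the bonding driver exposes at /proc/net/bonding/bond0. This is an added example, not part of the original posts; the function name and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a bond using the bonding driver's status file.

# $1 = status file (normally /proc/net/bonding/bond0), $2 = text expected in
# the "Bonding Mode" line, e.g. round-robin for balance-rr.
# Prints a summary; returns 0 only if the mode matches, at least two slaves
# are present and none of them reports its link as down.
bond_report() {
    [ -r "$1" ] || { echo "no status file: is the bonding module loaded?"; return 2; }
    awk -v want="$2" '
        /^Bonding Mode:/    { sub(/^Bonding Mode: */, ""); mode = $0 }
        /^Slave Interface:/ { slave = $3; n++ }
        /^MII Status:/ && slave != "" {
            print slave ": link " $3
            if ($3 != "up") bad++
        }
        END {
            print "mode: " mode
            if (index(mode, want) == 0) { print "mode is not " want; bad++ }
            if (n < 2) { print "fewer than two slaves in the bond"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample in the layout of /proc/net/bonding/bond0: eth1 is down.
status=$(mktemp)
cat > "$status" <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
EOF
bond_report "$status" round-robin || echo "=> bond0 is degraded"
rm -f "$status"
```

On the server itself, run bond_report /proc/net/bonding/bond0 round-robin after the reboot.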

 

MODE INDEX

mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor) XOR policy: Transmit based on [(source MAC address XOR’d with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

Prerequisites:

  • Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
  • A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

* Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave.

mode=6 (balance-alb) Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.