D A R K
M A T T E R


Starting & Disclaimer

The target audience for this document is more sophisticated admins with additional needs and setup scenarios. Ubuntu 20.04 by default only provides PHP 7.4. PHP 8.0 is not currently supported by the ownCloud server. The commands and links provided in this description should give you proper hints but come without any responsibility. We will install ownCloud on the latest version of Ubuntu 20.04 Server. If you’re installing Ubuntu Server from scratch, choose the username ownbox and the server name ownserver. Why? Because it looks good on the network and while using the server.

Goals

Important Consideration

Note: If you don't have any extra display for installation, check out Boot a USB from VB (VirtualBox)

  1. Physical Threat
    • ownCloud encryption app
    • LVM for full-disk encryption (depends on you)
  2. Online Threat
    • Linux (server) machine username and password
    • Admin username and password of ownCloud (web interface)
    • Protect brute force on login through Brute-Force Protection app
    • Protect SSH from brute force via fail2ban (optional, if you’re not using SSH)
    • MySQL password of root user (generally not considered as important, because it acts like a middle wall between Linux and ownCloud)

Upgrading Ubuntu 20.04

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y
sudo apt install update-manager-core -y

You need to run these commands directly on the server before you connect to it over SSH.

openssh

Note: Be careful, user input needed.

fail2ban will ban an IP for one day if the attacker brute-forces your SSH service (logs in more than 3 times). The commands below also disable root user access over SSH for everyone.

sudo apt install openssh-server fail2ban -y
sudo sh -c "echo 'DenyUsers root' >> /etc/ssh/sshd_config"
sudo systemctl stop fail2ban.service
sudo systemctl enable --now ssh.service

After these commands you can connect to the server over SSH from your machine.

ssh USER@IP

Run this command in Terminal or Command Prompt, type yes, and enter the password of your user on the server.

sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
ignoreip = 127.0.0.1

Press CTRL+O, Enter, CTRL+X to write the changes to jail.local

sudo systemctl restart ssh.service fail2ban.service
sudo fail2ban-client status sshd

Check status of sshd (ssh) service

sudo fail2ban-client set sshd unbanip <IP>

Use this when you want to unban an IP that is blocked by fail2ban.

PHP 7.4 & Common Prerequisites

dpkg -l | grep php | awk '{print $2}' | tr "\n" " "

Check whether you have PHP installed or not. If not, then you are good to go.

sudo apt install php-fpm php-cgi php php-mysql php-mbstring php-intl php-redis php-imagick php-igbinary php-gmp php-bcmath php-curl php-gd php-zip php-imap php-ldap php-bz2 php-ssh2 php-phpseclib php-dev libsmbclient-dev php-pear -y

Install PHP 7.4 and necessary extensions

sudo apt install smbclient redis-server unzip openssl -y

Install some common prerequisites

Upgrade Pear to the latest version

pear version
sudo mkdir -p /tmp/pear/cache
sudo pear upgrade --force --alldeps http://pear.php.net/get/PEAR-1.10.12

Ignore any Notice or warnings

sudo pear clear-cache && sudo pear update-channels && sudo pear upgrade --force && sudo pear upgrade-all

Ignore any Notice or warnings

sudo rm -rvf /tmp/pear/cache
pear version
sudo update-alternatives --set php /usr/bin/php7.4 && sudo update-alternatives --set phar /usr/bin/phar7.4 && sudo update-alternatives --set phar.phar /usr/bin/phar.phar7.4 && sudo update-alternatives --set phpize /usr/bin/phpize7.4 && sudo update-alternatives --set php-config /usr/bin/php-config7.4

Multiple Concurrent PHP Versions

Apache Web Server

sudo apt install libapache2-mod-php apache2 -y

This command installs the Apache Web Server.

MYSQL/MariaDB

Note: Be careful, user input needed.

MariaDB is the ownCloud recommended database. It may be used with either ownCloud Server or ownCloud Enterprise editions.

sudo apt install mariadb-server -y
sudo mysql_secure_installation
  1. Press Enter to login as root
  2. Type Y and press Enter to set a root password, type the password twice to confirm
  3. Type Y and press Enter to remove anonymous users
  4. Type Y and press Enter to disallow root login remotely
  5. Type Y and press Enter to remove the test database
  6. Type Y and press Enter to reload privilege tables
sudo mysql -u root -p

Run this command to log in to MySQL with the root password set earlier.

Install an ownCloud database

Note: Be careful, user input needed.

Warning: Directly using root user as ownCloud database admin

CREATE DATABASE owncloud_db;
GRANT ALL ON owncloud_db.* to 'root'@'localhost' IDENTIFIED BY 'rootpass';

You can use the same password that you set earlier for root.

FLUSH PRIVILEGES;
EXIT;

Download & Extract ownCloud

sudo wget https://download.owncloud.org/community/owncloud-latest.tar.bz2 && sudo mkdir /var/www/owncloud && sudo tar -xvf owncloud-latest.tar.bz2 --directory /var/www
sudo chown -R www-data:www-data /var/www/owncloud

Set the owner of the new owncloud directory to www-data

owncloud.conf File

sudo nano /etc/apache2/sites-available/owncloud.conf
Alias /owncloud "/var/www/owncloud/"
<Directory /var/www/owncloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/owncloud
SetEnv HTTP_HOME /var/www/owncloud
</Directory>

Press CTRL+O, Enter, CTRL+X to write the changes to owncloud.conf

Enable the site & Restart Apache

sudo a2ensite owncloud && sudo a2enmod rewrite headers env mime unique_id dav
sudo systemctl restart apache2

Enable SSL/HTTPS

Note: Be careful, user input needed.

sudo a2enmod ssl && sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem

Leave everything empty by pressing Enter, and it will create a certificate that is valid for 3650 days (10 years).

sudo nano /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName IP:443
        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </VirtualHost>
</IfModule>

Add these two lines, but replace IP with your server's IP address in the first line.

sudo a2ensite default-ssl
sudo systemctl restart apache2.service
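
With every prompt left empty, the certificate created above carries no name or address for the server, so a client has nothing to match it against. An added example (not part of the original guide) that creates the same kind of self-signed certificate with the server IP in subjectAltName and checks the result; the function names are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# illustrative; the file paths are the ones used in the section above.

# Create a self-signed certificate whose subjectAltName carries the server IP,
# so a client that trusts this one certificate can verify the server.
make_ip_cert() {   # $1 = server IP, $2 = key path, $3 = certificate path
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=$1" -addext "subjectAltName=IP:$1" \
        -keyout "$2" -out "$3" || return 1
    chmod 600 "$2"                      # private key: owner only
}

# Succeed only if the certificate is valid for the given IP address.
cert_covers_ip() {   # $1 = certificate path, $2 = IP to test
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# SHA-256 fingerprint, to compare out of band before trusting the certificate.
cert_fingerprint() {   # $1 = certificate path
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sudo sh make-cert.sh <server IP>
if [ $# -eq 1 ]; then
    make_ip_cert "$1" /etc/ssl/private/ssl-cert-snakeoil.key \
                      /etc/ssl/certs/ssl-cert-snakeoil.pem &&
    cert_covers_ip /etc/ssl/certs/ssl-cert-snakeoil.pem "$1" &&
    cert_fingerprint /etc/ssl/certs/ssl-cert-snakeoil.pem
fi
```

The -addext option needs OpenSSL 1.1.1 or later, which Ubuntu 20.04 ships.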

Disable Transparent Huge Pages (THP)

Transparent Huge Pages should be disabled when using databases. This is applicable when using Redis, as well as MariaDB. For more information read: Why THP (Transparent Huge Pages) are not recommended for Databases.

sudo nano /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/enabled'
ExecStart=/bin/sh -c '/bin/echo never > /sys/kernel/mm/transparent_hugepage/defrag'
[Install]
WantedBy=basic.target

Press CTRL+O, Enter, CTRL+X to write the changes to disable-thp.service

sudo systemctl daemon-reload && sudo systemctl enable disable-thp && sudo service disable-thp start

Setup ownCloud site

Note: Be careful, user input needed.

  1. Open a web browser and navigate to https://IP/owncloud
  2. Create new admin account for ownCloud web interface
  3. MySQL/MariaDB credentials
    • Database user: root
    • Database password: rootpass
    • Database name: owncloud_db
    • Database host: localhost
  4. Click Finish Setup and log in with your credentials of ownCloud web interface

Memory Caching

sudo apt install php-apcu redis-server php-redis -y && sudo systemctl restart apache2.service
sudo nano /var/www/owncloud/config/config.php
'memcache.distributed' => '\OC\Memcache\Redis',
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\APCu',
'redis' => [
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0
],

Paste these lines before instanceid in the first array of the $CONFIG variable and press CTRL+O, Enter, CTRL+X to write the changes to config.php

sudo sed -i '/^memory_limit =/s/=.*/= 512M/' /etc/php/7.4/apache2/php.ini

Change size of memory limit

sudo usermod -a -G redis www-data && sudo systemctl restart apache2.service
sudo sh -c 'printf "port 0\nunixsocket /var/run/redis/redis-server.sock\nunixsocketperm 770\n" >> /etc/redis/redis.conf' && sudo reboot

It will reboot your server.

Make your task easy

Create a script that manages your server IP at startup, so that you can access the server without manually changing the server IP in the configuration files.

sudo nano /root/refresh-apache
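#!/bin/sh
# Use the IP passed as the first argument, otherwise the host's first address
if [ -z "$1" ]
then
IP=$(hostname -I | awk '{print $1}')
else
IP=$1
fi
# Slashes are escaped because URL is used inside a sed replacement
URL="http:\/\/${IP}\/owncloud"
# Update trusted_domains entry 0 and overwrite.cli.url in config.php
sudo sed -i "s/\(0 => '\).*$/\1${IP}',/" /var/www/owncloud/config/config.php
sudo sed -i "s/\('overwrite\.cli\.url' => \).*$/\1'${URL}',/" /var/www/owncloud/config/config.php
# Update the ServerName of the SSL virtual host, then reload Apache
sudo sed -i "s/\(ServerName \).*$/\1${IP}:443/" /etc/apache2/sites-available/default-ssl.conf
sudo systemctl restart apache2.service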

Press CTRL+O, Enter, CTRL+X to write the changes to refresh-apache

sudo chmod 700 /root/refresh-apache
sudo nano /etc/systemd/system/refresh-apache.service
[Unit]
Description=Refresh apache
[Service]
Type=oneshot
ExecStart=/bin/sh /root/refresh-apache
[Install]
WantedBy=multi-user.target

Press CTRL+O, Enter, CTRL+X to write the changes to refresh-apache.service

sudo systemctl enable refresh-apache.service && sudo systemctl start refresh-apache.service

Cron Jobs

sudo -u www-data /usr/bin/php /var/www/owncloud/occ background:cron && sudo systemctl restart apache2.service
sudo crontab -u www-data -e

Press 1 to open nano text editor

*/15 * * * * /usr/bin/php -f /var/www/owncloud/occ system:cron

Press CTRL+O, Enter, CTRL+X to write the changes

Backup your ownCloud

Note: Be careful, user input needed.

sudo nano /root/backup-data
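#!/bin/sh
# $1 = password of the MySQL/MariaDB root user
PASS=$1
# Remove the previous archive (POSIX sh has no "&>" redirection)
sudo rm -rvf /oc-backupdir.tar.gz > /dev/null 2>&1
# Dump the database next to the ownCloud files so tar can pick it up
sudo sh -c "mysqldump --single-transaction -h localhost -u root -p${PASS} owncloud_db > /var/www/owncloud/owncloud-dbbackup_$(date +'%Y-%m-%d').bak"
# Archive config, data, apps-external and the dump, then delete the dump
sudo tar -czvf /oc-backupdir.tar.gz --directory /var/www/owncloud config data apps-external owncloud-dbbackup_$(date +"%Y-%m-%d").bak
sudo rm -rvf /var/www/owncloud/owncloud-dbbackup_$(date +"%Y-%m-%d").bak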

Press CTRL+O, Enter, CTRL+X to write the changes to backup-data

sudo chmod 700 /root/backup-data
sudo crontab -u root -e

Press 1 to open nano text editor

*/60 * * * * /root/backup-data PASSWORD

Paste this line at the end of the file so that it backs up your data, config, apps-external and database every 60 minutes to /oc-backupdir.tar.gz. Replace PASSWORD with the root user password of your MySQL/MariaDB. Press CTRL+O, Enter, CTRL+X to write the changes.

sudo du -sh /oc-backupdir.tar.gz

Check your backup size.
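
The script above passes the database password on the command line (it is visible in the process list and stored in root's crontab), writes the dump inside the directory mapped to the /owncloud alias, and creates the archive with the default umask. A variant that avoids all three, as an added example that is not part of the original guide; the option file path, the script name and the MYSQLDUMP, OC_DIR and OUT variables are assumptions:

```shell
#!/bin/sh
# Added example, not the guide's script. Assumed names: the option file
# /root/.oc-backup.cnf and the MYSQLDUMP, OC_DIR and OUT overrides.
MYSQLDUMP=${MYSQLDUMP:-mysqldump}
OC_DIR=${OC_DIR:-/var/www/owncloud}
OUT=${OUT:-/oc-backupdir.tar.gz}

# Store the database root password in a client option file with mode 600.
# (A password containing " or \ would need escaping in this file.)
write_mysql_cnf() {   # $1 = option file path, $2 = password
    ( umask 077
      printf '[client]\nuser=root\npassword="%s"\n' "$2" > "$1" &&
      chmod 600 "$1" )
}

# Dump the database into a private temp dir, then archive it together with
# config, data and apps-external, as the script above does.
backup_owncloud() {   # $1 = option file written by write_mysql_cnf
    umask 077                          # dump and archive readable by root only
    work=$(mktemp -d) || return 1      # not under the Apache alias /owncloud
    dump="owncloud-dbbackup_$(date +%Y-%m-%d).bak"
    # --defaults-extra-file must come first; no password shows up in `ps`.
    "$MYSQLDUMP" --defaults-extra-file="$1" --single-transaction \
        -h localhost owncloud_db > "$work/$dump" ||
        { rm -rf "$work"; return 1; }
    # Build under a temporary name so a failed run keeps the previous archive.
    tar -czf "$OUT.tmp" -C "$OC_DIR" config data apps-external \
        -C "$work" "$dump" || { rm -rf "$work" "$OUT.tmp"; return 1; }
    mv -f "$OUT.tmp" "$OUT"
    rm -rf "$work"
}

# Run the backup only when an option file is passed, e.g. from root's crontab:
#   /root/backup-data-safe /root/.oc-backup.cnf   (hypothetical script name)
[ $# -eq 0 ] || backup_owncloud "$1"
```

The archive keeps the same top-level layout (config, data, apps-external and owncloud-dbbackup_DATE.bak), so the restore steps below apply to it unchanged.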

Restore your ownCloud

Note: Be careful, user input needed.

  1. Follow all the steps up to Setup ownCloud site, but do not perform Setup ownCloud site itself
  2. sudo nano /root/restore-data
  3. #!/bin/sh
    TAR=$1
    PASS=$2
    sudo mkdir /tmp/oc-backupdir
    sudo tar -xzvf ${TAR} --directory /tmp/oc-backupdir/
    sudo mv /tmp/oc-backupdir/owncloud-dbbackup_* /tmp/oc-backupdir/owncloud-dbbackup
    sudo mysql -h localhost -u root -p${PASS} owncloud_db < /tmp/oc-backupdir/owncloud-dbbackup
    sudo mysql -u root -p${PASS} owncloud_db -e "Delete from oc_filecache where storage IN(SELECT numeric_id FROM oc_storages);"
    sudo cp -rvf /tmp/oc-backupdir/config /tmp/oc-backupdir/data /tmp/oc-backupdir/apps-external /var/www/owncloud/
    sudo rm -rvf /tmp/oc-backupdir
    sudo sed -i "s/\('dbuser' => \).*$/\1'root',/" /var/www/owncloud/config/config.php
    sudo sed -i "s/\('dbpassword' => \).*$/\1'${PASS}',/" /var/www/owncloud/config/config.php
    sudo chown -R www-data:www-data /var/www/owncloud
  4. Press CTRL+O, Enter, CTRL+X to write the changes to restore-data
  5. sudo chmod 700 /root/restore-data
  6. sudo /root/restore-data <backup.tar.gz file path> <password for root user of database>
  7. Follow all the steps of Memory Caching, Make your task easy & Cron Jobs
  8. sudo -u www-data /usr/bin/php /var/www/owncloud/occ files:scan --all
  9. Verify all your files and you should not get any errors.
  10. Follow all the steps of Backup your ownCloud

Encryption

Encryption: The encryption application does not protect your data if your ownCloud server is compromised, and it does not prevent ownCloud administrators from reading users’ files. This would require client-side encryption, which this application does not provide. If your ownCloud server is not connected to any external storage services, it is better to use other encryption tools, such as file-level or whole-disk encryption.

Restoring Encrypted files: This is not officially supported. ownCloud officially supports either restoring the full backup or restoring nothing — not restoring individual parts of it.

Check Which Files Are Never Encrypted (Most Important)

  1. Go to Settings > Settings
  2. Click on Show disabled apps from top left
  3. Enable the Default encryption module
  4. Go to Settings > Encryption
  5. Check the Enable server-side encryption box
  6. Click on Enable encryption
  7. Select the Master Key option inside Default encryption module section
  8. Click on Permanently select this mode
  9. Now, to implement encryption log in again.
  10. Run the following command to encrypt all files (including old data)
  11. sudo -u www-data /usr/bin/php /var/www/owncloud/occ encryption:encrypt-all --yes

Post-Installation Steps

sudo nano /root/instance.sh

Copy script code of instance.sh from here

sudo chmod u+x /root/instance.sh
sudo nano /root/owncloud_prep.sh

Copy script code of owncloud_prep.sh from here

sudo chmod u+x /root/owncloud_prep.sh
sudo /root/instance.sh

Do you want to secure your .htaccess files post installing/upgrade (y/N)? y

Joplin with ownCloud

  1. Open the ownCloud web interface
  2. Login as admin user (depends on you) and create a folder named Joplin
  3. Go to Settings (from top right) > Security > App passwords / tokens
  4. Enter Joplin as App name
  5. Click on Create new app passcode
  6. Copy your Username and Password / Token
  7. Click on Done
  8. Open Joplin app
  9. Go to Tools > Options > Synchronization
  10. Select WebDAV under Synchronization target
  11. Put the WebDAV URL (https://IP/owncloud/remote.php/webdav/Joplin)
  12. Enter admin as WebDAV username and your Password / Token as WebDAV password
  13. Expand the Show Advanced Settings option
  14. Check the Ignore TLS certificate errors box
  15. Now, to sync your data with ownCloud, select one of these options according to your situation: Re-upload local data to sync target or Delete local data and re-download from sync target.

Necessary Security Apps

Necessary Multimedia Apps

Necessary Productivity Apps

Necessary Tools Apps

Resources