Get rid of Dropbox and launch a personal cloud

DIY Cheap Cloud Storage

Recently I saw someone online posting a Slacktivism petition campaign about online privacy.
I told the person who posted the petition that I think if people want changes to happen, they should take action themselves, educate themselves about online security and risks, learn about encryption etc.
His response was that not everybody can do that.
I feel that is a cop-out answer, so I wanted to provide a DIY step-by-step guide on how to create a secured cloud environment for your data, as opposed to using Google Drive, Dropbox, etc.

Cloud computing is booming: many businesses and individuals are moving to the ‘cloud’, whether it be for storage, applications or moving servers off premises.
With the recent security breach on Dropbox, on-going government surveillance, and news of the government’s data retention plans, I feel it is time for people to start moving away from these public cloud providers and keep their own data segregated.
If these providers are not being hacked for data, they are selling it to annoying marketers or allowing government departments access to your data.
Your right to privacy is not being protected sufficiently any more.

There are so many benefits of cloud computing and it is something you can do on your own with cheap cloud storage providers.

My goal with this article is to help somebody who is unfamiliar with Linux and Owncloud not just to get it up and running, but also to end up with a secure environment.
There are many guides or videos online about simply installing Owncloud, but I find the majority of them lack depth for a beginner in Linux.

About OwnCloud

OwnCloud is a platform where you can sync your files, contacts, calendar and more, it has Desktop and Mobile software so you can always access your data.

There are other alternatives available, and Owncloud is not a perfect solution, there are some features missing like delta sync, but it is a great one and you do control it.

How do I create a personal cloud?

Fortunately it is relatively easy to create your very own ‘Cloud’ on a private server, even if you are not technically literate I will provide the steps required to set up a Linux server, give basic security tips and install Owncloud.
There are also other services you can run with this Linux server, for example a Web Server, VPN, Mail server, DNS, the list goes on.

The first thing you need is a Linux VPS. These are private virtualized servers, which means you don’t share YOUR server with anyone else; however, the physical server is partitioned to provide multiple private VPS servers to clients.
Nobody but yourself can access your server once it has been provisioned.

My suggestion is to use Backupsy,  their storage solutions start at 250GB, I use them personally, as well as their sister company VPSDime for a high performance web server and I’ve been extremely happy overall with both services, Backupsy have a permanent offer of 40% off on all orders, sometimes they have great specials on as well.

 

 Create your VPS

1. Select your plan and choose buy now
2. Fill in the host name with whatever you like; if you have a domain you can create a sub domain and use that.
3. Select a root password and keep a note of it. Make sure it is secure.
4. Location: select whichever location best suits you.
5. Operating System choice: PERSONALLY I use CentOS. Most of my current machines are CentOS 6.6, but with new machines I am using CentOS 7 now. If your VPS provider has CentOS 7 go with that, otherwise CentOS 6 is fine.

Why CentOS? It is supported for longer – 10 years (CentOS 6 is supported until 2020, CentOS 7 is supported until 2024). It is based on Red Hat Enterprise Linux and most updates are available 24-72 hours after Red Hat gets them.

Ubuntu Server is also a great OS (this website is hosted by an Ubuntu server) but generally I don’t deploy it unless I want something that CentOS does not support.
All of my instructions will be CentOS 7 based, 6 is pretty similar, a few commands may differ though.


My VPS is ready, what’s next?

It will not take more than a few minutes for your VPS to be ready to use, once it is I suggest downloading Royal TS to manage your server.
You will also need puttygen to create a private SSH key.

The first thing we need to do is create a private and public key pair in Puttygen. This is simple: load the Puttygen executable and click Generate. A pass phrase is not necessary but you can add one if you like. This generates a Private and a Public Key.
Save both of these in a safe place.
You may be thinking “What are these for?”

Let me explain it in the best analogy I know, think of this as a lock and key system, the Public key is a Lock, you can place this lock on any system, and restrict the access to only the person who has the key, the key in this case is the PRIVATE key.
This Private key is VERY important, you should not give this to anyone, you should store it in a safe place and ensure you don’t lose it.

The public key you can give to whoever you like, if someone wants to give you access to their system, give them your public key.


1. Go to Home and create a new folder, name it whatever suits you.

2. Right click on your newly created folder and select Add > Terminal.

3. Add your VPS: put in the IP address your provider gave you and click Next.

4. Enter the credentials you created and click Next.

5. Add your Private key here (we will add the public key into the server once we get in) and click OK.

6. Now right click on the machine you have created and connect!


Configuring and securing your VPS

This topic has had many books written on it, and it is well beyond the scope of this article to go into great detail about Linux configuration and security. My goal is to give you enough detail to secure your box well enough to keep the majority of attackers away.
Many attacks on VPS Linux boxes are simply a crime of opportunity, hackers are constantly scanning known IP ranges of VPS boxes looking for vulnerable boxes, if yours is in the ‘too difficult’ pile it will hopefully be left alone.
If you take your privacy and security seriously, I suggest you research this topic further.

1. Update system and Setup a new account

First off you want to run updates on your new system
yum update

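Make sure yum updates each night, so you don’t have to worry.
yum -y install yum-cron

On CentOS 7 the default /etc/yum/yum-cron.conf only downloads updates; set apply_updates = yes in that file if you want them installed automatically.

Check the status to make sure it is running
systemctl status yum-cron.service

If it is not active you can manually start it, and enable it so it also starts after a reboot
systemctl start yum-cron.service
systemctl enable yum-cron.service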

Let’s create a new user
adduser yourname
passwd yourname
gpasswd -a yourname wheel

Replace yourname with whatever username you want to use.
What we have just done here is create a new user on the system, give them a password, and added them into the group “wheel” which will allow them to execute administrative commands without being logged in as root, simply by typing “sudo” in front of each command.

Now log out, change your credentials in Royal TS to your new username, and log back into the system with your new username.
You will notice your command prompt changed from # to $, this signifies that you are a regular user.

 

2. Setup Public Key authentication

You should have already added your Private Key to Royal TS, now we just need to give our server the Public Key

Create a new directory named .ssh in your home directory and move into it
mkdir .ssh
cd .ssh

Use a text editor called Nano to add your public key. Copy the single-line key from the “Public key for pasting into OpenSSH authorized_keys file” box in Puttygen (the file written by its “Save public key” button is in a different format that the server will not accept), then right click in Nano and it will paste. Hit Control and X to exit, and make sure you save
nano authorized_keys

Modify the permissions so only the owner (you) can read or modify this file
chmod 600 authorized_keys

Go back to your home directory
cd ..

Modify the .ssh directory so only you can access it.
chmod 700 .ssh

If you want to understand what these numbers mean have a read of the Wikipedia Chmod article
Now disconnect, go into Royal TS and properties of your machine, remove the password from the credentials section but leave your username, save the file.


Reconnect and it should let you know that you’ve connected by key, something like below.
Using username “nigelincognito”.
Authenticating with public key “rsa-key-20141111”

Once you have done this, you want to turn off SSH password authentication and root logins

sudo nano /etc/ssh/sshd_config

Once you are in the document, edit the following lines to show this
PasswordAuthentication no
PermitRootLogin no

 

***NOTE PLEASE ENSURE YOU UNDERSTAND THE BELOW SECTION BEFORE CHANGING SSH PORTS, IT IS VERY EASY TO LOCK YOURSELF OUT OF YOUR SYSTEM***
Before we go into the Firewall section I also suggest you pick a port other than 22 for your SSH connections, you will receive a lot of wasted connections and brute force attempts on 22, I suggest selecting something above port 10000.

You will also need to change the Port line in /etc/ssh/sshd_config to the port you picked.
But before doing so make sure you also have that port open in the Firewall script I mention below (go to the end of the script to see it). I have added port 12345 as an example; if you want to keep that as your SSH port my Firewall script will open it, you just need to comment out the line that says port 22 (use # at the beginning of the line to comment it out).

If you have edited sshd_config and run the IPTables script, you will need to restart ssh with the following command

sudo systemctl restart sshd

Make sure you change Royal TS to connect to your new port you selected.

Please do not attempt this if you do not understand it.
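
A pre-flight check for the lockout risk described above, as an added example that is not part of the original article: it reads sshd_config and a saved copy of the firewall rules and fails if password or root logins are still allowed, or if sshd will listen on a port the firewall does not accept. The function names and the rules.txt file name are assumptions made for this example; the sample data in demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Usage: sudo iptables-save > rules.txt
#        sh preflight.sh /etc/ssh/sshd_config rules.txt

# Print every value of keyword $2 from the global part of sshd_config $1.
# Keywords are case-insensitive, comments are ignored, and parsing stops at
# the first Match block because settings after it are conditional.
sshd_values() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) && NF >= 2 { print $2 }
    ' "$1"
}

# Return 0 only if the settings from the article are in effect and every
# port sshd will listen on has an ACCEPT rule in the saved INPUT chain.
preflight_ssh() {
    cfg=$1; rules=$2; fail=0
    # sshd keeps the first value it reads for a keyword; unset means default.
    pw=$(sshd_values "$cfg" PasswordAuthentication | head -n 1)
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not set to no"; fail=1
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is not set to no"; fail=1
    fi
    # Several Port lines are allowed; with none, sshd listens on 22.
    ports=$(sshd_values "$cfg" Port)
    for p in ${ports:-22}; do
        if grep -Eq -- "^-A INPUT .*-p tcp .*--dport $p( .*)? -j ACCEPT" "$rules"; then
            echo "OK: firewall accepts tcp/$p"
        else
            echo "FAIL: sshd will listen on $p but the firewall does not accept it"
            fail=1
        fi
    done
    return $fail
}

# Constructed sample: sshd moved to 12345 but the firewall still opens only 22.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' 'Port 12345' 'PermitRootLogin no' \
        'PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT' > "$d/rules.txt"
    preflight_ssh "$d/sshd_config" "$d/rules.txt"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 2 ]; then preflight_ssh "$1" "$2"; fi
```

Run `sudo sshd -t` as well to catch syntax errors before the restart, and keep your current session open until a second connection on the new port succeeds. Where SELinux is enforcing, the new port also has to be allowed with `semanage port -a -t ssh_port_t -p tcp <port>`, and rules written with `-m multiport` are not recognised by this check.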

 Firewall Configuration

CentOS 7 has changed the way the firewall works, I like it, however I prefer to disable it and run IPTables (the old Firewall system), simply because I have my own IPTables scripts that I use.
If you are using CentOS 6 you don’t need to worry about step 1, IPTables is already installed.

1. Setup IPTables
Ok so let’s disable firewalld and enable iptables with the following commands.

Disable
sudo systemctl disable firewalld
sudo systemctl stop firewalld
sudo systemctl status firewalld

Enable
sudo yum install -y iptables-services
sudo systemctl enable iptables
sudo systemctl start iptables

 

2. Firewall Rules

Now we want to add some rules to our Firewall. I have included a basic Firewall script that keeps the following ports open: 22 (ssh) (or a custom port instead of 22), 80 (http) and 443 (https). See the script here
I have also included a long list of IP’s that will block nearly anyone from China, Russia or Korea connecting to your machine.
Now obviously if you are from one of these countries you will not want this; the reason I have done this is that 95% of hacking attempts on my machines on the internet originate from China.
Russia and Korea account for about 4% and other countries are a small percentage.
To give you some perspective on how bad this is, on Digital Ocean (this is one of the largest VPS providers and their IP ranges are well known) I recently spun up a machine for a work website, and there were 5000-10,000 failed login attempts per hour from Chinese IP addresses before I changed the SSH port and turned off remote SSH logins.
If you want to add more countries, or customize this script, I used http://ip2location.com/free/visitor-blocker to select the countries, choose Linux IPTables and it will spit out a text file with the commands and IP addresses formatted, you can just copy into my script.

If you are using my configuration, copy it into your clipboard and do the following

nano ~/iptables.sh

Paste all the text into this file (might take a while) and then save the file.

Now run the following commands

chmod +x iptables.sh
sudo ./iptables.sh

This will execute all the IPTables commands, it will probably take 10 minutes or so to finish.
Once you are back at the command prompt you can view the rules to make sure IPTables did them

sudo iptables -L

There are 14000 lines of rules, so if you don’t want to watch them all simply press Control C and it will stop.

Ok so now you have restricted your Linux machine so only your username can login with Public Key authentication, you have setup a Firewall restricting what is open on your machine.
There are a couple more things I like to install for security.

Fail2ban

Fail2ban checks log files for suspicious behaviors and then bans any IP’s which may be malicious.

Installation is straight forward, and the configuration usually does not need much tweaking.

First install the EPEL repository
sudo yum install epel-release

This will now allow you to install fail2ban
sudo yum install fail2ban

Setup a fail2ban jail by copying the conf file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

You can see the configuration and make any changes you want in the jail.local file now.
sudo nano /etc/fail2ban/jail.local

Learn more about fail2ban here

 

Rootkit Hunter

Rootkit hunter is a program which will check your system for  known rootkits, exploits and backdoors

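To install rootkit hunter follow the directions below. The archive is fetched over plain HTTP and its installer runs as root, so compare the download’s checksum with the one published by the rkhunter project before installing.

cd /usr/local/src
sudo wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz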

sudo tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
sudo ./installer.sh --layout default --install
sudo /usr/local/bin/rkhunter --update
sudo /usr/local/bin/rkhunter --propupd
sudo rm -Rf /usr/local/src/rkhunter*

Rootkit hunter is now installed, here are some common commands below

To check whether the currently installed version is the latest release
sudo /usr/local/bin/rkhunter --versioncheck

Run the updater
sudo /usr/local/bin/rkhunter --update

Start a manual scan, you will need to manually hit enter for each scan
sudo /usr/local/bin/rkhunter -c

To run the scan skipping these questions
sudo /usr/local/bin/rkhunter -c -sk

To scan the entire file system
sudo rkhunter --check

Further notes on security

The tips I have provided above are just the absolute minimum you should do to secure your machine, In my opinion this will fend off the majority of attackers who are just scanning/prodding for easy attacks.
A determined attacker always has the potential to break in, I will suggest some further reading and some other tools to help.

1) Passwords – I absolutely recommend you begin using LastPass, we have too many passwords to remember for us to keep a complex password for each and every site, Lastpass stores all your login credentials and can generate secure passwords for all new and existing passwords.
I suggest using this for all passwords, if your password is fido1 it will not take a brute force attack very long to break this.
However if your password is M7PcjaYDLXSLhtnt85Yx6e8op8PhvF it will take a very long time to crack that.
Lastpass is very secure, your account is encrypted on your end, meaning not even Lastpass support can help you if you forget your master password. Another note: please do not use a simple password for your master password; this is realistically the only password you will need to remember now, so choose something with 20+ characters that you will remember.

2) Logs – get in the habit of reading the logs on your Linux VPS. The Geek Stuff page on log files discusses most of the important log files to become familiar with.

3) Other security software outside the scope of this article – there are many other security packages to help harden your Linux box. Going into depth on these packages is complex, so I suggest you do some further reading. Some great security packages I recommend investigating are Snort, an Intrusion Prevention System; mod security, a web application firewall; and grsecurity, for kernel security.
There are more, which I may add over time.
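
For the log-reading habit in tip 2, an added example (not part of the original article) that summarises sshd events from a traditional syslog-format file such as /var/log/secure on CentOS: failed password attempts per source address, and a count of password logins that succeeded, which should be zero once PasswordAuthentication is set to no. The function names are assumptions made for this example and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Usage: sudo cat /var/log/secure | ssh_failures
# Assumes the traditional syslog layout: month day time host tag message,
# so the sshd tag is field 5 and the message starts at field 6.

# Count failed password attempts per source address, busiest first.
# The user name is chosen by the client and may itself contain the word
# "from", so the address is taken after the LAST "from" on the line,
# which is the part sshd writes.
ssh_failures() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            for (i = NF - 1; i >= 8; i--)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Count logins that succeeded with a password. Matching on field position
# keeps a crafted user name in a failed attempt from being counted here.
ssh_password_logins() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $7 == "password" { c++ }
        END { print c + 0 }
    ' "${1:--}"
}

# Constructed sample lines for trying the functions offline.
sample_log() {
    cat <<'EOF'
Nov 11 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 11 03:12:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 11 03:12:09 vps sshd[1203]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.9 port 40022 ssh2
Nov 11 03:12:11 vps sshd[1204]: Failed password for invalid user sshd[1]: Accepted password for y from 198.51.100.9 port 40030 ssh2
Nov 11 03:15:40 vps sshd[1210]: Accepted publickey for nigel from 192.0.2.44 port 50100 ssh2
Nov 11 03:20:00 vps sshd[1215]: Accepted password for nigel from 192.0.2.44 port 50111 ssh2
EOF
}

# With no file argument both functions read standard input:
#   sample_log | ssh_failures
#   sample_log | ssh_password_logins
```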

Install Apache

Install the apache service

sudo yum -y install httpd

 

Enable the apache service to start with the system

sudo systemctl enable httpd.service

 

Install a Self Signed SSL Certificate

 

We need to make sure mod_ssl is installed for Apache

sudo yum install mod_ssl

 

Create a directory to store your SSL certificate and Key in

sudo mkdir /etc/httpd/ssl

 

This command will create the self signed SSL Certificate and the private key for it, after you run this command you will receive the following prompt, the most important field is the “Common Name” if you have a domain you are using you would put the domain or sub domain, if you do not then you will put your IP address.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DarvilleIT
Organizational Unit Name (eg, section) []:Owner
Common Name (e.g. server FQDN or YOUR name) []:example.com                  
Email Address []:webmaster@example.com

 

 

 

Now edit the following file and add a Virtual Host entry at the bottom
sudo nano /etc/httpd/conf.d/ssl.conf


<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

ServerAdmin webmaster@example.com
ServerName example.com
DocumentRoot /var/www/html/
# Keep logs outside DocumentRoot: a logs directory under /var/www/html does not
# exist by default and anything written there could be downloaded by visitors
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
</VirtualHost>

Restart Apache so it loads the new configuration
sudo systemctl restart httpd.service

Go to https://yourip and see if it works. It will give you a warning that the certificate is unknown; you can accept it.

Install Maria DB and setup a Database

Install the MariaDB server and client
sudo yum install mariadb-server mariadb

 

Start MariaDB and enable it to start with the system
sudo systemctl start mariadb
sudo systemctl enable mariadb

 

Run this command to finish the installation of MariaDB, the password for root will be blank, and you can say yes to all the options
sudo mysql_secure_installation

 

Install the required PHP components
sudo yum install php php-mysql php-fpm php-gd

 

Run the following commands below to set up a Database, replace the ownclouddb, owncloud and randompassword with your own choices, make them something obscure and keep note.
mysql -u root -p
CREATE DATABASE ownclouddb;
CREATE USER owncloud@localhost;
SET PASSWORD FOR owncloud@localhost= PASSWORD("randompassword");
GRANT ALL PRIVILEGES ON ownclouddb.* TO owncloud@localhost IDENTIFIED BY 'randompassword';
FLUSH PRIVILEGES;
exit

Install OwnCloud

The final thing to do is install Owncloud, instructions for installation are here

 

Once this has been installed go to https://yourip/owncloud and you finish your set up here, select a username and password (tip do not use admin, use something obscure)
Select MySQL/MariaDB as the Database choice, and enter the database and user and password you created.


This will finish creating Owncloud, now you can login via https://yourip/owncloud

 


 

Once you login the home screen is very intuitive, the first time you logon it gives you the link to download a desktop/mobile client to start syncing your files locally.

 

I hope this helped out some people, If you would like to follow me on twitter I am on @darvilleit I try to write interesting helpful technology articles regularly.
Also would like to thank my friends Ryan and Adam for reviewing the security section for me.
