# sysrc sshd_enable="YES"
# service sshd start
# adduser
Username: The new user on whose behalf we will perform all operations in the terminal. Enter, for example, superstepa .
Full name: The full name of this user. Enter, for example, Dyadya Stepa Policeman .
Uid (Leave empty for default): Well, if asked to leave empty, then do so. Feel free to press Enter .
Login group [superstepa]: We want our user to have all the rights of the local administrator (the superuser), so we put it in the wheel group: type wheel here.
Login group is wheel. Invite superstepa into other groups? []: Press Enter .
Login class [default]: Press Enter .
Shell (sh csh tcsh git-shell nologin) [sh]: Leave the default sh. Just hit Enter .
Home directory [/home/superstepa]: And again Enter .
Home directory permissions (Leave empty for default): Enter again.
Use password-based authentication? [yes]: Do we want this user to authenticate with a password? Of course yes! Hit Enter .
Use an empty password? (yes / no) [no]: We are for security and do not want a new user with superuser rights to have an empty password. So again press Enter .
Use a random password? (yes / no) [no]: I'm just sure that the password we invented is the most reliable. And we want to use it. And therefore Enter .
Enter password: Here it is. Enter the password you have chosen.
Enter password again: Enter it again.
Lock out the account after creation? [no]: No, you do not need to block this account. Just Enter .
OK? (yes / no): Check that everything is correct and, if so, answer yes .
Add another user? (yes / no): We don’t need other users. No.
# pkg upgrade
# pkg install mariadb100-server php56-extensions php56-bz2 php56-curl php56-exif php56-fileinfo php56-gd php56-mbstring php56-mcrypt php56-pdo_mysql php56-openssl php56-zip php56-zlib pecl-APCu pecl-intl
# portsnap fetch extract
# cd /usr/ports/www/nginx && make config
In the options menu of the nginx port, enable the following:
IPV6
HTTP
HTTP_CACHE
HTTP_DAV
HTTP_FLV
HTTP_GZIP_STATIC
HTTP_PERL
HTTP_REWRITE
HTTP_SSL
HTTP_STATUS
Www
# make install
# cd /usr/local/etc/nginx/
# openssl genrsa -des3 -out server.key 1024
(1024-bit RSA is below today's accepted minimum; for a new key use 2048 bits or more. -des3 protects the key with a passphrase, which the steps below strip off so nginx can start unattended.)
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
After this step server.key no longer has a passphrase, so keep it readable only by root (chmod 600) and do not copy it elsewhere.
# sysrc nginx_enable="YES" php_fpm_enable="YES" mysql_enable="YES"
# pkg install nano
Shared object "libiconv.so.2" not found, required by "libgmodule-2.0.so.0"
# pkg delete -f gettext
# pkg upgrade
# cp /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/nginx.old
# nano /usr/local/etc/nginx/nginx.conf
worker_processes 2;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    # only the first line of the stock log_format survived the copy; keep the remaining
    # format lines from the original nginx.conf here
    log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
    access_log logs/access.log main;
    sendfile off;
    keepalive_timeout 65;
    gzip off;
    # https
    ssl_certificate /usr/local/etc/nginx/server.crt;
    # https
    ssl_certificate_key /usr/local/etc/nginx/server.key;
    # no ssl_protocols / ssl_ciphers are set here, so the defaults of your nginx version apply; review them
    server {
        # https
        listen 443 ssl;
        root /usr/local/www;
        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }
        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }
        location ^~ /owncloud {
            index index.php;
            try_files $uri $uri/ /owncloud/index.php$is_args$args;
            client_max_body_size 512M;
            # deny direct access to the data directory, config and other internal files
            location ~ ^/owncloud/(?:\.|data|config|db_structure\.xml|README) {
                deny all;
            }
            # PHP goes to php-fpm over the socket configured in php-fpm.conf below;
            # cgi.fix_pathinfo=0 in php.ini keeps PHP from falling back to a non-PHP
            # file when the requested .php path does not exist
            location ~ \.php(?:$|/) {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                include fastcgi_params;
                fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
            }
            location ~* \.(?:jpg|gif|ico|png|css|js|svg)$ {
                expires 30d;
                add_header Cache-Control public;
            }
        }
    }
}
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
# nano /usr/local/etc/php.ini
always_populate_raw_post_data = -1
; date.timezone ships commented out in php.ini-production; remove the leading ; and set it
date.timezone = Europe/Moscow
; keep this at 0: with 1, PHP would execute the nearest existing file when a requested .php path does not exist
cgi.fix_pathinfo = 0
upload_max_filesize = 512M
post_max_size = 512M
# cp /usr/local/etc/php-fpm.conf /usr/local/etc/php-fpm.old
# nano /usr/local/etc/php-fpm.conf
listen = /var/run/php-fpm.sock
; listen.owner / listen.group ship commented out; uncomment them so the socket belongs to
; the user nginx runs as (www here), otherwise nginx cannot connect to it
listen.owner = www
listen.group = www
env[PATH] = /usr/local/bin:/usr/bin:/bin
# cp /var/db/mysql/my.cnf /var/db/mysql/my.old
# nano /var/db/mysql/my.cnf
[server]
# skip-networking: MariaDB only accepts local socket connections, so the database
# user created below is not reachable over the network
skip-networking
skip-name-resolve
innodb_flush_method = O_DIRECT
# skip-innodb_doublewrite and innodb_flush_log_at_trx_commit = 2 trade crash
# durability for speed; keep the defaults if losing the last second of writes on a crash matters
skip-innodb_doublewrite
innodb_flush_log_at_trx_commit = 2
innodb_file_per_table
expire_logs_days = 1
# service nginx start && service php-fpm start && service mysql-server start
# mysql_secure_installation
# mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'ownclouduserdb' IDENTIFIED BY 'passwordownclouddb';
FLUSH PRIVILEGES;
quit;
Replace ownclouduserdb / passwordownclouddb with your own user name and a strong password; the same values are entered in the ownCloud installer later.
# fetch "http://download.owncloud.org/community/owncloud-8.0.2.tar.bz2"
The archive is downloaded over plain HTTP with no integrity check; compare it against the checksum or signature published on the ownCloud download page before extracting it.
# tar jxf owncloud-*.tar.bz2 -C /usr/local/www
# rm owncloud-*.tar.bz2
# chown -R www:www /usr/local/www/owncloud /mnt/files
# setenv EDITOR nano
# crontab -u www -e
*/15 * * * * /usr/local/bin/php -f /usr/local/www/owncloud/cron.php
crontab: installing new crontab
Username : The name of our cloud administrator. For example, Stepanadministratovich .
Password : Administrator password.
The data directory : I prefer /mnt/files/ . In this directory I later mount my FreeNAS storage volumes. If you need an explanation of how, write in the comments.
Database User : We created it earlier in step 2.9 of our ownclouduserdb .
Database password : Also assigned earlier in step 2.9 passwordownclouddb .
Database name : All the same step 2.9 owncloud .
# ln -s /usr/local/www/owncloud/robots.txt /usr/local/www
# cd /usr/ports/security/py-fail2ban
# make install clean
# touch /var/log/owncloud-acces.log
# cd /var/log/
# chown www:www owncloud-acces.log
# nano /usr/local/www/owncloud/config/config.php
'logtimezone' => 'Europe/Moscow',
'logfile' => '/var/log/owncloud-acces.log',
'loglevel' => '2',
'log_authfailip' => true,
The fail2ban filter below needs the client address in each failed-login entry, which is what log_authfailip provides.
# nano /var/log/owncloud-acces.log
{"reqId":"es09787k250rv52fu0iu44124z494687","remoteAddr":"192.168.1.1","app":"core","message":"Login failed: 'Admin' (Remote IP: '192.168.1.10', X-Forwarded-For: '')","level":2,"time":"2015-04-04T18:59:50+03:00"}
# nano /usr/local/etc/fail2ban/filter.d/owncloud.conf
[Definition]
# one pattern per ownCloud version, in order: <= 7.0.1, 7.0.2-7.0.5, >= 8
# <HOST> is taken from the server-side address (IP / Remote IP / remoteAddr), never from
# the X-Forwarded-For header, which the client controls
failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}
            {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
            {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}
# cp /usr/local/etc/fail2ban/jail.conf /usr/local/etc/fail2ban/jail.old
# nano /usr/local/etc/fail2ban/jail.conf
[owncloud]
enabled = true
filter = owncloud
port = https
# the ownCloud log file configured in config.php above
logpath = /var/log/owncloud-acces.log
# addresses that are never banned (your own management host)
ignoreip = 192.168.1.59
# 2 failed logins within 600 seconds ban the address for 86400 seconds (one day)
maxretry = 2
bantime = 86400
findtime = 600
# the second action line must be indented (e.g. with a Tab) to belong to the same key
action = bsd-ipfw
         pushover-notify
# fail2ban-regex /var/log/owncloud-acces.log /usr/local/etc/fail2ban/filter.d/owncloud.conf
Lines: 2 lines, 0 ignored, 2 matches, 0 missed [processed in 0.0 sec]
# cp /usr/local/etc/fail2ban/action.d/bsd-ipfw.conf /usr/local/etc/fail2ban/action.d/bsd-ipfw.local
# nano /usr/local/etc/fail2ban/action.d/bsd-ipfw.conf
actionban = ipfw table <table> add <ip>
# ipfw add 1 deny all from table(1) to me
Rule number 1 is evaluated before every other rule, so banned addresses are dropped before any allow rule; the table number must match the <table> the bsd-ipfw action adds to.
Useful ipfw commands:
ipfw list (show the rules)
ipfw delete 13 (delete rule number 13)
ipfw add 14 <rule> (add a rule with number 14)
ipfw table 1 add 192.168.1.5 (add an address to table 1)
ipfw table 1 add 192.168.1.0/24 (add a network to table 1)
ipfw table 1 list (show the contents of table 1)
ipfw add deny ip from table(10) to me (deny traffic from everything in table 10)
ipfw table 1 delete 192.168.1.5 (remove an address from table 1)
ipfw table 1 flush (empty table 1)
# touch /usr/local/etc/fail2ban/action.d/pushover-notify.conf
# sysrc fail2ban_enable="YES"
# /usr/local/etc/rc.d/fail2ban start
fail2ban-client status (list the jails)
fail2ban-client status owncloud (status of the owncloud jail, including banned addresses)
fail2ban-client set owncloud unbanip MYIP (unban an address; MYIP is the banned IP)
# nano /usr/local/etc/fail2ban/action.d/pushover-notify.conf
[Definition]
actionstart =
actionstop =
actioncheck =
# -k disables TLS certificate verification, so the token and user key are sent to whatever
# answers for api.pushover.net; drop -k once a CA bundle (ca_root_nss) is installed so curl can verify the server
actionban = curl -k https://api.pushover.net/1/messages.json -F token=<token> -F user=<user> -F title="ownCloud Alarm" -F message="<ip> is banned after <failures> attempts against <name>"
actionunban = curl -k https://api.pushover.net/1/messages.json -F token=<token> -F user=<user> -F title="ownCloud Alarm" -F message="<ip> is unbanned"

[Init]
name = default
token = [API Token/key (application key)]
user = [User key]
# /usr/local/etc/rc.d/fail2ban restart
Source: https://habr.com/ru/post/255019/