diff --git a/linux/nextcloud_server.md b/linux/nextcloud_server.md
index 2cf0eaf..fb9c913 100644
--- a/linux/nextcloud_server.md
+++ b/linux/nextcloud_server.md
@@ -100,6 +100,64 @@ Così facendo, di default il traffico in ingresso è bloccato, a eccezione delle
 Per altre configurazioni di sicurezza: [Mettere in sicurezza un VPS](https://help.ovhcloud.com/csm/it-vps-security-tips?id=kb_article_view&sysparm_article=KB0047709) e anche [Setup fail2ban](https://docs.nextcloud.com/server/21/admin_manual/installation/harden_server.html?highlight=fail2ban#setup-fail2ban)
+## fail2ban
+
+Disabilitare l'opzione `'auth.bruteforce.protection.enabled' => 'false',` nel file `/var/www/html/nextcloud/config/config.php`
+
+Quindi
+
+```bash
+apt install fail2ban
+```
+
+Dopo aver installato il pacchetto, creare i file seguenti:
+
+```bash
+ > cat /etc/fail2ban/filter.d/nextcloud.local
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+
+ > cat /etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+#Number of retrys before to ban
+maxretry = 3
+#time in seconds
+bantime = 36000
+findtime = 36000
+#Log path, on Ubuntu usually is following
+logpath = /var/www/nextcloud/data/nextcloud.log
+```
+
+Quindi abilitare e riavviare il servizio:
+
+```bash
+ > systemctl enable --now fail2ban
+ > systemctl restart fail2ban
+
+ > systemctl status fail2ban.service
+● fail2ban.service - Fail2Ban Service
+ Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
+ Active: active (running) since Sun 2023-10-22 17:44:02 UTC; 5min ago
+ Docs: man:fail2ban(1)
+ Main PID: 58185 (fail2ban-server)
+ Tasks: 7 (limit: 2295)
+ Memory: 14.2M
+ CPU: 339ms
+ CGroup: /system.slice/fail2ban.service
+ └─58185 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
+
+ott 22 17:44:02 vps-971850be systemd[1]: Started fail2ban.service - Fail2Ban Service.
+ott 22 17:44:02 vps-971850be fail2ban-server[58185]: 2023-10-22 17:44:02,748 fail2ban.configreader [58185]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
+ott 22 17:44:02 vps-971850be fail2ban-server[58185]: Server ready
+```
+
 ## Installazione
 ### nginx
@@ -174,10 +232,20 @@ $CONFIG = array (
 'version' => '27.1.2.1',
 'overwrite.cli.url' => 'https://my.domain.com/',
 'default_phone_region' => 'IT',
- 'memcache.local' => '\\OC\\Memcache\\APCu',
- # https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
 'trashbin_retention_obligation' => 'autoi, 2', # Il cestino viene svuotato in automatico ogni due giorni
+ # https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
+ 'memcache.local' => '\\OC\\Memcache\\APCu',
+ 'memcache.locking' => '\\OC\\Memcache\\APCu',
+ 'filelocking.enabled' => true,
+ 'auth.bruteforce.protection.enabled' => false,
+ 'logtimezone' => 'Europe/Rome',
+
+[...]
+
+ 'log_type' => 'file',
+ 'logfile' => '/var/log/nextcloud-error.log',
+ 'loglevel' => 2,
 [...]
 ```
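Review bot: The `failregex` in the added `filter.d/nextcloud.local` listing has no host capture as shown (`"remoteAddr":""`), and fail2ban needs one to know which address to ban, so the line should read `"remoteAddr":"<HOST>"`; the tag may have been lost in rendering, so check it in the file itself. The jail's `logpath = /var/www/nextcloud/data/nextcloud.log` also disagrees with the `'logfile' => '/var/log/nextcloud-error.log'` set in the config.php hunk that follows (and with the `/var/www/html/nextcloud` path named in the prose), so the jail would watch a file Nextcloud is not configured to write. Because the same change sets `'auth.bruteforce.protection.enabled' => false`, either mismatch leaves login attempts with no throttling at all; consider keeping the built-in protection on alongside fail2ban. The prose step quotes the value as `'false'`, a non-empty PHP string rather than the boolean used in the config hunk, and should be written `false`.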
@@ -454,3 +522,5 @@ Per la configurazione di Nextcloud sul cellulare Android, seguire [questa guida]
 - [https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html](https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html)
 - [https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html](https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html)
 - [https://serverok.in/nextcloud-apcu-not-available-for-local-cache](https://serverok.in/nextcloud-apcu-not-available-for-local-cache)
+- [https://marsown.com/wordpress/fail2ban-protection-nextcloud/](https://marsown.com/wordpress/fail2ban-protection-nextcloud/)
+- [https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24](https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24)
diff --git a/linux/script/crontab b/linux/script/crontab
index 837bb67..a08f232 100644
--- a/linux/script/crontab
+++ b/linux/script/crontab
@@ -8,3 +8,4 @@
 #* * * * * user comando
 0 9,15,20,22 * * * ~/scripts/rsync.sh
+0 9,15,20,22 * * * ~/scripts/swaync.sh