Managing files in the Seafile personal cloud

Add Some Security to Your Server

When you buy a server from Digital Ocean or Linode, you get a bare minimal system. The first thing to do is ensure that it's fully updated. SSH into your server and update the system:

ssh root@SERVER_IP
sudo apt-get update
sudo apt-get dist-upgrade

Create a user for the system and add it to the sudo group, so it has sudo powers and you can prevent anyone from SSHing into the server as the root user.

adduser swapnil
gpasswd -a swapnil sudo

For additional security, change the default port for ssh and block root login. Open the sshd configuration file using your preferred editor. Look for the port number and change it from the default 22 to any higher port (just don't use a port already used by the system).

To block root SSH access, look for the following directive and change it from yes to no:

PermitRootLogin no

Save and close the config file. Now restart ssh service:

service ssh restart

Don't log out of your server or close the terminal window.

Open another terminal window and ssh into your system using the newly created user and port, using:

ssh -pPORT_NUMBER USER_NAME@SERVER_IP

For example:

ssh -p1977 swapnil@102.22.123.22

Give the password for the user and log into your system.

If everything works fine, you have added some basic security to the server. To add another layer of security, I recommend using a key instead of a password to log into your system.
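
Before restarting ssh, you can confirm that the edited file really contains both changes. The following script is an added example, not part of the original article; the function names and the sample file are constructed for illustration, and it assumes the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two changes made above.
# sshd keywords are case-insensitive and the first value found wins;
# lines after a "Match" keyword apply only conditionally, so stop there.

sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$2"
}

audit_sshd_config() {  # usage: audit_sshd_config FILE; returns 0 if both checks pass
    file=$1 rc=0
    port=$(sshd_effective Port "$file")
    root=$(sshd_effective PermitRootLogin "$file")
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: sshd still listens on the default port 22"; rc=1
    else
        echo "ok:   Port $port"
    fi
    if [ "$root" = no ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    return $rc
}

# Constructed sample: the port was changed, but the root login line is
# still commented out and the only active "no" sits inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Port 22
Port 1977
#PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "fix the file before restarting ssh"
rm -f "$sample"
```

On the server, run audit_sshd_config /etc/ssh/sshd_config; sshd -t additionally checks the file for syntax errors before you restart the service.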

Set Up the MariaDB Database

The next step is to install the core components needed for Seafile. I'll start with the database. I will use the latest stable branch (10.x) of MariaDB. Because Ubuntu doesn't have the latest MariaDB packages, I will add official MariaDB repositories.

Visit the download page of MariaDB [4] to obtain updated instructions for choosing the right mirror for your distro.

# apt-get install software-properties-common
# apt-key adv --recv-keys --keyserver \
  hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db

Then, open the sources.list file and add the main repo at the bottom:

deb http://mirror.jmu.edu/pub/mariadb/repo/10.0/ubuntu trusty main

Update the repos and install the MariaDB server (choose the 10.x branch):

apt-get update
apt-get install mariadb-server

During the installation, MariaDB will ask to create a root password for the database server. Once the database is installed, you will need to create some system tables. First, however, you should stop the MySQL daemon (MariaDB is the drop-in replacement for MySQL, so it uses the same commands used for MySQL server – don't be confused by the sight of the term MySQL).

Kill the MySQL daemon:

killall mysqld

The following command will initialize the MariaDB data directory and create the necessary system tables.

mysql_install_db

The preceding command also created some test tables and users, which should be removed for security purposes. Start the service with:

service mysql start

Enter the following command to launch a script that will perform some tasks to secure the database:

sudo mysql_secure_installation

The script asks a series of questions. Say no to the first question, because you don't need to change the root password, and say yes to the rest.

To add one more layer of security, you need to open the my.cnf file and add the line

local-infile=0

in the [mysqld] section, somewhere after the bind-address directive.
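
The placement matters: a line appended at the bottom of my.cnf usually ends up under a later section such as [mysqldump], where the server ignores it. The following check is an added example, not part of the original article; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that local-infile=0 sits inside [mysqld].
# In option files the last occurrence wins, "-" and "_" are
# interchangeable in option names, and a bare option means "enabled".

mysqld_local_infile() {  # usage: mysqld_local_infile FILE; prints the value or "unset"
    awk '
        /^[ \t]*(#|;)/ { next }                       # comment lines
        /^[ \t]*\[/ {                                 # section header
            sec = tolower($0); gsub(/[][ \t]/, "", sec); next
        }
        sec == "mysqld" {
            line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            n = split(line, kv, "=")
            key = tolower(kv[1]); gsub(/_/, "-", key)
            if (key == "local-infile") val = (n > 1 ? tolower(kv[2]) : "1")
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

check_local_infile() {  # returns 0 only when LOAD DATA LOCAL is disabled
    case $(mysqld_local_infile "$1") in
        0|off|false) echo "ok:   local-infile disabled in [mysqld]" ;;
        *) echo "FAIL: local-infile not disabled in [mysqld]"; return 1 ;;
    esac
}

# Constructed sample: the line was appended at the end of the file and
# therefore belongs to [mysqldump], not [mysqld].
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
[mysqldump]
quick
local-infile=0
EOF
check_local_infile "$sample" || echo "move the line up into the [mysqld] section"
rm -f "$sample"
```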

Set Up Nginx and Other Packages

If you want SSL support, you'll need to install nginx-full instead of nginx:

# apt-get install nginx-full
# apt-get install python python-setuptools python-imaging \
  python-mysqldb

Create a directory to store the certificate and the key:

# mkdir /etc/nginx/ssl

Then, you can generate the key and the certificate:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
   -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

You will have to provide some personal information on organization name, location, and web address to generate the SSL key and certificate. The certificate and the key will land in the /etc/nginx/ssl directory.

Now create an nginx configuration file for this server inside the sites-available directory and populate the config file with the contents shown in Listing 1.

Listing 1

Nginx Configuration File

 

You have to make three changes to the file in Listing 1. First, replace your-domain.com with the name or IP address of your domain (two instances). Then, in the last section, location /media, replace SITE_DIRECTORY with the directory where you will download the Seafile packages. (Throughout this article, the root directory is sea and its path is /var/www/sea. Exchange these names with the names you chose on your server.)

Next, save and close this file and then create a symlink in the sites-enabled directory:

# ln -s /etc/nginx/sites-available/sea /etc/nginx/sites-enabled/

Remove the default config file from the sites-enabled directory as shown in the following example:

# rm -r /etc/nginx/sites-enabled/default

Then, open the nginx.conf file and uncomment the following lines:

server_tokens off;
server_names_hash_bucket_size 64;
server_name_in_redirect off;

After completing these steps, you can save and close the file.
