# Basic questions regarding NextCloud installation [ANSWERED]

## VCoS

I'm looking to set up 'www-apps/nextcloud'. I've read the instructions:

- Nextcloud 11 Server Administration
- Gentoo Wiki "Owncloud"
- Gentoo Forums Documentation Tips and Tricks "Nextcloud and Lighttpd"

I've never set up an Internet facing server before and have some basic questions:

I'm looking at:

```
webapp-config -h myDomain.com -d cloud -C owncloud 5.0.14
```

from the Wiki article. Specifically, I'm not sure what to do about "myDomain.com". For access across the Internet, I usually set up port forwarding and just use the current IP address assigned by my ISP instead of a domain name. This is because I'm almost always the only person needing access to my internal network. Do I actually need to purchase a domain name and {optionally set up Dynamic DNS} or can I use an IPv4 address here? The personal cloud server I'm setting up will most likely be limited to immediate family so explicitly using an IP address is not a hardship.

I get that the instructions assume the possibility of multiple domain names going to the same IP address. But no one seems to allow for the possibility of direct IP address access.

I would like to use "links" from within an 'ssh' session for running the Nextcloud installation wizard. Does anyone know if this is possible? Otherwise I'll need to run the installation process using 'occ'.

Comments, thoughts and suggestions are welcome!

Last edited by VCoS on Wed Feb 22, 2017 6:20 pm; edited 1 time in total

----------

## Fitzcarraldo

You could obtain a free dynamic hostname (e.g. https://vcos.ddns.net) from https://www.noip.com/remote-access for example, and configure your router to use DDNS. The only downside to using a free DDNS service is that you will receive a monthly e-mail from them asking you to click on a link to renew your free address for another month. However, if you opt to pay for their enhanced package then you won't get the monthly e-mail.

If you have a home router that supports NAT loopback then you will be able to enter the same URL in the Web browsers of machines on your home network too. If your home router does not support NAT loopback then you will have to enter the IP address on home machines (which is not a big deal for non-technical family members if you create a bookmark for them in their browsers).

A word of warning, though: As soon as you open your ports to the Internet, your server will be probed (and possibly attacked) from anywhere in the World. The large majority of probes and attacks on my server come from China, but I see plenty from many other countries. You will need to implement robust firewall rules on your server, and I strongly recommend you install intrusion detection and prevention software (one such example is SNORT, with a daily crontab job to run PulledPork to download new SNORT rules). I'm not exaggerating; as soon as you open your ports the probing will be relentless. A decent firewall will protect against DoS attacks by using rate-limiting for example, and it will also allow you to limit access from source IP addresses. Intrusion Detection & Prevention software uses signatures to protect against well-known protocol attacks.

----------

## saboya

For DDNS there's also Duck DNS: https://www.duckdns.org/

----------

## VCoS

 *Fitzcarraldo wrote:*   

> You could obtain a free dynamic hostname (e.g. https://vcos.ddns.net) from https://www.noip.com/remote-access for example, and configure your router to use DDNS. The only downside to using a free DDNS service is that you will receive a monthly e-mail from them asking you to click on a link to renew your free address for another month. However, if you opt to pay for their enhanced package then you won't get the monthly e-mail.

 

Good to know!

 *Fitzcarraldo wrote:*   

> If you have a home router that supports NAT loopback then you will be able to enter the same URL in the Web browsers of machines on your home network too. If your home router does not support NAT loopback then you will have to enter the IP address on home machines (which is not a big deal for non-technical family members if you create a bookmark for them in their browsers).

 

I used to run a re-purposed Pentium PC as a firewall router so I'm familiar with the concept. Nowadays, I have Frontier {formerly Verizon FIOS} so I'm currently required to use their router. I'm pretty sure it supports NAT loopback but I haven't checked yet. Even if it doesn't, as you noted, it's not really a hardship.

 *Fitzcarraldo wrote:*   

> A word of warning, though: As soon as you open your ports to the Internet, your server will be probed (and possibly attacked) from anywhere in the World. The large majority of probes and attacks on my server come from China, but I see plenty from many other countries. You will need to implement robust firewall rules on your server, and I strongly recommend you install intrusion detection and prevention software (one such example is SNORT, with a daily crontab job to run PulledPork to download new SNORT rules). I'm not exaggerating; as soon as you open your ports the probing will be relentless. A decent firewall will protect against DoS attacks by using rate-limiting for example, and it will also allow you to limit access from source IP addresses. Intrusion Detection & Prevention software uses signatures to protect against well-known protocol attacks.

 

Yeah. Definitely true. And it's always good to be reminded of these things. In that spirit:

Currently, I use a non-standard, non-pingable port for ssh only access with no root logon permitted. I route my rsync jobs through ssh. I log all access attempts and I've set up a cron job for periodic summary emails. So far, that's been sufficient.

However, I completely agree that since I'm going to open up my own personal cloud server, then intrusion detection is a must. Thank you very much for the reminder as I hadn't given any thought to that at all.

 *saboya wrote:*   

> For DDNS there's also Duck DNS: https://www.duckdns.org/

 

Thanks!
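As an added example (not code from the thread) of the kind of periodic summary VCoS mentions: a parser that counts sshd authentication failures per source address over constructed syslog-style lines and formats the body of a summary e-mail. The log lines, hostname and addresses are constructed, not real captures.

```python
import re
from collections import Counter

# Matches the standard OpenSSH failure messages, e.g.
#   "Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2"
#   "Failed password for root from 198.51.100.4 port 40022 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log; one source hammers the server, one accepted login is mixed in.
SAMPLE_LOG = """\
Feb 22 03:14:01 cloud sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Feb 22 03:14:03 cloud sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Feb 22 03:14:06 cloud sshd[2213]: Failed password for root from 203.0.113.9 port 51250 ssh2
Feb 22 03:20:11 cloud sshd[2301]: Failed password for root from 198.51.100.4 port 40022 ssh2
Feb 22 03:21:45 cloud sshd[2310]: Accepted publickey for vcos from 192.0.2.10 port 55000 ssh2
Feb 22 03:22:00 cloud sshd[2315]: Failed publickey for vcos from 192.0.2.10 port 55001 ssh2
"""

def summarise(log_text):
    """Return ({src: failure count}, {src: set of usernames tried}) for failed logins."""
    per_src = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        per_src[m["src"]] += 1
        users.setdefault(m["src"], set()).add(m["user"])
    return per_src, users

def report(log_text, threshold=3):
    """Format the e-mail body: sources with at least `threshold` failures, busiest first."""
    per_src, users = summarise(log_text)
    lines = [
        f"{src}: {n} failed logins, users tried: {', '.join(sorted(users[src]))}"
        for src, n in per_src.most_common() if n >= threshold
    ]
    return "\n".join(lines) if lines else "no source reached the threshold"

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```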

----------

## roki942

 *VCoS wrote:*   

> Currently, I use a non-standard, non-pingable port for ssh only access with no root logon permitted. 

 

Ok, I admit to being network/Google challenged along with being a noob in this area, but I could find nada with a "make a port unpingable" search.

Would someone kindly post a link to where I can learn how it is done?

Thank you.

----------

## dataking

 *roki942 wrote:*   

>  *VCoS wrote:*   Currently, I use a non-standard, non-pingable port for ssh only access with no root logon permitted.  
> 
> Ok I admit to being network/googled challenged along with being a noob in this area but I could find nada with a make a port unpingable search.
> 
> Would someone kindly post a link to where I can learn how it is done?
> ...

"Unpingable" is likely a misnomer here.

Strictly speaking, disabling ICMP will make a device "unpingable".  However, as you may know, any running services, like SSH in this case, will open ports to the network, or possibly the internet, which can then be detected by other means.

There is a technique that you may be interested in researching called "port-knocking", in which a specific series of packets sent to the target will cause the port to open and the service to become available.  To people/devices that don't know the correct sequence, the port/service will appear to be closed, or "unpingable" one might say.  I've never actually used this technology, so that's about the extent of my knowledge on the subject.  lol, YMMV
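A server-side knock tracker showing the behaviour dataking describes, added here as an example and not code from the thread: each source must hit the secret ports in order within a time window, a wrong port resets its progress, and only a completed sequence tells the caller to open the service for that source. The knock ports, window and addresses are constructed; actually opening the port (inserting a firewall rule) is left to the caller.

```python
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret knock sequence
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence

class KnockTracker:
    """Per-source progress through the knock sequence (the daemon's decision logic only)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # src -> (index of the next expected knock, time of the first knock)
        self.progress = defaultdict(lambda: (0, 0.0))

    def knock(self, src, port, now):
        """Record one packet from src to a closed port; True when src finished the sequence."""
        idx, started = self.progress[src]
        if idx and now - started > self.window:
            idx, started = 0, 0.0             # too slow: start over
        if port != self.sequence[idx]:
            # Any wrong port resets progress. A hit on the first knock port restarts
            # the sequence; anything else (e.g. a sequential scan) goes back to zero.
            self.progress[src] = (1, now) if port == self.sequence[0] else (0, 0.0)
            return False
        idx += 1
        if idx == len(self.sequence):
            del self.progress[src]            # done; the caller opens the port for src
            return True
        self.progress[src] = (idx, now if idx == 1 else started)
        return False

def simulate(events, tracker=None):
    """Feed constructed (src, port, time) events; return the sources that earned access."""
    tracker = tracker or KnockTracker()
    return [src for src, port, t in events if tracker.knock(src, port, t)]

# Constructed traffic: a client with the right knocks, a scanner sweeping ports in
# order, and a client that knocks correctly but exceeds the time window.
EVENTS = [
    ("203.0.113.5", 7000, 0.0), ("203.0.113.5", 8000, 0.5), ("203.0.113.5", 9000, 1.0),
    ("198.51.100.9", 7000, 2.0), ("198.51.100.9", 7001, 2.1),
    ("198.51.100.9", 8000, 2.2), ("198.51.100.9", 9000, 2.3),
    ("192.0.2.77", 7000, 3.0), ("192.0.2.77", 8000, 4.0), ("192.0.2.77", 9000, 20.0),
]

if __name__ == "__main__":
    print("open SSH for:", simulate(EVENTS))   # open SSH for: ['203.0.113.5']
```

Knocking only hides the listener from scanners that do not know the sequence; the service behind it still needs its own authentication and logging.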

----------

## VCoS

 *roki942 wrote:*   

>  *VCoS wrote:*   Currently, I use a non-standard, non-pingable port for ssh only access with no root logon permitted.  
> 
> Ok I admit to being network/googled challenged along with being a noob in this area but I could find nada with a make a port unpingable search.
> 
> Would someone kindly post a link to where I can learn how it is done?
> ...

 

As dataking pointed out, "unpingable" is something of a misnomer.

Turning off ICMP is what I was actually referring to. Nearly all of the 'attacks' I've seen are run by automated tools. Generally speaking, all the script kiddie {read: automated} tools rely on basics like ICMP to find open ports.

Unless you are or expect to be specifically targeted by a bad actor for an explicit reason, specialized techniques are not really worth the time and effort {and money} to worry about. Yes, I realize everyone has a different threshold of potential pain. On the other hand, targets like residential devices and networks are usually for the purposes of acquiring DDoS botnets and generally stupid attacks. Turning off ICMP (unpingable) helps protect a port from casual drive-by mischief. It's not going to protect against specialized techniques.

We normally configure all internal devices on our internal networks with default {read:ON} ICMP behavior. After all, normal network administration needs this.

We normally configure all Internet facing port forwarding ports at the firewall with ICMP OFF. We turn ICMP on for these at need when doing diagnostics/testing. It really does make a very significant difference with how many malicious probes/logon attempts get logged.

For port forwarding ports, we also pick random port numbers. This helps because most of the automated scripts don't bother with full range port scans. If you're a bad actor looking to acquire devices for your next great DDoS attack, you're almost always looking for common, unprotected (easy to find, easy to attack) devices with the least amount of effort possible. Random ports that don't respond to standard 'pings' are not on the attack list.

I didn't mean to confuse anyone with my casual terminology.

Note that SNORT does detect these specialized techniques {many of them involve packet fragments for example} so if you do have explicit reasons for being concerned, you do have tools available to protect your networks.

Since I'll definitely be setting up Nextcloud, I will also be setting up SNORT on our network. Making a server available to the Internet is far beyond just doing ssh admin and rsync backups. In fact, I'm giving serious consideration to setting up all the port forwarding ports inline with SNORT. Setting up SNORT is now at the top of my list. While I think many people get too hung up on all possible/conceptual/potential attacks, once I decide on a level of security, I don't believe in 'security' as an afterthought. So Nextcloud will have to wait for a bit.

Oh well. And I thought this project was going to be quick and easy. Never believe marketspeak.

----------

## roki942

dataking and VCoS, thank you very much for your replies which both got me to understand it and given me an entry point into the area.

As I just upgraded my old WRT54G to a WRT3200ACM I have much to learn and many new options to explore.

----------

