# Additional Steps

# Secure the server

To make the server more secure we will:

1\. change the default SSH port, and

2\. switch from password authentication to key files.

1\.

The default ssh port is 22. We change this to a random port: here we take the port 4200.

\- connect to your server using PuTTY

[![putty-server-login.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/bVHy6HSg4mOYTNHe-putty-server-login.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/bVHy6HSg4mOYTNHe-putty-server-login.PNG)

\- type in:

```shell
sudo nano /etc/ssh/sshd_config
```

\- search for

```
#Port 22
#AddressFamily any
```

\- change it to

```
Port 4200
#AddressFamily any
```

Here you can choose any port you like, as long as it is not already used by another program.

\- save and exit (Ctrl+O ; Ctrl+X)

\- restart the sshd daemon

\- type in:

```shell
sudo systemctl restart sshd
```

2\.

In the next step we will create a key file that contains a long, encrypted secret, which we will use for authentication instead of a normal password.

Here I will show the way with a Windows PC and the program PuTTY. You can get it here:

[https://www.ssh.com/ssh/putty/download](https://www.ssh.com/ssh/putty/download "Here you can download Putty")

After downloading and installing PuTTY

\- start PuTTYgen

[![Secure-puttygen-ed25519.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/zan5xgbWMjmLX3Ps-secure-puttygen-ed25519.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/zan5xgbWMjmLX3Ps-secure-puttygen-ed25519.PNG)

\- change Type of key to generate: from "RSA" to "ED25519"

\- then click Generate

\- move the mouse over the blank area under the green bar

[![Secure-puttygen.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/bBROtqb1VT54hf54-secure-puttygen.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/bBROtqb1VT54hf54-secure-puttygen.PNG)

\- replace the comment with something more specific for your connection; here it is the Nextcloud server, so I chose "nextcloud"

[![Secure-puttygen-comment.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/Ji6wA09A2SpOwOMQ-secure-puttygen-comment.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/Ji6wA09A2SpOwOMQ-secure-puttygen-comment.PNG)

\- now copy the shown public key

[![Secure-puttygen-keyfile.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/lCNhZ2tiLGPW1gEZ-secure-puttygen-keyfile.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/lCNhZ2tiLGPW1gEZ-secure-puttygen-keyfile.PNG)

\- save this in a simple text file on your computer for later

\- click on "Save private key" and save it on your computer

\- you will be asked for a passphrase; it protects your private key file. Whether you set one is up to you.

[![Secure-puttygen-save-private.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/YVJA7DoghFCxrl32-secure-puttygen-save-private.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/YVJA7DoghFCxrl32-secure-puttygen-save-private.PNG)

\- this .ppk file (here it is nextcloud.ppk) is your secure private key and nobody else should have it. Please keep it safe!

\- now use PuTTY to log into the server you want to secure with this key

[![putty-server-login.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/bVHy6HSg4mOYTNHe-putty-server-login.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/bVHy6HSg4mOYTNHe-putty-server-login.PNG)

\- check whether there is already a hidden .ssh folder in your home directory; type in:

```shell
ls -la
```

\- if not, create one; type in:

```shell
mkdir .ssh
```

\- change into this directory; type in:

```shell
cd .ssh
```

\- type in:

```shell
nano authorized_keys
```

\- copy the key you saved in a text file earlier into this file

\- save and exit (Ctrl+O ; Ctrl+X)

\- now you can connect via PuTTY to your server using your .ppk key file

\- open PuTTY

[![Secure-putty-select-keyfile1.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/bpvKiuGRuY2GV2vS-secure-putty-select-keyfile1.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/bpvKiuGRuY2GV2vS-secure-putty-select-keyfile1.PNG)

\- type in your hostname and port

\- on the left go to "Connection" > "SSH" > "Auth"

\- click on "Browse"

[![Secure-putty-select-keyfile2.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/WVw8Rr8Fx5iwALR8-secure-putty-select-keyfile2.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/WVw8Rr8Fx5iwALR8-secure-putty-select-keyfile2.PNG)

\- select your private key file (.ppk)

\- go back to "Session" and under "Saved Sessions" give it a name and click "Save"

[![Secure-putty-select-keyfile3.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/guekySA0fB4gUpxn-secure-putty-select-keyfile3.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/guekySA0fB4gUpxn-secure-putty-select-keyfile3.PNG)

Now you have successfully saved the connection to your server with a key file.

When everything works and you can connect with your new key file, it's time to disable password authentication for SSH.

\- connect to your server

[![putty-server-login.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/bVHy6HSg4mOYTNHe-putty-server-login.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/bVHy6HSg4mOYTNHe-putty-server-login.PNG)

\- type in:

```shell
sudo nano /etc/ssh/sshd_config
```

[![ssh-sshd_config.PNG](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/scaled-1680-/FlMAvUIqMfyib8jd-ssh-sshd-config.PNG)](https://bookstack.borghoff.ddnss.de/uploads/images/gallery/2021-04/FlMAvUIqMfyib8jd-ssh-sshd-config.PNG)

\- search for:

```
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
```

\- change it to

```
#LoginGraceTime 2m
PermitRootLogin no
```

\- this disables login as the user root

\- next search for:

```
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
```

\- change it to

```
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
```

\- save and exit (Ctrl+O ; Ctrl+X)

\- restart the ssh daemon

\- type in:

```shell
sudo systemctl restart sshd
```

Now your server no longer allows connections without a key file.
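A check for the sshd_config edits from both steps above, as an added example that is not part of the original page: it reports which values are actually active in a given file, since a commented-out or earlier leftover line can silently defeat the change. The function names are hypothetical, the sample config is constructed, and the script reads only the one file it is given.

```shell
# Added example (not from the page): sshd uses the FIRST active occurrence of a keyword.

# effective_value FILE KEYWORD DEFAULT -> first active value in the global section
effective_value() {
    awk -v key="$2" -v def="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }      # comments and blanks are inactive
        { split(line, f, /[ \t=]+/) }           # "Keyword value" or "Keyword=value"
        tolower(f[1]) == "match" { exit }       # global section ends at first Match
        tolower(f[1]) == tolower(key) { print f[2]; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# listen_ports FILE -> all active Port values (Port may appear more than once)
listen_ports() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        line ~ /^#/ { next }
        tolower(f[1]) == "port" { printf "%s%s", sep, f[2]; sep = " " }
        END { if (sep == "") printf "22"; print "" }
    ' "$1"
}

# check_hardening FILE PORT -> status 0 only if all three settings are active
check_hardening() {
    rc=0
    [ "$(listen_ports "$1")" = "$2" ] ||
        { echo "FAIL: sshd listens on: $(listen_ports "$1")"; rc=1; }
    [ "$(effective_value "$1" PermitRootLogin prohibit-password)" = no ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    grep -qi '^[[:space:]]*include[[:space:]]' "$1" &&
        echo "NOTE: Include present; drop-in files are not parsed by this script"
    return $rc
}

# Constructed sample: the edits were made, but a leftover earlier line overrides one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 4200
PermitRootLogin no
PasswordAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
EOF
check_hardening "$sample" 4200 || echo "sshd_config still needs fixing"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` validates the file before the restart and `sudo sshd -T` prints the effective settings, including files pulled in by `Include`. Keep the current session open until a second login with the key file has succeeded.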

# Fail2ban

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

More on [https://en.wikipedia.org/wiki/Fail2ban](https://en.wikipedia.org/wiki/Fail2ban)

# UFW - Uncomplicated Firewall

More here [https://help.ubuntu.com/community/UFW](https://help.ubuntu.com/community/UFW)

# Samba

Create the following folder structure with the corresponding permissions:

/media/share

drwxr-x--- 2 Christin erwachsene 4096 Apr 17 00:18 Christin/  
drwxrwx--- 2 root root 4096 Apr 17 00:29 Gemeinsam/  
drwxr-x--- 2 Jan1 erwachsene 4096 Apr 17 00:18 Jan/  
drwxr-x--- 2 Johanna kinder 4096 Apr 17 00:18 Johanna/  
drwxr-x--- 2 Sophie kinder 4096 Apr 17 00:28 Sophie/

For this, the users and the corresponding groups must already be set up, including their Samba passwords etc.

# ddnss.de

[https://9minuti.com/ddns-updater-with-docker-and-raspberry/](https://9minuti.com/ddns-updater-with-docker-and-raspberry/)

# Error "/.well-known/caldav" etc

\- go to your Nginx Proxy Manager web page.

\- for your Nextcloud

In NPM, simply go to Proxy Hosts, click "Edit" for the matching domain, then open "Advanced" in the new window

and enter the following values:

```
location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}
```

Edited September 29 by i-B4se