Secure Remote File Sharing Setup Help Needed

Kurt_31

@Master Disaster @Eigenvektor @Akolyte @Pixel5

 

So the time has come, the hardware I was waiting for will be arriving today. I've done some research here and there in the meantime and have somewhat of a plan. I'd just like to run it all by everyone first in case I've missed something crucial.

 

- Install Ubuntu Server 20.04.2 LTS on my designated server PC. Hardware is an AMD A8-6600k CPU, 8GB DDR3 RAM (I can add another DIMM to achieve 16GB if recommended) and a 500GB SSD. Connected to my router via ethernet cable so my internal IP address does not change.

 

- Install openssh-server and allow port 22

 

- Move over to my main pc and access the server via CMD prompt using SSH and login credentials

 

- Follow the following tutorial substituting in the latest version of NextCloud https://www.techrepublic.com/article/how-to-install-nextcloud-19-on-ubuntu-server-20-04/

 

From here is where I get a little confused. From what I understand I will need to forward port 22 in my router setting to the IP address of my server to allow external access, however I'm unsure how to make this secure and how to initiate the connection on the remote end.

 

I am going to be calling my ISP today and upgrading my plan in order to get a Static IP address and as an added bonus my speeds will increase from 100/20 up to 100/40. I also intend to set up a website in the future and have found an available domain name that I like. I'm happy to purchase that domain now if that will make life easier. Ideally I want to be able to access the Nextcloud server remotely by simply typing into a browser www.mydomainname.com.au/cloud or via the Nextcloud app once I look into how that is set up, then to use individual login credentials in the Nextcloud interface.

 

So from what I understand having the Static IP address will eliminate the need to use a DDNS service? And will having my own domain name require me to set up a webserver on the Server PC as opposed to using Apache? I feel confident in researching and setting up everything, however it is knowing what the features/apps are called that I require that I get stuck on.

 

i.e. I can work out how to remotely connect to the server PC from my main PC on the network because I know it is referred to as a 'remote connection' and can google the process, it's working out that it's called a 'remote connection' that I struggle with.

 

Hopefully that all makes sense, and once again thanks in advance for all and any help offered.

 

Cheers,

Kurt


1 hour ago, Kurt_31 said:

From here is where I get a little confused. From what I understand I will need to forward port 22 in my router setting to the IP address of my server to allow external access, however I'm unsure how to make this secure and how to initiate the connection on the remote end.

Communication over SSH is encrypted, so it is secure. However SSH is a popular goal for botnets to get into, since it allows control of the remote machine. So you should never use a weak password, or ideally no password at all and use private/public-key authentication instead: https://serverpilot.io/docs/how-to-use-ssh-public-key-authentication/

 

You should also disable root login and instead only allow "normal" users to log in, who then become root either through su. This way, if someone were to compromise the user's credentials they still can't do overly much unless they also manage to compromise root's credentials.

 

For extra security you probably don't want SSH exposed to the internet at all and instead use a VPN connection and then SSH through that VPN connection.

 

1 hour ago, Kurt_31 said:

So from what I understand having the Static IP address will eliminate the need to use a DDNS service?

With a static IP you can use a regular DNS service instead of DDNS. But you still need to get a domain name from someone, you can't "invent" your own.

 

1 hour ago, Kurt_31 said:

And will having my own domain name require me to set up a webserver on the Server PC as opposed to using Apache?

Apache is a web server, so I'm not quite sure what you mean by "as opposed to Apache"? In any case you don't need a web server to make use of a domain name. A domain name simply replaces the IP address as a more friendly alternative, e.g. for SSH.

 

Instead of "ssh user@1.2.3.4" with a domain name you can do "ssh user@hostname.com". No web server needed for this to work, but you still need a domain name from a DNS provider.

Remember to either quote or @mention others, so they are notified of your reply
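Added example, not part of the post above: a small shell audit that checks an sshd_config for the two settings the reply recommends (no root login, key-only authentication). The function names and the sample configs are constructed for illustration, and the script assumes a single-file config with whitespace-separated `Keyword value` lines.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only,
# non-root login. sshd keeps the FIRST value seen for a keyword and keywords
# are case-insensitive; lines after "Match" are conditional, so the scan of
# global settings stops there. Include files are not followed (assumption:
# single-file config); on a live server `sshd -T` prints the resolved values.

# sshd_value FILE KEYWORD DEFAULT: print the effective global value, lowercased
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# audit_sshd FILE: print findings; exit status is the number of findings
audit_sshd() {
    n=0
    # Defaults below are OpenSSH's values when the keyword is absent
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$1" PasswordAuthentication yes)
    pubkey=$(sshd_value "$1" PubkeyAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin=$root (want no)"; n=$((n+1)); }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication=$pass (want no)"; n=$((n+1)); }
    [ "$pubkey" = "yes" ] || { echo "PubkeyAuthentication=$pubkey (want yes)"; n=$((n+1)); }
    return "$n"
}

# Constructed sample configs, written to a temp dir so the script runs offline
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak" <<'EOF'
Port 22
permitrootlogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PubkeyAuthentication no
EOF
cat > "$demo_dir/hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
echo "weak:";     audit_sshd "$demo_dir/weak"     || true
echo "hardened:"; audit_sshd "$demo_dir/hardened" && echo "no findings"
```

The weak sample shows why order matters: the second `PasswordAuthentication no` line does not take effect, because sshd already accepted the earlier `yes`.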


1 hour ago, Eigenvektor said:

With a static IP you can use a regular DNS service instead of DDNS. But you still need to get a domain name from someone, you can't "invent" your own.

 

Apache is a web server, so I'm not quite sure what you mean by "as opposed to Apache"? In any case you don't need a web server to make use of a domain name. A domain name simply replaces the IP address as a more friendly alternative, e.g. for SSH.

Sorry, my wording may have been poor, I realise you cannot just invent a domain but need to buy (well actually rent) a domain name from a domain provider. Your reply has given me a better understanding though and I have looked up the Domain Provider I intend to use and they provide the DNS service for free.

 

And I've just looked up what apache actually is so I now see why my statement would make no sense. I see that I don't need apache to use SSH, but I believe I will need it in order to use the Nextcloud server.

 

Thanks heaps for your help, I should be ready to have a good attempt at this now. 


53 minutes ago, Kurt_31 said:

And I've just looked up what apache actually is so I now see why my statement would make no sense. I see that I don't need apache to use SSH, but I believe I will need it in order to use the Nextcloud server.

Right. OpenSSH is a standalone service (that uses the SSH protocol), so it doesn't need anything else.

 

Nextcloud on the other hand is not a standalone application. It relies on a web server to host its web UI and provide access to its API. This is the case for most applications that run over HTTP(S). Apache is one such web server, but there are others like nginx or IIS.

 

It is rare for a web app to come with a built-in web server (at least these days), because it means it isn't as easy to run it in combination with other web apps you might want to host on the same server (e.g. webmail, blog, forum). So instead most just "plug into" an existing web server (it also means you just need to configure and secure one service instead of a dozen).
