LinuxQuestions.org
Old 09-14-2014, 05:34 PM   #1
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Rep: Reputation: Disabled
Safe storage solutions? Owncloud? sftp? ideas and advice?


I'm new to Linux and I'm trying to secure my VPS. I've installed all the basics on it, but I still don't feel like it's secure enough; I constantly see bots/people trying to gain access to my server. I'm wondering if there's anyone else out there that uses their VPS for a storage solution.

What I'm going to use it for: I need to store work documents/Photoshop stuff on it, mainly nothing financial, but I mainly just need security that my files will not be taken, because it will have information regarding upcoming events not to be released to the public yet. I will mainly be accessing these files and changing them, like Photoshop files.

What I've been thinking of using is ownCloud, because it can just sync all my changes to the Photoshop files. But I'm concerned about the security of it if someone gains access to my VPS. Even if I have encryption enabled, the user keys are on the server anyway, so people can just decrypt the files... or am I wrong?

Thanks.
 
Old 09-14-2014, 05:45 PM   #2
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
A correctly configured passwordless ssh/sftp server is the safest choice if safety is what you're after... The most common way to have things stolen from you is from unencrypted transmissions over the internet or even the LAN..

And no, private user keys shouldn't be on the server, and the host providing you with the VPS shouldn't have any way to decrypt them, but there are harder ways for them.. Anyway, I would worry about them...

Last edited by Smokey_justme; 09-14-2014 at 05:49 PM.
 
Old 09-14-2014, 05:49 PM   #3
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hmm, for sftp, is there any software that auto-updates on only changes to certain files?
 
Old 09-14-2014, 07:07 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by lin_ux View Post
I've installed all the basics on it but I still don't feel like it's secure enough
Maybe you should tell us what those basics are.
 
Old 09-14-2014, 07:34 PM   #5
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
Sorry about that.

Basically Fail2ban, set up for 3 tries then a 1 hr ban. Disabled root access, set up Google 2-factor authenticator, set up ufw, and that's about it =/. ownCloud is currently installed and encryption is turned on, but I read that if people were to access the server they can access the files anyway, since the decryption key is on the server itself.
 
Old 09-14-2014, 07:53 PM   #6
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
No.. but if the live system is to be compromised, encryption wouldn't really matter, would it!? File system encryption is good for laptops or stuff like that (btw, are you talking about some ownCloud encryption or a complete filesystem encryption)... What you must focus on is the ownCloud installation... If you use it to store your files and that installation gets compromised, then you're pretty much screwed.. Also, at least be sure to use https.. The biggest threat still remains unencrypted transmission of data.
 
Old 09-14-2014, 08:01 PM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by lin_ux View Post
I constantly see bots/people trying to gain access to my server.
This is somewhat 'normal' in today's day and age on the 'net.
Quote:
Originally Posted by lin_ux View Post
3 tries then 1 hr ban
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.

Quote:
Originally Posted by lin_ux View Post
I read that if people were to access the server they can access the files anyway, since the decryption key is on the server itself
That is what the encryption doc says; is that the same reference you read and are referring to?

I use the explicitly allowed technique for protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work (I don't advocate doing personal stuff on company assets, best to not 'go there').

deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>

fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
 
Old 09-14-2014, 08:25 PM   #8
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by Habitual View Post
This is somewhat 'normal' in today's day and age on the 'net.
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.
Don't do that without a "backdoor" plan... Not even with keys... It's way too easy to lock yourself out by mistake or by a curious neighbour who monitors your wifi, etc..

Quote:
That is what the encryption doc says; is that the same reference you read and are referring to?
If this is indeed what you are referring to, then you need to take a little time and play with it.. I don't really understand if the private key is further encrypted with your password (in which case it's safe) or not... And see what happens if you remove the recovery-key from the server and put it there only when you need it..

But that still doesn't protect you if someone manages to steal your credentials somehow (again.. https only, I hope)..

Quote:
I use the explicitly allowed technique for protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work (I don't advocate doing personal stuff on company assets, best to not 'go there').

deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>

fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
Yes, if you can do this.. do it .. However, in practice, it's hard and since the OP has ownCloud I presume he won't access his cloud only from his home (or, maybe, like me, he doesn't have a static IP)...

To be honest.. I would only allow 127.0.0.1 to access the web-server and then use the ssh server as a SOCKS proxy for my browser to access the data if it's that important.. That way you have only one good and secure service to protect (SSH) and encryption and all others are just bonuses..
 
Old 09-15-2014, 09:27 AM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Smokey_justme View Post
Don't do that without a "backdoor" plan... Not even with keys...
My backdoor plan is
Code:
ignoreip = 127.0.0.1/8 my_ip.address/32
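
Added example (not part of any post in this thread, and not fail2ban's own code): a simplified Python model of the two ban policies discussed above, 3 tries / 1 hour versus 1 try / 1 year, and of the `ignoreip` whitelist, showing how the strict policy bans the owner after one typo unless their address is whitelisted. The log lines, the documentation-range addresses and the `simulate` function are constructed for illustration; the 600-second counting window is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Sep 14 17:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep 14 17:00:04 vps sshd[2103]: Failed password for root from 203.0.113.7 port 40118 ssh2
Sep 14 17:00:09 vps sshd[2107]: Failed password for root from 203.0.113.7 port 40125 ssh2
Sep 14 17:20:30 vps sshd[2150]: Failed password for lin from 198.51.100.20 port 51514 ssh2
Sep 14 17:20:41 vps sshd[2152]: Accepted password for lin from 198.51.100.20 port 51520 ssh2
Sep 14 17:45:00 vps sshd[2201]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
""".splitlines()

# Captures the syslog timestamp and the source address of a failed password login.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(lines, maxretry, bantime, findtime=600, ignoreip=(), year=2014):
    """Return {ip: (banned_at, banned_until)} under a simplified ban policy."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)  # ip -> failure times still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignored):
            continue  # whitelisted source: never counted, never banned
        key = str(ip)
        if key in bans and when < bans[key][1]:
            continue  # ban still active, nothing more to record
        window = [t for t in recent[key] if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        recent[key] = window
        if len(window) >= maxretry:
            bans[key] = (when, when + timedelta(seconds=bantime))
            recent[key] = []
    return bans

if __name__ == "__main__":
    print(sorted(simulate(SAMPLE_LOG, maxretry=3, bantime=3600)))
    print(sorted(simulate(SAMPLE_LOG, maxretry=1, bantime=365 * 86400)))
```

In the sample, 198.51.100.20 plays the owner who mistypes once and then logs in: the 3-try policy leaves that address alone, the 1-try policy bans it for a year, and adding it to `ignoreip` restores access.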
 
Old 09-15-2014, 09:43 AM   #10
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
This is somewhat 'normal' in today's day and age on the 'net.
I take a less forgiving approach, 1 try and a 1 year ban. I examine my log files religiously.

That is what the encryption doc says; is that the same reference you read and are referring to?

I use the explicitly allowed technique for protecting what is mine. Deny from all and allow from known_IPs, where IP0 may be the house, IP1 may be the laptop, IP2 may be a static IP at work (I don't advocate doing personal stuff on company assets, best to not 'go there').

deny from all
allow from <your_ip0>
allow from <your_ip1>
allow from <your_ip2>

fail2ban is good on a default install. Have you done much beyond that to inhibit or prevent these bots?
Ah yes, that's where I read about the encryption in ownCloud. That's why I was worried about using it for storing my work files. But it just provided such ease of access/resync of files. I haven't done anything else to prevent the bots.

Quote:
Originally Posted by Habitual View Post
My backdoor plan is
Code:
ignoreip = 127.0.0.1/8 my_ip.address/32
I can also log in via my VPS company's control panel; from there I can just log in as root, etc. I will be changing that password to something 20 characters long, because if someone guesses my email+password they would gain access to my server with root anyway. I was thinking of setting up a VPN on the VPS.

So I guess in the end the best practice is just to avoid ownCloud: remove root access, set stricter fail2ban settings and do ssh/sftp.

Last edited by lin_ux; 09-15-2014 at 09:57 AM.
 
Old 09-15-2014, 09:58 AM   #11
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Just encrypt your stuff before uploading and owncloud encryption?
 
Old 09-15-2014, 10:19 AM   #12
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
Just encrypt your stuff before uploading and owncloud encryption?
Sorry, a bit new to encrypting. My folder of files is about 50 GB atm; how should I go about encrypting things?
 
Old 09-15-2014, 10:32 AM   #13
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by lin_ux View Post
how should I go about encrypting things..
Since you're new to Linux, I would rely on http://doc.owncloud.org/server/6.0/a...es_encryption/ and secure access to your owncloud installation.
 
Old 09-15-2014, 11:14 AM   #14
lin_ux
LQ Newbie
 
Registered: Sep 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
Oh yes, ATM I do have ownCloud encryption on; I'm just worried that if someone gained root access to my server somehow, can they possibly view those files on ownCloud even with ownCloud encryption?

Last edited by lin_ux; 09-15-2014 at 11:16 AM.
 
Old 09-15-2014, 03:12 PM   #15
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
The user’s password is used as the key to decrypt their data. This means that if the user loses their login password, data will be lost.
It appears to me that a combination of the encryption key PLUS the user's password is used to en|decrypt files stored in owncloud.

If someone has root on your box, you have bigger fish to fry than owncloud-stored files.

So, unless owncloud stores users' passwords in the database in clear text (doubt it, someone would have screamed to high Heaven by now),
and having root and access to the files...

So, we can take away from this exercise:
1.) You have secured access to the box in a satisfactory manner.
2.) You have owncloud encryption ON.

You should be good.

But don't take my word for it. Try to acquire an encrypted file yourself (without using your owncloud user password) and try to open it.

Last edited by Habitual; 09-15-2014 at 03:15 PM.
 
  

