    Securing NextCloud

    IT Discussion
    Tags: nextcloud 12, nextcloud, security, hardening, linux, fedora server, fedora, fedora minimal
    20 Posts 4 Posters 4.3k Views
    • wirestyle22W
      wirestyle22 @zachary715
      last edited by wirestyle22

      @zachary715 definitely fail2ban at the very least.

      Edit: Actually SSL certification as well.

      zachary715Z 1 Reply Last reply Reply Quote 0
      • zachary715Z
        zachary715 @wirestyle22
        last edited by

        @wirestyle22 said in Securing NextCloud:

        @zachary715 fail2ban def

        I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

        wirestyle22W 2 Replies Last reply Reply Quote 0
        • wirestyle22W
          wirestyle22 @zachary715
          last edited by wirestyle22

          @zachary715 said in Securing NextCloud:

          @wirestyle22 said in Securing NextCloud:

          @zachary715 fail2ban def

          I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

          I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working, correct? I usually disable the ability to access the website via http:// as well.

          zachary715Z 1 Reply Last reply Reply Quote 1
          • wirestyle22W
            wirestyle22 @zachary715
            last edited by

            @zachary715

            Give PHP read access to /dev/urandom
            Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

            ^sounds like a great idea although I've never used it myself.

            zachary715Z 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22
              last edited by

              Those security related headers sound pretty neat as well. I might try to harden up my nextcloud instance tonight. Should be fun.

              1 Reply Last reply Reply Quote 0
              • travisdh1T
                travisdh1 @zachary715
                last edited by

                @zachary715 said in Securing NextCloud:

                My question then is for those of you who install Nextcloud regularly, what steps do you consistently take to secure your setups?

                Change SSH port?

                Pointless, really. It takes someone a few seconds at most to find the port being used instead.

                Note: Use key based auth instead of password authentication wherever possible.

                Fail2ban?

                Fail2ban belongs on everything at all times, workstation or server.

                I'd also recommend rkhunter for the server.

                DMZ?

                Not really needed for NextCloud as the entire point is for it to be accessible online. You might want to consider putting a reverse proxy in front of it instead.

                How do your security measures differ (or do they) if installed locally vs colo vs Vultr?

                They don't. Solid security is something I want everywhere. If you've followed @JaredBusch's guide here, that already starts you off on a good footing with selinux remaining enabled.

                1 Reply Last reply Reply Quote 2
                • zachary715Z
                  zachary715 @wirestyle22
                  last edited by

                  @wirestyle22 said in Securing NextCloud:

                  @zachary715 said in Securing NextCloud:

                  @wirestyle22 said in Securing NextCloud:

                  @zachary715 fail2ban def

                  I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                  I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working, correct? I usually disable the ability to access the website via http:// as well.

                  Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                  wirestyle22W 1 Reply Last reply Reply Quote 0
                  • wirestyle22W
                    wirestyle22 @zachary715
                    last edited by wirestyle22

                    @zachary715 said in Securing NextCloud:

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 said in Securing NextCloud:

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 fail2ban def

                    I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                    I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working, correct? I usually disable the ability to access the website via http:// as well.

                    Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                    Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you that vulnerable. I do think that it's worth you learning it though for sure.

                    zachary715Z 1 Reply Last reply Reply Quote 2
                    • zachary715Z
                      zachary715 @wirestyle22
                      last edited by

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715

                      Give PHP read access to /dev/urandom
                      Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                      ^sounds like a great idea although I've never used it myself.

                      How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                      wirestyle22W travisdh1T 2 Replies Last reply Reply Quote 0
                      • wirestyle22W
                        wirestyle22 @zachary715
                        last edited by wirestyle22

                        @zachary715 said in Securing NextCloud:

                        @wirestyle22 said in Securing NextCloud:

                        @zachary715

                        Give PHP read access to /dev/urandom
                        Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                        ^sounds like a great idea although I've never used it myself.

                        How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                        I honestly have no clue as I've never done it before. I will probably attempt this tonight with my Nextcloud server. Create a thread about it.

                        1 Reply Last reply Reply Quote 0
                        • zachary715Z
                          zachary715 @wirestyle22
                          last edited by

                          @wirestyle22 said in Securing NextCloud:

                          @zachary715 said in Securing NextCloud:

                          @wirestyle22 said in Securing NextCloud:

                          @zachary715 said in Securing NextCloud:

                          @wirestyle22 said in Securing NextCloud:

                          @zachary715 fail2ban def

                          I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                          I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working, correct? I usually disable the ability to access the website via http:// as well.

                          Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                          Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                          Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                          wirestyle22W 1 Reply Last reply Reply Quote 1
                          • wirestyle22W
                            wirestyle22 @zachary715
                            last edited by

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 fail2ban def

                            I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                            I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working, correct? I usually disable the ability to access the website via http:// as well.

                            Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                            Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                            Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                            Absolutely

                            1 Reply Last reply Reply Quote 0
                            • black3dynamiteB
                              black3dynamite
                              last edited by

                              You can also set up a reverse proxy server in front of Nextcloud.

                              1 Reply Last reply Reply Quote 0
                              • black3dynamiteB
                                black3dynamite
                                last edited by

                                Install ‘dnf-automatic’ and configure it to automatically update Fedora.

                                1 Reply Last reply Reply Quote 1
                                • travisdh1T
                                  travisdh1 @zachary715
                                  last edited by

                                  @zachary715 said in Securing NextCloud:

                                  @wirestyle22 said in Securing NextCloud:

                                  @zachary715

                                  Give PHP read access to /dev/urandom
                                  Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                                  ^sounds like a great idea although I've never used it myself.

                                  How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                                  You don't. Everything should already have read access to /dev/urandom, you don't need to configure that.

                                  1 Reply Last reply Reply Quote 0
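Added example, not part of any post in this thread: a check for the /dev/urandom question above. The device is normally world-readable, so the setting worth inspecting is a PHP `open_basedir` restriction that does not list it. The function names, the `apache` account and the `/etc/php.ini` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are constructed.
# Usage (assumed account and path): sudo -u apache sh this_script.sh /etc/php.ini

# Print the effective open_basedir value from a php.ini file.
# Lines starting with ";" are comments; the last assignment wins.
# Empty output means PHP applies no path restriction.
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Exit status 0 if path $2 is permitted by the open_basedir value $1.
# Entries are ":"-separated on Linux; each names a directory tree or a file.
# The body runs in a subshell so the IFS and noglob changes do not leak.
path_allowed() (
    [ -z "$1" ] && exit 0
    IFS=:
    set -f
    for entry in $1; do
        [ -z "$entry" ] && continue
        case "$2" in
            "$entry" | "${entry%/}"/*) exit 0 ;;
        esac
    done
    exit 1
)

# Full check: the device exists, this account can read it, and php.ini
# does not fence it off. Run it as the account PHP runs under.
check_urandom() {
    if [ ! -c /dev/urandom ]; then
        echo "FAIL: /dev/urandom is not a character device"
        return 1
    fi
    if ! dd if=/dev/urandom of=/dev/null bs=16 count=1 2>/dev/null; then
        echo "FAIL: $(id -un) cannot read /dev/urandom"
        return 1
    fi
    basedir=$(get_open_basedir "$1")
    if ! path_allowed "$basedir" /dev/urandom; then
        echo "FAIL: open_basedir ($basedir) does not include /dev/urandom"
        return 1
    fi
    echo "OK: /dev/urandom is readable and not blocked by open_basedir"
}

if [ "$#" -gt 0 ]; then
    check_urandom "$1"
fi
```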
                                  • travisdh1T
                                    travisdh1
                                    last edited by

                                    I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                    zachary715Z 1 Reply Last reply Reply Quote 2
                                    • zachary715Z
                                      zachary715 @travisdh1
                                      last edited by

                                      @travisdh1 said in Securing NextCloud:

                                      I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                      Yeah that's where this all started. It only states that I need to...

                                      1. Modify/enable the HSTS header to at least 15552000 seconds
                                      2. PHP OPcache not properly configured and to make changes to the php.ini.

                                      From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                      travisdh1T 1 Reply Last reply Reply Quote 1
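Added example, not part of any post in this thread: a check for the first warning in the post above, that the HSTS header carries a max-age of at least 15552000 seconds. The function names, the Apache `mod_headers` directive in the comment and the `cloud.example.com` host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are constructed.
# Fix on Apache with mod_headers (assumed web server), in the HTTPS vhost:
#   Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
# Live usage (placeholder host): check_hsts "$(curl -sI https://cloud.example.com)"

# Read HTTP response headers on stdin and print the HSTS max-age in seconds.
# Prints nothing when the header or the max-age directive is absent.
# Header and directive names are matched case-insensitively (HTTP/2 sends
# lowercase names) and a quoted value such as max-age="3600" is accepted.
hsts_max_age() {
    tr -d '\r' | awk '
        {
            line = tolower($0)
            if (line !~ /^strict-transport-security[ \t]*:/) next
            sub(/^[^:]*:/, "", line)
            n = split(line, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/[ \t"]/, "", d)
                if (d ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", d)
                    print d
                    break
                }
            }
            exit    # RFC 6797: only the first HSTS header field counts
        }'
}

# $1 = raw response headers, $2 = minimum max-age (default 15552000).
# Returns 0 only when the header is present and long-lived enough.
check_hsts() {
    min=${2:-15552000}
    age=$(printf '%s\n' "$1" | hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no usable Strict-Transport-Security header"
        return 1
    fi
    if [ "$age" -lt "$min" ]; then
        echo "FAIL: max-age=$age is below $min"
        return 1
    fi
    echo "OK: max-age=$age"
}
```

Browsers only honor this header on HTTPS responses, so run the check against the https:// URL rather than the HTTP redirect.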
                                      • travisdh1T
                                        travisdh1 @zachary715
                                        last edited by

                                        @zachary715 said in Securing NextCloud:

                                        @travisdh1 said in Securing NextCloud:

                                        I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                        Yeah that's where this all started. It only states that I need to...

                                        1. Modify/enable the HSTS header to at least 15552000 seconds
                                        2. PHP OPcache not properly configured and to make changes to the php.ini.

                                        From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                        I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                        wirestyle22W 1 Reply Last reply Reply Quote 1
                                        • wirestyle22W
                                          wirestyle22 @travisdh1
                                          last edited by

                                          @travisdh1 said in Securing NextCloud:

                                          @zachary715 said in Securing NextCloud:

                                          @travisdh1 said in Securing NextCloud:

                                          I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                          Yeah that's where this all started. It only states that I need to...

                                          1. Modify/enable the HSTS header to at least 15552000 seconds
                                          2. PHP OPcache not properly configured and to make changes to the php.ini.

                                          From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                          I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                          Nice. Good going @scottalanmiller.

                                          1 Reply Last reply Reply Quote 0