    Securing NextCloud

    IT Discussion
    Tags: nextcloud 12, nextcloud, security, hardening, linux, fedora server, fedora, fedora minimal
    20 Posts 4 Posters 4.3k Views
    • wirestyle22W
      wirestyle22 @zachary715
      last edited by

      @zachary715

      Give PHP read access to /dev/urandom
      Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

      ^sounds like a great idea although I've never used it myself.

      zachary715Z 1 Reply Last reply Reply Quote 0
      • wirestyle22W
        wirestyle22
        last edited by

        Those security related headers sound pretty neat as well. I might try to harden up my nextcloud instance tonight. Should be fun.

        1 Reply Last reply Reply Quote 0
        • travisdh1T
          travisdh1 @zachary715
          last edited by

          @zachary715 said in Securing NextCloud:

          My question then is for those of you who install Nextcloud regularly, what steps do you consistently take to secure your setups?

          Change SSH port?

          Pointless, really. It takes someone a few seconds at most to find the port being used instead.

          Note: Use key-based auth instead of password authentication wherever possible.

          Fail2ban?

          Fail2ban belongs on everything at all times, workstation or server.

          I'd also recommend rkhunter for the server.

          DMZ?

          Not really needed for NextCloud as the entire point is for it to be accessible online. You might want to consider putting a reverse proxy in front of it instead.

          How do your security measures differ (or do they) if installed locally vs colo vs Vultr?

          They don't. Solid security is something I want everywhere. If you've followed @JaredBusch's guide here, that already starts you off on a good footing with selinux remaining enabled.

          1 Reply Last reply Reply Quote 2
          • zachary715Z
            zachary715 @wirestyle22
            last edited by

            @wirestyle22 said in Securing NextCloud:

            @zachary715 said in Securing NextCloud:

            @wirestyle22 said in Securing NextCloud:

            @zachary715 fail2ban def

            I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

            I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

            Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located, and as a noob, I'm not sure where to look.

            wirestyle22W 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22 @zachary715
              last edited by wirestyle22

              @zachary715 said in Securing NextCloud:

              @wirestyle22 said in Securing NextCloud:

              @zachary715 said in Securing NextCloud:

              @wirestyle22 said in Securing NextCloud:

              @zachary715 fail2ban def

              I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

              I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

              Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located, and as a noob, I'm not sure where to look.

              Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you that vulnerable. I do think that it's worth you learning it though for sure.

              zachary715Z 1 Reply Last reply Reply Quote 2
              • zachary715Z
                zachary715 @wirestyle22
                last edited by

                @wirestyle22 said in Securing NextCloud:

                @zachary715

                Give PHP read access to /dev/urandom
                Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                ^sounds like a great idea although I've never used it myself.

                How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                wirestyle22W travisdh1T 2 Replies Last reply Reply Quote 0
                • wirestyle22W
                  wirestyle22 @zachary715
                  last edited by wirestyle22

                  @zachary715 said in Securing NextCloud:

                  @wirestyle22 said in Securing NextCloud:

                  @zachary715

                  Give PHP read access to /dev/urandom
                  Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                  ^sounds like a great idea although I've never used it myself.

                  How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                  I honestly have no clue as I've never done it before. I will probably attempt this tonight with my Nextcloud server. Create a thread about it.

                  1 Reply Last reply Reply Quote 0
                  • zachary715Z
                    zachary715 @wirestyle22
                    last edited by

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 said in Securing NextCloud:

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 said in Securing NextCloud:

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 fail2ban def

                    I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                    I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                    Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located, and as a noob, I'm not sure where to look.

                    Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                    Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                    wirestyle22W 1 Reply Last reply Reply Quote 1
                    • wirestyle22W
                      wirestyle22 @zachary715
                      last edited by

                      @zachary715 said in Securing NextCloud:

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715 said in Securing NextCloud:

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715 said in Securing NextCloud:

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715 fail2ban def

                      I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                      I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                      Correct, SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located, and as a noob, I'm not sure where to look.

                      Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                      Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                      Absolutely

                      1 Reply Last reply Reply Quote 0
                      • black3dynamiteB
                        black3dynamite
                        last edited by

                        You can also set up a reverse proxy server in front of Nextcloud.

                        1 Reply Last reply Reply Quote 0
                        • black3dynamiteB
                          black3dynamite
                          last edited by

                          Install ‘dnf-automatic’ and configure it to automatically update Fedora.

                          1 Reply Last reply Reply Quote 1
                          • travisdh1T
                            travisdh1 @zachary715
                            last edited by

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715

                            Give PHP read access to /dev/urandom
                            Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                            ^sounds like a great idea although I've never used it myself.

                            How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                            You don't. Everything should already have read access to /dev/urandom; you don't need to configure that.

                            1 Reply Last reply Reply Quote 0
                            • travisdh1T
                              travisdh1
                              last edited by

                              I forgot before: you can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                              zachary715Z 1 Reply Last reply Reply Quote 2
                              • zachary715Z
                                zachary715 @travisdh1
                                last edited by

                                @travisdh1 said in Securing NextCloud:

                                I forgot before: you can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                Yeah that's where this all started. It only states that I need to...

                                1. Modify/enable the HSTS header to at least 15552000 seconds
                                2. Fix the PHP OPcache, which is not properly configured, by making changes to the php.ini.

                                From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                travisdh1T 1 Reply Last reply Reply Quote 1
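A read-only checker for the items raised in this thread (the HSTS max-age the admin page asks for, disabled http:// access, /dev/urandom readability from travisdh1's reply, fail2ban, and dnf-automatic), added here as an example; it is not code from the thread, from any of the posters' guides, or from Nextcloud. It assumes curl, GNU stat and systemctl are present on the Fedora host, and the host name passed as the first argument is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nextcloud: a read-only check of the
# hardening items discussed above. $1 is the Nextcloud host name (placeholder value).
# Assumes curl, GNU stat and systemctl are available on the Fedora host.

MIN_HSTS=15552000   # seconds (180 days): the minimum the Nextcloud admin page asks for

# Print the max-age value of a Strict-Transport-Security header line (empty if absent).
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only when the header is present and its max-age reaches MIN_HSTS.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS" ]
}

# Succeed when a raw HTTP response (status line plus headers) is a 30x redirect
# whose Location is an https:// URL, i.e. plain http:// access is disabled.
http_redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/                      { redir = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\//  { loc = 1 }
        END { exit !(redir && loc) }'
}

# An octal mode string is world-readable when its last digit has the read bit (4) set.
mode_world_readable() {
    case "$1" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# /dev/urandom is world-readable by default; this only confirms nobody tightened it.
urandom_readable() {
    [ -c /dev/urandom ] && mode_world_readable "$(stat -c '%a' /dev/urandom)"
}

check_host() {
    host=$1
    hsts_ok "$(curl -sI "https://$host/" | grep -i '^strict-transport-security:')" \
        && echo "ok:   HSTS max-age >= $MIN_HSTS" || echo "FAIL: HSTS header missing or max-age too short"
    http_redirects_to_https "$(curl -sI "http://$host/")" \
        && echo "ok:   http:// redirects to https://" || echo "FAIL: plain http:// is still served"
    urandom_readable && echo "ok:   /dev/urandom readable" || echo "FAIL: /dev/urandom not readable"
    systemctl is-active --quiet fail2ban \
        && echo "ok:   fail2ban running" || echo "FAIL: fail2ban not running"
    systemctl is-enabled --quiet dnf-automatic.timer \
        && echo "ok:   dnf-automatic.timer enabled" || echo "FAIL: dnf-automatic.timer not enabled"
}

if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

Run it as `sh check.sh cloud.example.test` on the Nextcloud host itself; the HSTS and redirect checks work from any machine, the other three need to run locally.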
                                • travisdh1T
                                  travisdh1 @zachary715
                                  last edited by

                                  @zachary715 said in Securing NextCloud:

                                  @travisdh1 said in Securing NextCloud:

                                  I forgot before: you can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                  Yeah that's where this all started. It only states that I need to...

                                  1. Modify/enable the HSTS header to at least 15552000 seconds
                                  2. Fix the PHP OPcache, which is not properly configured, by making changes to the php.ini.

                                  From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                  I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                  wirestyle22W 1 Reply Last reply Reply Quote 1
                                  • wirestyle22W
                                    wirestyle22 @travisdh1
                                    last edited by

                                    @travisdh1 said in Securing NextCloud:

                                    @zachary715 said in Securing NextCloud:

                                    @travisdh1 said in Securing NextCloud:

                                    I forgot before: you can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                    Yeah that's where this all started. It only states that I need to...

                                    1. Modify/enable the HSTS header to at least 15552000 seconds
                                    2. Fix the PHP OPcache, which is not properly configured, by making changes to the php.ini.

                                    From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                    I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                    Nice. Good going @scottalanmiller.

                                    1 Reply Last reply Reply Quote 0