Securing NextCloud

wirestyle22

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:\\ as well.

Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you that vulnerable. I do think that it's worth you learning it though for sure.

zachary715

@wirestyle22 said in Securing NextCloud:

@zachary715

Give PHP read access to /dev/urandom
Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

^sounds like a great idea although I've never used it myself.

How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

wirestyle22

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715

Give PHP read access to /dev/urandom
Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

^sounds like a great idea although I've never used it myself.

How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

I honestly have no clue as I've never done it before. I will probably attempt this tonight with my Nextcloud server. Create a thread about it.

zachary715

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:\\ as well.

Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one things to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

wirestyle22

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715 fail2ban def

I have installed in and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:\\ as well.

Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one things to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

Absolutely

black3dynamite

You can also setup reverse proxy server in front of Nextcloud.

black3dynamite

Install ‘dnf-automatic’ and configure it to automatically update Fedora.

travisdh1

@zachary715 said in Securing NextCloud:

@wirestyle22 said in Securing NextCloud:

@zachary715

Give PHP read access to /dev/urandom
Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

^sounds like a great idea although I've never used it myself.

How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

You don't. Everything should already have read access to /dev/urandom, you don't need to configure that.

travisdh1

I forgot before: You can also login to the admin interface and looking at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

zachary715

@travisdh1 said in Securing NextCloud:

I forgot before: You can also login to the admin interface and looking at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

Yeah that's where this all started. It only states that I need to...

1. Modify/enable the HSTS header to at least 15552000 seconds
2. PHP OPcache not properly configured and to make changes to the php.ini.

From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

travisdh1

@zachary715 said in Securing NextCloud:

@travisdh1 said in Securing NextCloud:

I forgot before: You can also login to the admin interface and looking at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

Yeah that's where this all started. It only states that I need to...

1. Modify/enable the HSTS header to at least 15552000 seconds
2. PHP OPcache not properly configured and to make changes to the php.ini.

From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

wirestyle22

@travisdh1 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@travisdh1 said in Securing NextCloud:

I forgot before: You can also login to the admin interface and looking at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

Yeah that's where this all started. It only states that I need to...

1. Modify/enable the HSTS header to at least 15552000 seconds
2. PHP OPcache not properly configured and to make changes to the php.ini.

From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

Nice. Good going @scottalanmiller.