
    Securing NextCloud

    IT Discussion
    nextcloud 12 nextcloud security hardening linux fedora server fedora fedora minimal
    • zachary715Z
      zachary715
      last edited by

      I have successfully installed Nextcloud thanks to the plethora of great content available from community members. The next step for me is how do I secure it? For that, Nextcloud has a great document found HERE which details some steps you can take to better secure it. As a Linux noob, I don't have much of a clue as to how to even accomplish some of these things.

      My question then is for those of you who install Nextcloud regularly, what steps do you consistently take to secure your setups? Change SSH port? Fail2ban? DMZ? How do your security measures differ (or do they) if installed locally vs colo vs Vultr? Any steps given on what you do would be appreciated as a learning tool for myself and others who come across this.

      wirestyle22W travisdh1T 2 Replies Last reply Reply Quote 0
      • wirestyle22W
        wirestyle22 @zachary715
        last edited by wirestyle22

        @zachary715 definitely fail2ban at the very least.

        Edit: Actually SSL certification as well.

        zachary715Z 1 Reply Last reply Reply Quote 0
        • zachary715Z
          zachary715 @wirestyle22
          last edited by

          @wirestyle22 said in Securing NextCloud:

          @zachary715 fail2ban def

          I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

          wirestyle22W 2 Replies Last reply Reply Quote 0
          • wirestyle22W
            wirestyle22 @zachary715
            last edited by wirestyle22

            @zachary715 said in Securing NextCloud:

            @wirestyle22 said in Securing NextCloud:

            @zachary715 fail2ban def

            I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

            I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

            zachary715Z 1 Reply Last reply Reply Quote 1
            • wirestyle22W
              wirestyle22 @zachary715
              last edited by

              @zachary715

              Give PHP read access to /dev/urandom
              Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

              ^sounds like a great idea although I've never used it myself.

              zachary715Z 1 Reply Last reply Reply Quote 0
              • wirestyle22W
                wirestyle22
                last edited by

                Those security related headers sound pretty neat as well. I might try to harden up my nextcloud instance tonight. Should be fun.

                1 Reply Last reply Reply Quote 0
                • travisdh1T
                  travisdh1 @zachary715
                  last edited by

                  @zachary715 said in Securing NextCloud:

                  My question then is for those of you who install Nextcloud regularly, what steps do you consistently take to secure your setups?

                  Change SSH port?

                  Pointless, really. It takes someone a few seconds at most to find the port being used instead.

                  Note: Use key based auth instead of password authentication wherever possible.

                  Fail2ban?

                  Fail2ban belongs on everything at all times, workstation or server.

                  I'd also recommend rkhunter for the server.

                  DMZ?

                  Not really needed for NextCloud as the entire point is for it to be accessible online. You might want to consider putting a reverse proxy in front of it instead.

                  How do your security measures differ (or do they) if installed locally vs colo vs Vultr?

                  They don't. Solid security is something I want everywhere. If you've followed @JaredBusch's guide here, that already starts you off on a good footing with selinux remaining enabled.

                  1 Reply Last reply Reply Quote 2
                  • zachary715Z
                    zachary715 @wirestyle22
                    last edited by

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 said in Securing NextCloud:

                    @wirestyle22 said in Securing NextCloud:

                    @zachary715 fail2ban def

                    I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                    I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                    Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                    wirestyle22W 1 Reply Last reply Reply Quote 0
                    • wirestyle22W
                      wirestyle22 @zachary715
                      last edited by wirestyle22

                      @zachary715 said in Securing NextCloud:

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715 said in Securing NextCloud:

                      @wirestyle22 said in Securing NextCloud:

                      @zachary715 fail2ban def

                      I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                      I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                      Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                      Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you that vulnerable. I do think that it's worth you learning it though for sure.

                      zachary715Z 1 Reply Last reply Reply Quote 2
                      • zachary715Z
                        zachary715 @wirestyle22
                        last edited by

                        @wirestyle22 said in Securing NextCloud:

                        @zachary715

                        Give PHP read access to /dev/urandom
                        Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                        ^sounds like a great idea although I've never used it myself.

                        How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                        wirestyle22W travisdh1T 2 Replies Last reply Reply Quote 0
                        • wirestyle22W
                          wirestyle22 @zachary715
                          last edited by wirestyle22

                          @zachary715 said in Securing NextCloud:

                          @wirestyle22 said in Securing NextCloud:

                          @zachary715

                          Give PHP read access to /dev/urandom
                          Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                          ^sounds like a great idea although I've never used it myself.

                          How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                          I honestly have no clue as I've never done it before. I will probably attempt this tonight with my Nextcloud server. Create a thread about it.

                          1 Reply Last reply Reply Quote 0
                          • zachary715Z
                            zachary715 @wirestyle22
                            last edited by

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 said in Securing NextCloud:

                            @wirestyle22 said in Securing NextCloud:

                            @zachary715 fail2ban def

                            I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                            I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                            Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                            Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                            Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                            wirestyle22W 1 Reply Last reply Reply Quote 1
                            • wirestyle22W
                              wirestyle22 @zachary715
                              last edited by

                              @zachary715 said in Securing NextCloud:

                              @wirestyle22 said in Securing NextCloud:

                              @zachary715 said in Securing NextCloud:

                              @wirestyle22 said in Securing NextCloud:

                              @zachary715 said in Securing NextCloud:

                              @wirestyle22 said in Securing NextCloud:

                              @zachary715 fail2ban def

                              I have installed it and enabled it, but for now that is it. Are there any specific config changes you typically make beyond what is default?

                              I assume you followed @JaredBusch's guide like I did. Having selinux and fail2ban is a good start. You got SSL working correct? I usually disable the ability to access the website via http:// as well.

                              Correct SSL and disabling http:// access were part of his guide. I'm trying to work my way through the hardening guide now, but it's requiring a lot of Google as it doesn't specify exactly where some of the files I need to edit are located and as a noob, I'm not sure where to look.

                              Well one thing I'll tell you is to not be discouraged. Everyone feels that way. You should pick one thing to do on that list and then make a thread only about that thing. People will help you. I'd post more about it but honestly you've already done what I'm familiar with. Although you shouldn't think that your Nextcloud server is not secure. @JaredBusch would never put a guide out that left you vulnerable. I do think that it's worth you learning it though for sure.

                              Oh no this is all just learning for me. Yeah I'll use this Nextcloud for personal use, but I'm trying to learn it in case I ever want to implement on a business level. If I were, I'd want it as secure as possible therefore this will just help me learn some security principles as well as just navigating Linux in general.

                              Absolutely

                              1 Reply Last reply Reply Quote 0
                              • black3dynamiteB
                                black3dynamite
                                last edited by

                                You can also set up a reverse proxy server in front of Nextcloud.

                                1 Reply Last reply Reply Quote 0
                                • black3dynamiteB
                                  black3dynamite
                                  last edited by

                                  Install ‘dnf-automatic’ and configure it to automatically update Fedora.

                                  1 Reply Last reply Reply Quote 1
                                  • travisdh1T
                                    travisdh1 @zachary715
                                    last edited by

                                    @zachary715 said in Securing NextCloud:

                                    @wirestyle22 said in Securing NextCloud:

                                    @zachary715

                                    Give PHP read access to /dev/urandom
                                    Nextcloud uses a RFC 4086 (“Randomness Requirements for Security”) compliant mixer to generate cryptographically secure pseudo-random numbers. This means that when generating a random number Nextcloud will request multiple random numbers from different sources and derive from these the final random number.

                                    ^sounds like a great idea although I've never used it myself.

                                    How would I execute this? Something like chmod xxx php /dev/urandom? Or am I needing to actually modify some config.php file?

                                    You don't. Everything should already have read access to /dev/urandom, you don't need to configure that.

                                    1 Reply Last reply Reply Quote 0
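One way to confirm the answer above on your own server, as an added example that is not part of the original posts: it checks that the current account can read `/dev/urandom` and that a PHP `open_basedir` value does not exclude it. Assumptions: `open_basedir` (the php.ini setting that confines PHP file access) is not mentioned in the thread, and `apache` is taken to be the web server account on Fedora.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the account running PHP
# can read /dev/urandom. Run it as the web server user, for instance
# `sudo -u apache sh check.sh` ("apache" is an assumption for Fedora httpd).

# can_read_random [PATH]: succeed when PATH is a character device that this
# account can actually read 16 bytes from.
can_read_random() {
    dev=${1:-/dev/urandom}
    [ -c "$dev" ] || { echo "FAIL: $dev is not a character device"; return 1; }
    [ -r "$dev" ] || { echo "FAIL: $dev is not readable by $(id -un)"; return 1; }
    got=$(dd if="$dev" bs=16 count=1 2>/dev/null | wc -c)
    [ "$got" -eq 16 ] || { echo "FAIL: short read from $dev"; return 1; }
    echo "OK: $(id -un) can read $dev"
}

# basedir_allows VALUE PATH: conservative check of a PHP open_basedir value.
# An empty value means no restriction; otherwise PATH must equal an entry or
# sit below one. PHP also accepts bare prefixes, which this check ignores, so
# it can warn needlessly but never reports a blocked path as allowed.
basedir_allows() {
    [ -n "$1" ] || return 0
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        IFS=$old_ifs
        case $entry in
            "") continue ;;            # stray empty entry, e.g. "a::b"
            /)  entry= ;;              # root covers every absolute path
            *)  entry=${entry%/} ;;    # "/dev/" and "/dev" are equivalent here
        esac
        case "$2" in
            "$entry"|"$entry"/*) return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

can_read_random || true

# The CLI may load a different php.ini than mod_php or php-fpm, so treat this
# value as a hint and check the web-facing configuration as well.
if command -v php >/dev/null 2>&1; then
    value=$(php -r 'echo ini_get("open_basedir");')
    basedir_allows "$value" /dev/urandom ||
        echo "WARN: open_basedir excludes /dev/urandom: $value"
fi
```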
                                    • travisdh1T
                                      travisdh1
                                      last edited by

                                      I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                      zachary715Z 1 Reply Last reply Reply Quote 2
                                      • zachary715Z
                                        zachary715 @travisdh1
                                        last edited by

                                        @travisdh1 said in Securing NextCloud:

                                        I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                        Yeah that's where this all started. It only states that I need to...

                                        1. Modify/enable the HSTS header to at least 15552000 seconds
                                        2. PHP OPcache not properly configured and to make changes to the php.ini.

                                        From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                        travisdh1T 1 Reply Last reply Reply Quote 1
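The HSTS item in the post above can be checked from the command line. This is an added example, not part of the original post: the sample responses are constructed and the hostname in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate a Strict-Transport-Security
# header against the 15552000-second minimum quoted from the settings page.
HSTS_MIN_AGE=15552000

# hsts_from_headers: read raw response headers on stdin and print the value
# of the first Strict-Transport-Security header (names are case-insensitive).
hsts_from_headers() {
    tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# hsts_max_age VALUE: print the max-age in seconds; fail when the directive
# is missing or is not a plain integer. Directives are ';'-separated, their
# names are case-insensitive and the value may be quoted.
hsts_max_age() {
    secs=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' |
        sed -n 's/^[[:space:]]*max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' |
        head -n 1)
    [ -n "$secs" ] || return 1
    printf '%s\n' "$secs"
}

# hsts_check VALUE: print a verdict; succeed only at or above the minimum.
hsts_check() {
    [ -n "$1" ] || { echo "FAIL: header not sent"; return 1; }
    age=$(hsts_max_age "$1") || { echo "FAIL: no valid max-age in '$1'"; return 1; }
    [ "$age" -ge "$HSTS_MIN_AGE" ] ||
        { echo "FAIL: max-age=$age is below $HSTS_MIN_AGE"; return 1; }
    echo "PASS: max-age=$age"
}

# Constructed sample responses ('|' stands in for a line break).
for sample in \
    'HTTP/1.1 200 OK|Strict-Transport-Security: max-age=15552000; includeSubDomains' \
    'HTTP/1.1 200 OK|strict-transport-security: max-age=300' \
    'HTTP/1.1 200 OK|Content-Type: text/html'
do
    value=$(printf '%s\n' "$sample" | tr '|' '\n' | hsts_from_headers)
    hsts_check "$value" || true
done

# Against a live server (placeholder hostname):
#   hsts_check "$(curl -sI https://cloud.example.com | hsts_from_headers)"
```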
                                        • travisdh1T
                                          travisdh1 @zachary715
                                          last edited by

                                          @zachary715 said in Securing NextCloud:

                                          @travisdh1 said in Securing NextCloud:

                                          I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                          Yeah that's where this all started. It only states that I need to...

                                          1. Modify/enable the HSTS header to at least 15552000 seconds
                                          2. PHP OPcache not properly configured and to make changes to the php.ini.

                                          From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                          I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                          wirestyle22W 1 Reply Last reply Reply Quote 1
                                          • wirestyle22W
                                            wirestyle22 @travisdh1
                                            last edited by

                                            @travisdh1 said in Securing NextCloud:

                                            @zachary715 said in Securing NextCloud:

                                            @travisdh1 said in Securing NextCloud:

                                            I forgot before: You can also log in to the admin interface and look at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

                                            Yeah that's where this all started. It only states that I need to...

                                            1. Modify/enable the HSTS header to at least 15552000 seconds
                                            2. PHP OPcache not properly configured and to make changes to the php.ini.

                                            From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

                                            I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

                                            Nice. Good going @scottalanmiller.

                                            1 Reply Last reply Reply Quote 0