TLDR: I have a specific question I’d like to ask - I am planning to run a NextCloud on Raspberry Pi 4 with JBOD. To access from outside my home network, I will be using a DynDNS system and port forwarding to SSL. Before, I port-forwarded a random high-range port to http internally, but SSL through Let’s Encrypt will not certify this way, sadly. This seems only mediocrely secure, even in my book. Is there some smart solution to make this more secure? I am wondering whether I should set up a VPN on a different machine and only make the NextCloud accessible when accessed through the VPN, but that would make it a hassle to be accessible for project partners. Is there a way to make an SSL system a bit more secure? Sure: long passwords, but other than that?
Thanks for any thoughts!
The backstory: Two months into my Office 365 experience, I have pulled the plug on trying to warm up to OneDrive (for business). While there is one good feature (having unsynced stuff show up locally) in theory, there are also many cumbersome characteristics (e.g., not being able to simply share a folder with someone, but the need to be signed up on the other Office tenant as a guest user and so on). Suffice it to say: I can imagine this to be useful for corporate users, alas - I am not a corporate user. The amount of update emails and configuration sites simply was a tad too much.
So back to NextCloud I come, this time a bit more educated. I bought a Yottamaster 5-bay harddrive enclosure for my JBOD assortment, simply to have it tidied up a bit. Seems to be working nicely and looks better than my wild cable-and-devices-bunch before.
The best bet is to put the Raspi into the DMZ and only allow it to poke through to the JBOD share, although I’d rather use RAID.
Using a high port number doesn’t really bring any notable security. It might take a few seconds longer to find, but it doesn’t make you any less vulnerable.
The important things are that the OS and NextCloud are fully patched and correctly configured, and that any superfluous packages are removed. That brings a lot more than using a different port.
I’d also ensure that snapshots are turned on in the storage device and that you are making regular, rotated backups, at least Monday to Thursday, plus 4 or more rotating Friday backups, for example.
Got it. RAID always feels a bit like black magic to me. I am obviously hopelessly outdated on this, but I once had a bad weekend getting a previously set-up RAID back to work and that was not fun. But I think that’s almost twenty years back now when I tried to make my games run quicker with a stripe RAID (and feared losing savegames, so pretty important stuff). It will be much better today.
Yeah, it kind of felt like that - if someone would really want to spend the time to attack me, it would probably be nothing much. But ok, at least it’s a consolation that it does not really hurt in that way to go SSL and not “random port unencrypted” snakeoil.
Gotcha. Will try to do that. I have to look into the option to auto-update NC. That would be perfect. But other than that, it appeared easier to be kept up to date than OwnCloud - at least IMHO.
Check! I am going to set up a second Raspi with two more drives to rotated-rsync to and make sure to set the snapshots!
I don’t know if you read c’t, but they had a series of articles on how to set up NextCloud and they also have a GitHub script to autobuild and update a NextCloud installation.
Security through obscurity never works, so yeah, we need to make sure that the systems themselves are pretty robust.
Putting aside the discussion about OneDrive for Business being the right choice for you, I would be really cautious about running any service facing the Internet. Especially when you wanna deal with important data, which, in this case, might also be of your partners’.
Such services require constant management and monitoring, and obviously, threat detection solutions. It’s all a matter of cost but doing it right on a small scale could actually be pretty pricey. Unless you’re willing to sacrifice the security.
Does the NextCloud setup allow you to specify the requirement for client certificates? I’ve never used them, but I’m led to assume they’re similar to SSH key-based authentication. It’s not really possible to password guess when you need a certificate to authenticate… (at least the attackers haven’t really decided to waste their time on that approach, yet) Alternatively, if it supported SQRL that would be quite helpful to keep password guessers at bay. Does it, or can it, run fail2ban, or something like it, to put persistent time wasters on a drop list?
Thank you for the reminder. I will try my best. That thought originally brought me to OneDrive. Coming from Dropbox before, I rediscovered the uneasy feeling of having my data somewhere in the cloud as opposed to somewhere in my cabinet. I do appreciate the sentiment. It shall be my challenge.
That’s an excellent thought I shall investigate. Thank you for this! I might even look out for a Yubikey plugin to NextCloud and use that thing. Thanks!
There’s a way round the Let’s Encrypt restrictions of running on 443 and that’s to use domain validation with a TXT record. This assumes you own a domain, that is, and your domain host allows you full control of DNS.
Then when you go through the verification process for Let’s Encrypt you can choose to use a TXT record in your mydomain.com DNS to validate the domain and then you can run your service on any port you wish.
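Added example (not from the thread, and not Let’s Encrypt’s or certbot’s own code) of what sits behind that TXT-record validation: under the ACME protocol (RFC 8555, DNS-01 challenge) the proof is a hash of the challenge token and your ACME account-key thumbprint, published at `_acme-challenge.<domain>`, so nothing about it depends on which port the web service listens on. The token and thumbprint values here are constructed placeholders; the real ones come from the CA and from your account key.

```python
import base64
import hashlib

# Constructed placeholders: a real ACME server issues the token, and the
# thumbprint is derived from your own account key (RFC 7638).
TOKEN = "placeholder-token-issued-by-the-CA"
ACCOUNT_KEY_THUMBPRINT = "placeholder-account-key-thumbprint"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(domain: str, token: str, thumbprint: str):
    """Return (record name, TXT value) the CA expects for a DNS-01 challenge.

    The key authorization is token + "." + thumbprint; for DNS-01 the TXT value
    is the base64url of its SHA-256 digest (RFC 8555, section 8.4).
    """
    key_authz = f"{token}.{thumbprint}".encode("ascii")
    return f"_acme-challenge.{domain}", b64url(hashlib.sha256(key_authz).digest())


def dns01_matches(domain, token, thumbprint, published_txt_values):
    """What the CA's check amounts to: is the expected value among the TXT
    records found at _acme-challenge.<domain>? The DNS lookup itself is left
    out so this runs offline; pass in the values a resolver returned."""
    _, expected = dns01_record(domain, token, thumbprint)
    return expected in published_txt_values
```

Because the CA only ever queries DNS for this record, the Nextcloud host itself need not be reachable on 80 or 443 during issuance; only the renewal job needs a way to update the TXT record.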
That’s interesting to learn - thank you for pointing this out! I’d always expected that changing the port after the fact would be considered a corruption of the SSL certificate and “simply not work”. I’ll consider it. There is so much to be learned about interesting DNS tricks…
I run many services on my pi4 via docker containers. Using something like Nginx Proxy Manager or Traefik will help you set things up properly for external access while remaining secure.
That’s a great idea, but I am completely oblivious to Docker. Just keep hearing about it more and more. Sounds like black magic to me. And since you’re darcmage, I feel somewhat confirmed in thinking so. Do you have a favourite place to start if you’re a Docker newbie?
BTW: welcome to the community and thanks for helping out!
(deleted previously since I always fail to click the right “reply” button)
Docker can be daunting when you first start using it but it’s fairly user friendly even when managed through the command line. I followed this guide when I first started and it looks like it has been kept up to date. After you get it installed, I recommend starting with a few basic containers like rpi-monitor and portainer to help you get the hang of things before moving on to something more advanced like nextcloud.
And thanks for the welcome, “long time listener, first time caller”
P.S.: YouTube has many helpful tutorials on Docker and most of the containers you’ll probably end up installing. This looks like a good place to start.
I am not an expert and all this could be insecure/wrong…
I run Fail2ban on my Pi Nextcloud server. It is installed separately from Nextcloud from the sudo apt command on the Pi.
From a previous thread on TWIT if you install NextcloudPi, which is a sort of pre-configured complete Pi/Nextcloud image https://ownyourbits.com/nextcloudpi/#content_start it installs Fail2Ban and a Let’s Encrypt SSL cert for you and in theory gives you an out of box “secure” setup. I have not used NextcloudPi as I installed everything separately LAMP/Fail2Ban/Nextcloud/Let’s Encrypt etc.
Nextcloud also has a brute force protection built in. And 2FA options, if required. Under Settings -> Security.
I have an OPNsense (pfSense fork) https://opnsense.org/ box I built again with IDS/IPS, which my servers are behind. My Nextcloud installation does not get much abuse reaching it (that I’m aware of, that is). On the other hand my email server is always under attack. If you do not mind ProofPoint getting attack data from your OPNsense box then you can get the ETPRO rules for free. They call it the ET Pro Telemetry edition but it seems the same from what I have seen. https://shop.opnsense.com/
Just make sure all passwords are good and keep up to date with patches. Nextcloud also has a good config for password hardness and also checks https://haveibeenpwned.com/ for any chosen combo if required. Under Settings -> Security.
The only issue I ever had was when experimenting with phpMyAdmin and I used a simple password… Luckily I was looking through the server logs and saw a brute force attack taking place and the intruder getting in. I nuked the install and used a backup image. Remember Fail2Ban only works on the modules you enable/add and configure properly. My understanding is that it checks logs for errors/strings indicating errors and bans. So if you only have the SSH module activated then Apache would be wide open to attack.
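An added example, not from the thread and not Fail2Ban’s or Nextcloud’s own code, of what the point above about enabled modules means in practice: a Fail2Ban jail is just a regex (the filter) run over an application’s log plus two counters (maxretry within findtime). The script below does the same job in Python over constructed sample lines modelled on Nextcloud’s JSON nextcloud.log; the addresses, user names and timestamps are made up, and the `Login failed: ... (Remote IP: ...)` message shape is assumed to match what a Nextcloud filter keys on.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of nextcloud.log (one JSON object per line). Made-up IPs
# and users; one junk line is included to show that non-matching lines are
# simply ignored, exactly as a jail ignores log lines its filter cannot parse.
SAMPLE_LOG = """
{"reqId":"r1","level":2,"time":"2021-05-01T10:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
{"reqId":"r2","level":2,"time":"2021-05-01T10:00:05+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
{"reqId":"r3","level":2,"time":"2021-05-01T10:00:09+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
not valid json at all
{"reqId":"r4","level":2,"time":"2021-05-01T10:00:12+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')"}
{"reqId":"r5","level":1,"time":"2021-05-01T10:05:00+00:00","remoteAddr":"192.0.2.9","user":"bob","app":"core","method":"POST","url":"/login","message":"Login successful"}
{"reqId":"r6","level":2,"time":"2021-05-01T10:30:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
{"reqId":"r7","level":2,"time":"2021-05-01T10:30:03+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
"""

# Python form of a filter's failregex. With no regex that matches the
# application's own log format, a jail has nothing to act on.
FAILED_LOGIN = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)")


def failed_logins(log_text):
    """Map source IP -> sorted timestamps of failed logins found in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON lines carry no login event
        m = FAILED_LOGIN.search(entry.get("message", ""))
        if m:
            hits[m.group("ip")].append(datetime.fromisoformat(entry["time"]))
    return {ip: sorted(ts) for ip, ts in hits.items()}


def ips_to_ban(log_text, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window,
    which is how a jail's maxretry/findtime parameters decide on a ban."""
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, times in failed_logins(log_text).items():
        for i, t in enumerate(times):
            if len([u for u in times[: i + 1] if t - u <= window]) >= maxretry:
                banned.add(ip)
                break
    return sorted(banned)
```

With the defaults, 203.0.113.5 (three failures in eleven seconds) is banned while 198.51.100.7 is not, because its first failure falls outside the ten-minute window of the later two; widening findtime changes that, which is why those two numbers deserve as much attention as enabling the jail at all.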
Wow - very cool - thank you very much! This comes close to a tutorial. Happy to report that I actually did go the NextcloudPi route and ticked about every box from Fail2Ban to Let’s Encrypt, updates, etc. I’ll go through your comment with a fine comb and see whether I missed a good idea. Much appreciated, in any case! Have a good weekend!
I have just come across this from Ubuntu. They have “Appliance Images” and installation instructions. This page lets you pick your appliance, like a Pi or a NUC. Firing up a VM now to test! https://ubuntu.com/appliance/nextcloud