I have installed NextCloud AIO (version 31.0.9.1) on a laptop at home that’s running Linux Mint. I set up 2FA for all users except a guest account (which I plan to delete), and also updated the built-in brute force protection app to activate after 3 failed login attempts. My server has an A+ security rating, and I also plan to set up daily backups.
However, I’m noticing lots of discussion online about the potential risks of forwarding ports 80 and 443. It is a bit disconcerting to know that anyone in the world could make it to the login page of my server. However, I also feel that having 2FA, strong passwords, and brute-force protection in place should mitigate this risk. Plus, the benefits of a publicly-accessible server (e.g. easy link sharing with other people) may outweigh the costs in my case.
I’m also considering making my server available only (1) on my local network or (2) via Wireguard, but perhaps that’s not necessary?
A few specific questions:
I saw advice online to harden one’s ports via a reverse proxy, but the AIO documentation suggests that this isn’t necessary. Would implementing a reverse proxy make my AIO setup any safer than it already is?
I’ve also seen discussions of the benefits of a DMZ for web servers. Would setting up such a DMZ increase the security of my deployment? The Linux laptop on which NextCloud is running is being used almost exclusively for NextCloud (though I’m also running an hourly Python script on it).
Please also see the admin guide; it gives you more details.
It also contains a section concerning Let's Encrypt, which additionally uses port 80. Any other access to port 80 is redirected to port 443 (SSL) on the Nextcloud.
Thanks for the link and the clarification about Port 80! It seems like many of the security tips it provides pertain to a more custom-built version of NextCloud rather than the AIO version. But I could be mistaken.
Sure, there are brute force attacks like admin/admin to gain access to a system to send spam mails or something. Or my first TeamSpeak server was "captured" by some nice guys that I had funny talks with afterwards. But your Nextcloud instance that has brute force protection and 2FA? Nothing I personally would worry about.
It of course also depends on your use case. If you want to share files with anyone outside your network, or with someone you don't want to let into your network via VPN, then you'll have to make it available on the Internet. Otherwise I'd prefer making it available only on your network/VPN.
Secure passwords/2FA/… help secure your accounts but won't help against vulnerabilities in the software itself. So it's always a good idea to reduce the attack surface and only make a service available to the Internet if it's really needed.
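The threshold from the first post (lock down after 3 failed attempts) and the "admin/admin" style attempts mentioned above are easy to make visible from the server's own log. The following is an added example, not Nextcloud's or the AIO project's code: it reads nextcloud.log-style JSON lines (the sample entries are constructed and assume `time`, `remoteAddr` and a message beginning with `Login failed:`), counts failures per source address inside a sliding time window, and reports which usernames each source tried, so a single-account brute force can be told apart from password spraying across accounts.

```python
"""Flag source addresses with repeated failed Nextcloud logins.

Added example, not Nextcloud's own code. Assumes the JSON-lines layout of
nextcloud.log with "time", "remoteAddr" and "message" fields and a message
that starts with "Login failed:"; the sample lines below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of nextcloud.log entries, trimmed to the fields this
# script reads (real entries carry more, e.g. reqId, app, userAgent).
SAMPLE_LOG = """\
{"level":2,"time":"2025-01-10T08:00:01+00:00","remoteAddr":"203.0.113.7","message":"Login failed: admin (Remote IP: 203.0.113.7)"}
{"level":2,"time":"2025-01-10T08:00:03+00:00","remoteAddr":"203.0.113.7","message":"Login failed: admin (Remote IP: 203.0.113.7)"}
{"level":2,"time":"2025-01-10T08:00:04+00:00","remoteAddr":"203.0.113.7","message":"Login failed: root (Remote IP: 203.0.113.7)"}
{"level":2,"time":"2025-01-10T08:00:06+00:00","remoteAddr":"203.0.113.7","message":"Login failed: guest (Remote IP: 203.0.113.7)"}
{"level":1,"time":"2025-01-10T08:05:00+00:00","remoteAddr":"192.168.1.20","message":"Login failed: alice (Remote IP: 192.168.1.20)"}
{"level":1,"time":"2025-01-10T08:06:00+00:00","remoteAddr":"192.168.1.20","message":"Constructed noise line: background job finished"}
this line is deliberately not JSON and must be skipped
"""


def parse_failed_logins(log_text):
    """Yield (timestamp, remote_addr, username) for each failed-login entry."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        msg = entry.get("message", "")
        if not msg.startswith("Login failed:"):
            continue
        # "Login failed: <user> (Remote IP: ...)" -> keep only the username
        user = msg[len("Login failed:"):].split("(")[0].strip()
        ts = datetime.fromisoformat(entry["time"])
        yield ts, entry.get("remoteAddr", "?"), user


def flag_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: (max failures within one window, sorted usernames tried)}
    for every source whose failures in some `window` reach `threshold`.

    A sliding window per address is used so that a burst of attempts is
    distinguished from an occasional mistyped password spread over hours.
    """
    times_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, ip, user in events:
        times_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        worst, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = (worst, sorted(users_by_ip[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in flag_sources(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures in window, accounts tried: {', '.join(users)}")
```

Run against a real log with `flag_sources(parse_failed_logins(open("nextcloud.log").read()))`. A source that cycles through many usernames with few attempts each never trips a per-account lockout, which is why the report lists the accounts tried per address rather than only the count.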
Great points, thank you! I’ve been trying to get a local-only AIO instance set up, since I agree that it would be ideal to make it accessible only via a VPN. However, I’m running into some difficulties with the setup process.
I’m thinking that an alternative approach might be to use a public-facing AIO installation while storing very sensitive files (e.g. financial records) on NextCloud via a VeraCrypt container, or even an eCryptfs folder. This would be a bit of an inconvenience for me, since I couldn’t simply view them online. However, even if someone did make it into my account, they still wouldn’t be able to view the data.
Obviously, having trouble with a more secure approach isn’t a good reason in itself to choose a less secure approach. However, it would be nice to be able to share files publicly if needed, which I couldn’t do with the VPN...
Your accounts are protected, but you still need to consider software vulnerabilities. Reduce the number of plugins/apps you have installed (code that isn’t there cannot get hacked), and make sure you keep everything updated automatically (Nextcloud, web server, mods, plugins, browsers, browser plugins, and so on). If the Nextcloud instance (against all odds) gets hacked, you may want to look at consequence-reducing measures. Instead of VeraCrypt I am using Cryptomator to sync encrypted files to cloud services. That way I only need to sync the files that were changed and not everything else. I would also try to run the Nextcloud/web server service under an unprivileged account. Separating the installation onto a separate network may be worthwhile - IF you have anything else on that same network that you care about?