Beware to fall into the trap of outdated docs and false advice

Beware to fall into the trap of outdated docs, false advice and not enabling the appropriate security measures.
:warning:

Please find a more current documentation available as:

Last not least the German (DE) community may consider this worth a read:

Unfortunately, the article links to the b.m. Nextcloud Security Scan page with outdated NC 13 docs.

:shield:
NOTE: The URL input field of the Nextcloud Security Scan page seems to be correct and one can get an actual security report as should be appropriate. However, the line “hardening tips in our hardening guide” of same page is pointing to outdated content.

This is rather unfortunate and may hurt the security awareness of the NC user community.

Obviously, Nextcloud at least sometimes appears as if far too lazy in updating their online documentation and this can be quite misleading.
:smirk:


Only today I became aware of this unfortunate situation after lending a hand to someone calling for protection against brute-force attacks who was following outdated documentation apparently.

@Jospoortvliet I would hope that both the user community and Nextcloud GmbH seek to improve this situation as soon as possible and as sustainable as reasonable.

Hope this helps.
:smile:

4 Likes

The brute force app is enabled by default (at least in NC 17)… did the user disable the app?

@Paradox55 Thank you. However, I addressed this in the a.m. advice already.

Do not hesitate to either establish a new thread in the bruceforcsettings category yourself or make a comment to my proposals there. I am happy to learn & improve.
:cowboy_hat_face:

@TP75:

Note that on every doc page on the top right there is a link where you (“the user community”) can improve the documentation (“Edit on GitHub”). Thanks!

Thank you. I am aware of this and did some little contrib of my own in the past already. You could until today find this merged in some admin manual and other pages, presumably.


However, my main concern is the Nextcloud Security Scan page. :warning:

AFAIK this is a quite prominent page and cannot be edited by an imbecile like me, I presume.
:innocent:

You could give it a try https://github.com/nextcloud/nextcloud.com :wink:

@j-ed Did you?

:smiling_imp:

In principle maybe yes. In practice I cannot consent and see the responsibility at Nextcloud GmbH as a business and the acc. P&R and IT Sec personal involved. Nevertheless I took the effort to CC one of them specifically in the above already or did you miss this detail?
:smirk:

BTW do not blame the messenger.
:innocent:


Addendum

I gave it a try and it did not check out for me.

The page https://scan.nextcloud.com/ is located on a server of its own and outside the Wordpress GitHub structure of nextcloud/nextcloud.com apparently. Me briefly scanning GitHub was not helping or I am too lazy.

@j-ed I am an imbecile and not worth to commit as mentioned above.
q.e.d.
:innocent:

3 Likes

scan.nextcloud.com doesn’t seem to have a high priority. It can be very useful (e.g. like the certificate check at ssllabs) but only if it is working… we shouldn’t have feature that we are not able to maintain.

Documentation is a good point. There was even a talk about it on the last conference:


(https://www.youtube.com/watch?v=Cpug8Iqw3f8)

Even if new features are announced and some time available, there is nothing or very little about them in the documentation (e.g. end-to-end encryption).

1 Like

@tflidd — Thank you for your fair and reasonable answer.

However, learning the below from a presumed member of Nextcloud GmbH and our community leader of this forum:

And learning this from a.m. web page of Nextcloud GmbH currently::

Check the security of your private Nextcloud server

Privacy does not exist without security.
To help you keep your data yours, this scan analyzes the
security of your server and gives you an overview of what to improve.

I feel some obligation in my private capacity a a member of this home user forum and may stress my current concern again by a rephrase:

By scan.nextcloud.com one by official invitation of Nextcloud GmbH can get a security audit report. However, the line “hardening tips in our hardening guide” of same page is pointing home users and admins of private NC servers to outdated content which may hurt the security awareness of the NC user community.

This is rather unfortunate and Nextcloud GmbH should provide the appropriate update to the a.m. official online content in due time at their earliest convenience.

CC @j-ed @jospoortvliet

I am just a community member and this is just an impression I got from the official discussions and bug reports on public feedback.

Don’t expect too much. It’s just supposed to checks things that are visible from outside, e.g. if the version is up to date and if the data-folder is not readable. You could still run unpatched php versions, run an openly accessible database, weak passwords, …

If the feature is kept in future versions, an update for each version should be part of the release procedure, like it was on the list in the past:

1 Like

You say: Don’t expect too much?

As the most deployed self-hosted file sync and content collaboration platform, Nextcloud offers the widest range of add-on capabilities and integrations in the industry.
https://nextcloud.com/compare/

In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.

As a contributor, ensure that you give full credit for the work of others and bear in mind how your changes affect others. It is also expected that you try to follow the development schedule and guidelines.

https://nextcloud.com/contribute/code-of-conduct/

Come on, yes we can. Stay positive and meet the endeavours, I would say.

Happy hacking.
:sunflower:

What do you suggest? A quick scan from outside can reveal some basic stuff, not detailed configuration problems or permission settings. A deeper scan could get legally difficult, and even then it’s doubtful. It’s more efficient to check directly on the system with on-board tools and then it’s quickly more general than just Nextcloud and more about how to secure a linux webserver.

@tflidd - - The webadmin should update the page “© 2018 -> © 2019” and repair the link (NC 13 -> NC 16).

Hi there, always good to have a lively discussion.

IMHO your technical analysis is quite correct and the scan service provided by Nextcloud GmbH seems to be reasonable. Please note I never gave any concern of my own on these aspects.

IMHO by mainly (or may I say: only?) addressing the technical aspects of the a.m. scan itself you may have almost completely misunderstood my approach from the beginning. Unfortunately, you may have missed my several core points, which – without any difference in priority by the below sequence – are:

  1. The a.m. URL shows a page which is outdated (e.g., © 2018) and providing a quite misleading link to completely outdated NC 13 documentation.
  2. As a home user when “expected that you try to follow the … guidelines” one may stick to the letter and thus may fall into the trap of outdated documentation, false advice and outdated links, unfortunately.
  3. Nextcloud being a prospering FOSS project by “hard work and enthusiasm of thousands of people” can become a sustainable success by always seeking to improve where reasonable, I presume.

My standing concern as well as my recent reply to your “Don’t expect too much?” was not intended to question your expertise or the expertise of Nextcloud GmbH or others. IMHO there is no need to defend anything and this is a free world. However, a real world with real challenges and with utter facts like good ambitions paired with too many requests and too few resources or else mishaps. Marketing may advertise the some job but generally shall not define the job to devs or the business as a whole, I presume.


No offence and please let me ask you again freely and openly:

Would you call my a.m. concern unreasonable and a solution being not feasible by the web admin responsible in handling the many Nextcloud GmbH advertising and marketing online pages?

I guess you wouldn’t…
:nerd_face:


@daniel512 – Hi good proposal and did you establish an issue?

IMHO this good idea may be misleading, unfortunately. Please note your proposal is not new to me and the last time I was not alone in the assumption that the issue cannot be placed as was expected. Furthermore, you may learn of my CC to a marketing person of the Nextcloud GmbH in the beginning of this thread. Please take the effort and read my thread as a whole, if I may.

AFAIK the a.m. page is outside the context of this repo due to:

Please not again blaming me and shooting the messenger, if I may.


I admit my growing impression of preaching into the wind and a growing feeling of becoming a little lost here.
:roll_eyes:

Facta non verba.
:face_with_monocle:

Happy hacking.
:sunflower:

Afaik the best place to report issues with scan.nextcloud.com is https://github.com/nextcloud/nextcloud.com/issues. Probably they are prefixed with scan.nextcloud.com: https://github.com/nextcloud/nextcloud.com/issues?utf8=✓&q=is%3Aissue+scan.nextcloud.com.

1 Like