How secure is my install over HTTPS on 443?

Hey all

Looking for some advice please?

I have my installation running over HTTPS port 443 with the security and hardening enabled using letsencrypt certs. How safe is this? In the logs I noticed two lines saying two random IPs had attempted connection. When I googled them it was shadowproject bot.

This led me to start thinking. Will my data be safe? Only 443 is open on my router in front of this server.

Also is there a way to autoban failed user logins after a certain period/amount of attempts?

Please accept my apologies if these have been asked before. I'm just concerned before I add more data.

Look forward to hearing your replies.

Many thanks

Andrew

If you’ve followed the hardening tips for your SSL certificates (and there’s another config generator you could check out: https://mozilla.github.io/server-side-tls/ssl-config-generator/) you should be absolutely fine.

People are going to attempt to login to your server, it’s inevitable as it’s a public-facing solution. You’d cringe at my SSH auth log :slight_smile:

Is your data folder in the default location? If you want to be super secure keeping it somewhere else would be as good as it gets.

1 Like

Security is a continuous process. Unfortunately there is no checklist you can go through and then your server is secure.

Regarding your SSL settings, you can check your SSL configuration if it is properly installed and if it uses secure ciphers -> ssllabs.com

Nextcloud 10 has some login protection, fail2ban does this on a network level (less load on the webserver).

Check your logfiles regularly (tools like logcheck can help you) and keep your system (and Nextcloud) updated. For anything else you can just look for general guides how to secure your Linux system and webserver.

Hey thanks for your help guys :slight_smile:
I just ran a test on ssllabs.com and got an A+, which sounds healthy.

Fail2ban I've never used except with SSH; is there much configuration to do for Nextcloud logins?

I spotted a forum post for owncloud 8 and 9 using regex for fail2ban also from your post above:

Is there any configuration required on our part to configure this or is it out the box?

Appreciate your help guys.

Many thanks

Andrew

I think so but I’m not sure. Anyway it is recommended to test such features if they work like they should.

For the fail2ban expressions, I would take the newest you can find. You perhaps need to modify it. OC 9.1 and NC 10 are probably very similar (also OC 9.0 and NC 10).

Hi Andrew,

As far as I know, you need to configure fail2ban for nextcloud manually. But this is very easy.

Create a file
/etc/fail2ban/filter.d/nextcloud.conf

and write into the file:

[Definition]
failregex = ^...
            ^...

followed by various regular expressions after the = sign. You can enter many lines of different regular expressions. Have a look at /etc/fail2ban/filter.d/sshd.conf to see how it can look.
However, as an example, this is how I wrote my nextcloud.conf, but it is specific to me and my use of syslog:

[Definition]
failregex = ^.* nextcloud .* Login failed.*Remote IP: \'<HOST>\'.*$

After you saved that file, go to
/etc/fail2ban/jail.local

and search for “JAILS”. Below that enter:

#
# Nextcloud
#
[nextcloud]
enabled = true
filter = nextcloud
banaction = iptables-allports
protocol = all
port = anyport
logpath = /var/log/syslog

Change the logpath to match your server’s logfile for nextcloud. Could be
/var/ncdata/nextcloud.log
as well.

You can either restart fail2ban or use the force-reload switch of service to reload the configuration for fail2ban.
service fail2ban force-reload

Let me know, if you need additional help with the configuration or the regex.

Best regards,
Schmu

2 Likes
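To check a failregex before trusting a jail with it, this added example (not part of Schmu's post or of fail2ban itself) expands the <HOST> tag the way fail2ban does, runs Schmu's syslog pattern plus an assumed pattern for the JSON nextcloud.log format over constructed log lines, and reports which addresses would reach the ban threshold. HOST_GROUP is a simplified stand-in for fail2ban's real <HOST> expansion, and the sample lines and IPs are made up for the test.

```python
import re
from collections import Counter

# Simplified stand-in (an assumption, not fail2ban's exact code) for what fail2ban
# substitutes for the <HOST> tag: a named group capturing an IPv4 address or hostname.
HOST_GROUP = r"(?P<host>[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[A-Za-z0-9.-]+)"

# First pattern: Schmu's syslog failregex from the post above. Second pattern is an
# added assumption for the JSON lines Nextcloud writes to its own nextcloud.log.
FAILREGEX = [
    r"^.* nextcloud .* Login failed.*Remote IP: \'<HOST>\'.*$",
    r"^.*\"message\":\"Login failed: '.*' \(Remote IP: '<HOST>'\)\".*$",
]

def compile_failregex(patterns):
    """Expand <HOST> in each failregex line and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]

def failed_login_host(line, compiled):
    """Return the offending host for a line matching any failregex, else None."""
    for rx in compiled:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=5):
    """Hosts whose failed logins reach maxretry (fail2ban's ban threshold)."""
    compiled = compile_failregex(FAILREGEX)
    counts = Counter()
    for line in lines:
        host = failed_login_host(line, compiled)
        if host:
            counts[host] += 1
    return {host for host, n in counts.items() if n >= maxretry}

# Constructed sample lines: one syslog-style line and one nextcloud.log line
# (not real log data), plus a benign line that must not match.
SAMPLE_LOG = [
    "Oct 12 10:00:01 cloudhost nextcloud {core} Login failed: 'admin' (Remote IP: '203.0.113.5')",
    '{"reqId":"x1","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: \'bob\' (Remote IP: \'198.51.100.7\')","level":2}',
    "Oct 12 10:00:02 cloudhost nextcloud {core} Login successful for user 'andrew'",
]

if __name__ == "__main__":
    # Three failures from one address reach maxretry=3 and would be banned;
    # the single failure from the other address and the successful login do not.
    attempts = SAMPLE_LOG[:1] * 3 + SAMPLE_LOG[1:]
    print(offenders(attempts, maxretry=3))  # {'203.0.113.5'}
```

On a real server the same check is done with fail2ban-regex against the actual logfile; a pattern that matches nothing there means the jail will never ban anyone.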