How to maintain, check and improve the security of your Nextcloud installation?

Welcome to the Wiki. You are welcome to improve and extend this post :heart:

Your Nextcloud likely contains work and data you don’t want others to have access to. There is no absolute security, but you can follow some general measures to verify that your system is secure enough and doesn’t offer an easy target to bad actors.

update your system frequently

The most important security measure is frequent updating. Updates often include bug fixes and close security holes that existed in previous versions. At the time of writing, HackerOne (a portal where “white hat hackers” responsibly report bugs) states that Nextcloud received 153 reports and paid over 8k within the last 90 days!! Only new versions include these bug fixes!

While some admins prefer to update to a new major version only once it has stabilized a little, everybody should install minor versions very quickly (within days). A minor version update is usually very fast and doesn’t result in a headache. Major versions often require more work as they introduce new features, but you definitely must keep running a supported major version. In general, Nextcloud maintains every major version for about a year after release. Consult Maintenance-and-Release-Schedule for details regarding release dates and the support time frame of your system.

Good information sources regarding known security issues are

configure built-in security tools

Nextcloud has multiple integrated security tools which help you protect the system.

password policy

Visit https://<my.domain.tld>/settings/admin/security and adjust according to your needs.

The common wisdom regarding password “complexity” (special characters, numbers, password history) has changed recently, and the latest recommendations favor “a long password the user can remember for a long time” over “nonsense combinations of random characters changed every few days”.

  • enforce password length of at least 8 characters (more is better).
  • enable check against
  • lock user after some bad login attempts

bruteforce settings app

If triggered, brute force protection makes requests coming from an IP on a bruteforce protected controller with the same API slower for a 24 hour period.

This can help you against automated password probing attacks.
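To see whether such probing is actually hitting your instance, you can count failed logins per source IP in the server log. The following is an added example, not part of the original wiki post or Nextcloud's own code. It assumes a JSON-lines `nextcloud.log` whose entries carry `time`, `remoteAddr` and a `message` starting with "Login failed" (check this against your version); the threshold, window and sample lines are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ts, ip, msg):
    # Helper that builds one constructed log entry in the assumed layout.
    return json.dumps({"reqId": "x", "level": 2, "time": ts,
                       "remoteAddr": ip, "app": "core", "message": msg})

# Constructed sample data: one IP probing six accounts in five minutes,
# one IP with two isolated failures, one unrelated entry, one corrupt line.
SAMPLE_LOG = [
    *[_line(f"2024-05-01T10:0{i}:00+00:00", "203.0.113.7",
            f"Login failed: user{i} (Remote IP: 203.0.113.7)") for i in range(6)],
    _line("2024-05-01T08:00:00+00:00", "198.51.100.4", "Login failed: bob"),
    _line("2024-05-01T18:00:00+00:00", "198.51.100.4", "Login failed: bob"),
    _line("2024-05-01T10:01:30+00:00", "203.0.113.7", "Some unrelated warning"),
    "not json at all",
]

def parse_failed_logins(lines):
    """Yield (timestamp, ip) per failed-login entry, skipping unparsable lines."""
    for line in lines:
        try:
            entry = json.loads(line)
            when = datetime.fromisoformat(entry["time"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated or non-JSON line: ignore instead of crashing
        if str(entry.get("message", "")).startswith("Login failed"):
            yield when, entry.get("remoteAddr", "unknown")

def find_probing_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak} for IPs whose failures within any window reach threshold."""
    by_ip = defaultdict(list)
    for when, ip in parse_failed_logins(lines):
        by_ip[ip].append(when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, peak in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins within 10 minutes")
```

IPs flagged this way are candidates for a closer look in the bruteforce settings app or for a firewall rule; an IP with a few failures spread over the day, like the second one in the sample, stays below the threshold.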

Suspicious Login app

Detect and warn about suspicious IPs logging into Nextcloud

In my instance I don’t see many suspicious logins, but here and there it could add visibility to less visible threats maybe…

use Multi-factor authentication (MFA/2FA)

This technology, often referred to as MFA or 2FA, strengthens the user authentication process by adding a further, different verification step to the login procedure. While identity theft is easy when a user account is protected by a user/password combo only, it becomes much, much harder if the thief needs to steal your mobile phone running an Authenticator app or a hardware token used for WebAuthn.

Nextcloud security scanner

This scanner checks whether your system runs a supported version and some other basic security measures.

Unfortunately, the scanner has a bad habit of caching scan results. Don’t forget to review the scan date: if the result is dated, hit “trigger re-scan” and wait until the scan finishes.

TLS security scan

The next measure is to verify that your TLS settings are good, one of the most known

review security headers

You are pretty good so far, but you can do a little more and verify your client-side browser protection is up-to-date using