How to secure NCP + docker?

Hi, I am new here and a beginner at securing servers and using docker. I had to install NCP via docker on Raspberry Pi OS (Debian 11 Bullseye) because NextCloudPi_RPi_10-08-21 is too old for my Raspberry Pi 4 hardware (it won’t boot). Before I make my home cloud available from the internet I want to be sure it is secure.

  1. docker-NCP doesn’t include fail2ban - is this nextcloud tutorial applicable and sufficient?
  2. how to set up a firewall? unfortunately docker ignores ufw
  3. are any other steps needed for securing the docker-NCP version in comparison with standard-NCP?

Hoi,

First off, welcome to the nextcloud forum c:

How did you flash the ncp image? Seems odd that the main platform this image was developed for isn’t working.

As for securing docker, you can always patch into a docker container using
docker exec -it nextcloudpi bash
(nextcloudpi being replaced with whatever the container image is called). When in there you can operate like any other image.

Another way to do this is to use docker-compose to make a “stack” and set anything else you need up that way. If services are in the same docker-compose file then they will share a docker network that is isolated from the rest of the host, where containers can connect to each other using their container names as hostnames.

I would suggest checking out linuxserver.io’s guides on docker to get familiar with how to use docker. You can find it here: https://docs.linuxserver.io/general/containers-101

If you are running docker I would suggest using linuxserver.io’s SWAG container OR nginx proxy manager. Nginx Proxy Manager comes with a sweet web interface to manage services and SSL; SWAG is harder to set up but more of a set & forget thing. They can both handle the firewall aspect of securing your server.

As for fail2ban through docker I’m not sure, however, I do know that DietPi has this in their software install script - might be worth looking into instead of raspberry pi OS.

Cheers

Thanks for reply, I’ll try to study the links.

Regarding the flashing of the ncp image - I tried both the “dd …” and pi imager methods. I have also tried the Ubuntu Appliance distro, which is also based on Debian 10; it stops booting with some error like

“This board requires newer software”

Regarding the firewall

Out the box you cannot connect from the outside world to the running webservers on ports 80 and 443 below. To allow entry to the sandbox from the outside world we must explicitly allow entry using the -p flag. (https://docs.linuxserver.io/general/containers-101)

That’s nice, so I believe nothing extra has to be done for docker, just use UFW for Raspbian OS, because docker would open only the specified ports (80, 443, 4443).

docker run -d -p 4443:4443 -p 443:443 -p 80:80 -v /path/to/ncdata:/data --name nextcloudpi ownyourbits/nextcloudpi DOMAIN

Not docker related. But have you tried the curl command to install ncp yet?
Had no issues with that a month ago. Didn’t try the image :frowning:

I have not tried the curl. Actually I think I’m close to understanding the docker usage and it seems surprisingly easy and useful, and I’m saying that as an average linux user.

The remaining fail2ban setup will be something like in this tutorial for wordpress & docker.

Fail2ban & docker

This setup seems to work for me. Follow the nextcloud tutorial for the “jail” and “filter” files creation, moreover add a line banaction = docker-action to the “jail” file and finally create a file /etc/fail2ban/action.d/docker-action.conf whose contents, according to this post, should be something like this:

[Definition]
actioncheck = iptables -n -L FORWARD | grep -q 'DOCKER-USER[ \t]'
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP

Restart the fail2ban service and that’s it. I am not sure if this is a correct setup but I have tested it and after failed login attempts, an IP is successfully blocked.
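The jail and docker-action described in the post above, replayed in dry-run form as an added example (not code from this thread or from NCP). It assumes Nextcloud's default JSON nextcloud.log format with the "Login failed: '...' (Remote IP: '...')" message, uses constructed sample lines, and picks maxretry/findtime values of its own; the iptables commands are only returned as strings, never executed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings as in a typical [nextcloud] jail: ban after MAXRETRY failures within FINDTIME.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)

# Mirrors the <HOST> capture of the fail2ban filter: the offending address is the one
# quoted in Nextcloud's message, which survives even when a proxy sets remoteAddr.
LOGIN_FAILED = re.compile(r"Login failed: '[^']*' \(Remote IP: '(?P<host>[^']+)'\)")

def failed_logins(lines):
    """Yield (timestamp, host) for every 'Login failed' entry; skip non-JSON noise."""
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        m = LOGIN_FAILED.search(entry.get("message", ""))
        if m:
            yield datetime.fromisoformat(entry["time"]), m.group("host")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts reaching maxretry failures inside a sliding findtime window, in ban order."""
    recent, banned = defaultdict(list), []
    for ts, host in sorted(failed_logins(lines)):
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def docker_action_commands(hosts, ban=True):
    """Commands docker-action.conf runs. DOCKER-USER, not INPUT, is the chain that sees
    traffic Docker forwards to published container ports, so a UFW/INPUT rule would miss it."""
    return [f"iptables {'-I' if ban else '-D'} DOCKER-USER -s {h} -j DROP" for h in hosts]

def _entry(time, ip):  # constructed nextcloud.log line in Nextcloud's JSON format
    return json.dumps({"reqId": "x", "level": 2, "time": time, "remoteAddr": ip, "user": "--",
                       "app": "core", "message": f"Login failed: 'admin' (Remote IP: '{ip}')"})

# Constructed sample: three quick failures from 203.0.113.7, three failures from
# 198.51.100.9 spread 20 minutes apart (never inside FINDTIME), and an unrelated line.
SAMPLE_LOG = [_entry("2023-05-01T10:00:00+00:00", "203.0.113.7"),
              _entry("2023-05-01T10:00:05+00:00", "203.0.113.7"),
              '{"reqId":"y","level":1,"time":"2023-05-01T10:00:06+00:00","message":"cron ran"}',
              _entry("2023-05-01T10:00:09+00:00", "203.0.113.7")] + [
              _entry(f"2023-05-01T09:{m}:00+00:00", "198.51.100.9") for m in ("00", "20", "40")]
```

Running `docker_action_commands(hosts_to_ban(SAMPLE_LOG))` yields only the DROP rule for 203.0.113.7; on the real host, `iptables -n -L DOCKER-USER` and `fail2ban-client status nextcloud` show whether the live jail did the same.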