Hi, I am new here and a beginner in securing servers and using Docker. I had to install NCP via docker on Raspberry Pi OS (Debian 11 Bullseye) because NextCloudPi_RPi_10-08-21 is too old for my Raspberry Pi 4 hardware (it won’t boot). Before I make my home cloud available from the internet I want to be sure it is secure.
docker-NCP doesn’t include fail2ban - is this nextcloud tutorial applicable and sufficient?
How did you flash the ncp image? Seems odd that the main platform this image was developed for isn’t working.
As for securing docker, you can always patch into a docker container using docker exec -it nextcloudpi bash, nextcloudpi being replaced with whatever the container image is called. When in there you can operate like any other image.
Another way to do this is to use docker-compose to make a “stack” and set anything else you need up that way. If services are in the same docker-compose file then they will share a docker network that is isolated from the rest of the host, where containers can connect to each other using their container names as hostnames.
If you are running docker I would suggest to use linuxserver.io’s SWAG container OR nginx proxy manager. Nginx Proxy Manager comes with a sweet web interface to manage services and SSL, swag is more of a harder to setup but set & forget thing. They can both handle the firewall aspect of securing your server.
As for fail2ban through docker I’m not sure, however, I do know that DietPi has this in their software install script - might be worth looking into instead of raspberry pi OS.
Regarding the flashing ncp image - I tried both the “dd …” and pi imager methods, I have also tried the Ubuntu Appliance distro which is also based on Debian 10, it stops booting with some error like
Out the box you cannot connect from the outside world to the running webservers on ports 80 and 443 below. To allow entry to the sandbox from the outside world we must explicitly allow entry using the -p flag. (Docker Containers: 101 - LinuxServer.io)
That’s nice, so I believe nothing extra has to be done for the docker, just use UFW for Raspbian OS, because docker would open only the specified ports (80, 443, 4443).
I have not tried the curl. Actually I think I’m close to understanding the docker usage and it seems surprisingly easy and useful and I’m saying that as an average linux user.
This setup seems to work for me. Follow the nextcloud tutorial for “jail” and “filter” files creation, moreover add a line banaction = docker-action to the “jail” file and finally create a file /etc/fail2ban/action.d/docker-action.conf where, according to this post, should be something like this:
Restart fail2ban service and that’s it, I am not sure if this is a correct setup but I have tested it and after failed login attempts, an IP is successfully blocked.
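One possible docker-action.conf for the setup described in the last post, added here as an example; it is not the file from that post or from the post it links to. It assumes fail2ban runs on the host with the iptables backend, that the container publishes its ports through Docker's default bridge networking (not host networking), and that the jail's logpath points at the host-side path of the Nextcloud log.

```ini
# /etc/fail2ban/action.d/docker-action.conf
# Added example (assumption: iptables backend, Docker bridge networking).
#
# Traffic to a published container port is DNAT'ed and forwarded, so it
# never passes the host's INPUT chain, where fail2ban's default actions
# (and UFW's rules) live. Docker evaluates the DOCKER-USER chain before
# its own forwarding rules, so bans are hooked in there instead.
# <name> and <ip> are fail2ban's own substitution tags (jail name and
# offending address).

[Definition]

# Create a per-jail chain and jump to it from DOCKER-USER.
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I DOCKER-USER -j f2b-<name>

# Remove the jump, then flush and delete the per-jail chain.
actionstop = iptables -D DOCKER-USER -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>

# Verify the jump is still present (Docker restarts can rebuild chains).
actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-<name>[ \t]'

# Insert the ban ahead of the RETURN rule; remove it on unban.
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
actionunban = iptables -D f2b-<name> -s <ip> -j DROP
```

After a test ban, `iptables -n -L DOCKER-USER` and `fail2ban-client status <jail name>` on the host show whether the rule and the banned address are in place.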