Is NextCloud Safe To Use Remotely?

Hello :smiley:

I setup a NextCloud jail on my FreeNAS server. I was to make a “Google Drive” like setup for my family. Before I started putting my data on there, I wanted to know how secure my data is and what steps do I need to take in order to confirm it is secure?

Thanks in advance!

Secure is a relative word right? Google drive has security weaknesses, as does DropBox and everthing else.

Nextcloud is likely “as secure” as those. If you have data that you cannot afford to lose or have compromised then you need to do several things:

  1. HAVE A BACKUP (nuff said - I won’t go into that any more here);

  2. Secure your Nextcloud installation:

A. Use HTTPS access only - letsencrypt gies you free certificates and you can force https: connections only;
B. Make sure your host machine is actually security hardened - no ports open that are not needed, firewall enabled, no weak SSH login servers etc. (google ‘server hardening’ for your system);
C. Enable server-side encryption (it provides a little extra protection - but not much);
D. Since it’s so easy to do: full-disk-encrypt your system drives;
E. ABSOLUTELY CONSIDER USING END TO END ENCRYPTION for your data. My personaly favorite is Cryptomator. Nexcloud has their own method but personally I find it a bit ‘weird’. There are others too;

Of all the above, END TO END encryption will protect your data (assuming you use a strong enough password - that’s over to you) more than anything else. You can leave end-to-end encrypted data on a thumbdrive with the CIA, and as long as you have a strong password, they will need a Quantum computer to crack it. It’s that good.

Of course, ETE encrpytion is great but comes at a user-convenience price tag.

For music and media, you likely don’t need it - but for personal documents (bank statements, letters, tax filings), you do - and the inconvenience is worth it for the peace of mind you get from it. You can easily configure Nextcloud to have some directories encrpyted and some not. Thht’s what I do.

Nextcloud is as secure as the commercial guys, but do the right things to make it work for you. :slight_smile:

Andrew

advantage: You are the only administrator.

Thank you for taking the time and providing me with all of this great info!

I’m less worried about the integrity of the files and more worried about someone using NextCloud to gain access to my network (The server with FreeNAS running NextCloud is in my apartment).

My NextCloud server isn’t going to hold anything sensitive. Mostly gameplay recordings that my friends and I share with each other (as Discord has the 100MB limit with Nitro, and 8MB without).

I am unsure how to setup the HTTPS but I’ll try finding a guide for that. ETE would be nice, but some people aren’t very technical and would have issues with that sadly. Since the server isn’t really storing any sensitive data, that might not be needed… Then again, it would be nice to know that no one can steal my videos :confused:

For HTTPS - look up ‘letsencrypt’ on the web. They make it VERY EASY.

Any server can be hacked. For me, it’s about layers of security - multiple ways of protecting your installation and data. Personally, I would not want to install Nextcloud on the root a real server so I install everything on LXD containers - precisely such that if it’s hacked, nothing beynd the Nextclould installation can be accessed (that itself is uncomfortable enough, even with end to end encrpytion).

You are right to be worried about security, but probably don’t lose sleep. There’s so much you can do to protect and obscure your installation, but I can’t cover it to any justice here. I still believe Nextcloud is safe for us home users, but definitely look into HTTPS. :slight_smile:

For your scenario a DMZ could be interesting, to separate the server from your local network (not to block but to limit access to it, some routers have quite a lot of options to do that).

Think of the security of your home, you can ask for a very solid door. If the windows remain open, or you have a dog that opens the door for everyone, this door is useless. It’s always about the whole concept and its weakest point. You already got a few starting points.

1 Like

For most home routers, I believe the DMZ option is not a true DMZ as most networking experts would define it. I would not use this option on a home rouer as it forwards basically all traffic to the host defined in the home routers DMZ. This could bring a lot of unwanted attention from internet hackers.

I think for home users (like myself and possibly the author of the original question), sticking with rigid port forwarding rules with a home router setup, to forward specific traffic to specific ports on a computer is a much better way of securing a home network. For those who can afford it, two IP addresses on completely different networks would be even better, thus giving you airgap grade seperation of the internet facing servers and home network hosts.

There is however no doubt that hackers are escalating their game to try to either ‘kidnap’ (encrypt) anyones data for a ransom and/or hijack hardware for cryptocoin currency mining, and it’s rapidly getting to the point where any exposed computer might become more of a liability than an asset. For that, sophisticated DMZ networking and a host of other security measues may be called for.

I suspect the home router itself will be the biggest issue for the rest of us - exploits for older devices are already out there, and router manufacturers usually only patch devices for a while then they expect you to buy a newer model…that requires all new patches thus repeating the cycle. it’s quote a gloomy outlook IMHO, driven by annoymous bitcoin-type currencies where hackers can stay anonymous and still keep their ill-gotten gains. But I digress enough. LOL.

I loved the example of a dog opening the door btw! :slight_smile:

To prevent dogs from opening the doors, I am considering the LXD option on a new installation. What should be the minimum and recommended system requirements for installing Nextcloud on a VPS instance? How should the memory and computing power be allocated between the LXD containers?

If the root user of the VPS instance is meant to safeguard Nextcloud, should Apache be installed in a LXD container? How could the LXD containers be structured in a way that is secure yet compatible with Nextcloud?

In my case, I plan to share pictures with at most a few users…

Congratulations to you for looking at LXD as a means of housing your Nextcloud instances. I think that decision alone helps protect your data from remote attacks. Anyone who jail-breaks an LXD container will need an exploit against LXD itself to get root access to a real machine. That’s not likely and certainly requires determination.

Depending upon how much tin foil you want, you can go to many measures to further protect (via obscurity at least) your data. I used LXD to run my Nextcloud instance which supported a small consulting business with global remote access. To the best of my knowledge, the installation performed flawlessly and as far as I could ever tell, without remote penetration.

The one thing I do that’s likely 90% different from many is that I also use Cryptomator to end-to-end encrypt my data, and it lets me sleep at night. Consider looking into it. If your users are operating ‘windows’ machines then they can use something called ‘Mountain Duck’ to seamlessly and if they want transparently access Cryptomator encrypted files on a remote e.g. Nextcloud instance. The integration for Linux is not so great but honestly you don’t need to be a linux expert to use the simple app they provide for that platform too (I use both Windows (for work) and Linux for personal). It doesn’t get much better than that for security (I find the Nextcloud end-to-end encryption implementation to be a bit too wierd for my liking).

If you want, you could indeed install Apache in one server, mysql in another, your Nextcloud instance in another and indeed your nextcloud data in yet another. Personally that was too much tin foil for me so I run all of those in the same container, but that’s a personal decision. The point is, you can do that (and if you do all that, run haproxy in yet another container to direct all your web services traffic - I do employ that service in one of my LXD containers since I run web servers as well as Nextcloud).

The huge advantage to running these services (especially Nextcloud) in a container is the simplicity of backups. You will read many posts on here about how to have redundant server backup capability. It is not easy if you want to retain all your customization/links/shares if you try to e.g. backup mysql and so forth. Many struggle with this (data backup is of course easy, but as you know, user data is one thing, but server-settings/profiles/accounts/personalization thereof is a time consuming task to reset). In LXD, I run this command once a night via cron:

lxc copy NC DATA:NC-backup --refresh --target-project backups

It refreshes (very fast) an entire LXC instance of Nextcloud to a remote server (at one time, this was half way around the world from each other, but I don’t need to do that now). If my live server goes down (update crash, loss of power, theft, fire or asteroid impact) I can spin up an EXACT replica with just minor router settings changes. And I mean exact. Just a different MAC ID and IP address. The former I care npothing about, the latter needs a router (or haproxy) setting change. Maybe three minutes of effort (from when I first notice it!). Boom - it all works. All my links, files, shares, apps, settings all my customization - everything is just as it was when I last refreshed (2AM or so as I recall :-)) It is just so reassuring. You can likely automate that too, but I don’t need 99.99+% up-time for my needs.

Once you try LXD, you likely won’t go back.

A word of caution: use the EXACT SAME names for your LXD data pools (I go for zfs) on local and remote servers. If you don’t, the backup copy might struggle. I have ssd-pool and hdd-pool names for my lxd zfs drives. I learend the hard way (ssd-pool, SSD-Pool, SSD-pool…) that they need to be exactly the same name for my system to work flawlessly, as it now does (touch wood!).

I am no expert, but if I can help out feel free to post or message.

Andrew