Nextcloud Security

Hi,

I’m considering ways to make my Nextcloud installation available to my devices outside of my home… what can I do to protect my data and network against bots and other bad actors?

Thanks

James

For Nextcloud itself, good passwords, 2FA, keep everything updated.

For the rest of the system, it is similar to web servers and other systems exposed to the internet (only run services needed, give these services just enough permission as they need, ssh with key authentication, updates, …).

And to protect your data, a good backup is required, and especially one that is not reachable/modifiable from a corrupted setup.

If you feel more comfortable with fail2ban or similar things, they can reduce the number of attempts, but they are also more software to fail and possibly do strange things.

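As an added example (not from this thread or from the Nextcloud project), this is the kind of check fail2ban performs, written as a standalone script: it parses Nextcloud's JSON log lines for "Login failed" entries and flags any remote IP that exceeds a threshold within a time window. The log lines are constructed for the example, and the regex assumes the "Login failed: 'user' (Remote IP: 'addr')" message wording.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the one-JSON-object-per-line shape of nextcloud.log.
# Users, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-05-01T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')"}
{"reqId":"a2","level":2,"time":"2024-05-01T10:00:07+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')"}
{"reqId":"a3","level":1,"time":"2024-05-01T10:00:09+00:00","remoteAddr":"198.51.100.9","user":"bob","app":"files","message":"Uploading 1 files"}
{"reqId":"a4","level":2,"time":"2024-05-01T10:00:20+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
{"reqId":"a5","level":2,"time":"2024-05-01T10:03:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"a6","level":2,"time":"2024-05-01T10:20:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')"}
"""

# Assumed message wording; quotes are optional so both quoted and unquoted forms match.
FAILED_LOGIN = re.compile(r"Login failed: '?(?P<user>[^']+?)'? \(Remote IP: '?(?P<ip>[^')]+)'?\)")


def failed_logins(log_text):
    """Yield (timestamp, ip, username) for every failed-login event in the log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of crashing
        m = FAILED_LOGIN.search(entry.get("message", ""))
        if m:
            yield datetime.fromisoformat(entry["time"]), m["ip"], m["user"]


def offending_ips(log_text, threshold=3, window_seconds=600):
    """Return {ip: peak_attempts} for IPs with >= threshold failures inside any sliding window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in offending_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 10 minutes")
```

With the sample above only 203.0.113.5 is reported (three failures in 20 seconds); the later attempt at 10:20 falls outside the window and the single failure from 198.51.100.9 stays below the threshold.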

A good starting point is How to maintain, check and improve the security of your Nextcloud installation and other 101 articles


Thank you both for the replies :slight_smile:

I back up all my important stuff weekly, including Nextcloud, but my passwords could be better, I’ll admit. My admin password is pretty good but my user one, not so much, so I’ll change that. Not sure how I would do two-factor authorisation with a Nextcloud install.

James


Although I’m relatively new to this, I managed to open up my Nextcloud instance from outside my network. Although I do believe I did all the right things, which I can offer here as a starting point, I’m also aware I only know what I know and am open to further suggestions:
In my case:

  • NC runs a native app on my Truenas Scale server.
  • I have AdGuardHome with a DNS rewrite, and Nginx Proxy Manager with a ProxyHost to reroute my cloud.mydomain.com to the right local IP and port, forcing HTTPS. No other (sub)domains are listed.
  • I have an SSL certificate on cloud.mydomain.com (and only this subdomain), also registered in NPM.
  • I have strong passwords enforced in NC, as well as 2FA set up requiring an authenticator (Google, Microsoft or similar).
  • Bruteforce protection is enabled.
  • I have a geoblocker app enabled in NC which will block the login for anyone NOT in my allowed country. Me and the other users don’t travel much outside the country. Any login attempt from other countries can access the server, can even attempt to log in, but will be blocked.
  • According to scan.nextcloud.com I have an A+ rating with this, so that leaves me feeling relatively secure.
  • And with all of that, the actual data resides not in Nextcloud, but on the TrueNAS shares. These are backed up weekly to a connected external HDD which can’t be accessed by Nextcloud directly. I also swap out the external HDD every month, storing the other drive at my parents’.

The official Admin Manual has an entire section on the topic. :wink: See the 2FA chapter.