Nextcloud Security

Hi,

I’m considering ways to make my nextcloud installation available to my devices outside of my home… what can I do to protect my data and network against bots and other bad actors?

Thanks

James

For Nextcloud itself, good passwords, 2FA, keep everything updated.

For the rest of the system, it is similar to web servers and other systems exposed to the internet (only run services needed, give these services just enough permission as they need, ssh with key authentication, updates, …).

And to protect your data, a good backup is required, and especially one that is not reachable/modifiable from a corrupted setup.

If you feel more comfortable with fail2ban or similar things, they can reduce the number of attempts, but they are also more software to fail and possibly do strange things.

3 Likes
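The fail2ban suggestion above amounts to reading nextcloud.log, counting failed logins per source address, and acting when an address exceeds a threshold inside a time window. The script below is an added example (not Nextcloud's or fail2ban's code) that does exactly that count over a few constructed log lines in the JSON shape Nextcloud writes, so you can see what a filter has to match before trusting one. It assumes that a failed login is logged with a message starting with "Login failed:" (or "Trusted domain error." for host-header mismatches), and that each entry carries a "remoteAddr" and an ISO-8601 "time" field; behind a reverse proxy the address is only meaningful if the proxy is listed in Nextcloud's trusted_proxies, which is the caveat to check first.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the one-JSON-object-per-line layout of nextcloud.log.
# Addresses are documentation ranges; nothing here is a real log.
SAMPLE_LOG = r"""
{"reqId":"a1","level":2,"time":"2024-05-01T10:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"a2","level":2,"time":"2024-05-01T10:00:02+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"a3","level":2,"time":"2024-05-01T10:00:03+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"b1","level":2,"time":"2024-05-01T10:05:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'james' (Remote IP: '198.51.100.7')","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
{"reqId":"c1","level":1,"time":"2024-05-01T10:10:00+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Run OC\\Core\\BackgroundJobs\\CleanupLoginFlowV2 job","userAgent":"--","version":"28.0.4.1"}
this line is truncated and not JSON at all
{"reqId":"b2","level":2,"time":"2024-05-01T10:30:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'james' (Remote IP: '198.51.100.7')","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
{"reqId":"d1","level":2,"time":"2024-05-01T10:31:00+00:00","remoteAddr":"192.0.2.9","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"192.0.2.9\" tried to access using \"10.0.0.3\" as host.","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
"""

# Message prefixes treated as a failed authentication attempt (assumption stated in the lead-in).
FAIL_PREFIXES = ("Login failed:", "Trusted domain error.")


def parse_events(lines):
    """Yield (timestamp, source_ip, message) for every well-formed entry.

    Malformed lines (rotation, partial writes) are skipped rather than aborting the scan,
    because a ban tool that dies on one bad line protects nothing.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        ip, stamp = entry.get("remoteAddr"), entry.get("time")
        if not ip or not stamp:
            continue  # cron/CLI entries have no client address
        yield datetime.fromisoformat(stamp), ip, entry.get("message", "")


def failed_logins(lines):
    """Total failed-login events per source address (what you would eyeball first)."""
    counts = Counter()
    for _, ip, msg in parse_events(lines):
        if msg.startswith(FAIL_PREFIXES):
            counts[ip] += 1
    return counts


def ips_to_ban(lines, maxretry=3, findtime=600):
    """Addresses with at least `maxretry` failures inside any sliding `findtime`-second window.

    This mirrors fail2ban's maxretry/findtime semantics: a slow trickle of failures spread
    over hours does not trip the threshold, a burst does.
    """
    stamps_by_ip = defaultdict(list)
    for stamp, ip, msg in parse_events(lines):
        if msg.startswith(FAIL_PREFIXES):
            stamps_by_ip[ip].append(stamp)

    window = timedelta(seconds=findtime)
    banned = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in failed_logins(lines).most_common():
        print(f"{ip:15} {n} failed login(s)")
    print("would ban:", sorted(ips_to_ban(lines)))
```

With the sample above, 203.0.113.5 fails three times in three seconds and would be banned at the defaults; 198.51.100.7 fails twice but 25 minutes apart, so it stays under the window even with maxretry=2. Whatever tool you run this logic in, test it the same way against your own log before enabling it, and remember that the "bantime" it feeds into is what you (or a family member with a mistyped password) will also be subject to.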

A good starting point is How to maintain, check and improve the security of your Nextcloud installation and the other 101 articles.

3 Likes

Thank you both for the replies :slight_smile:

I backup all my important stuff weekly, including Nextcloud, but my passwords could be better, I’ll admit. My admin password is pretty good but my user one, not so much so I’ll change that. Not sure how I would do two-factor authorisation with a Nextcloud install.

James

1 Like

Although I’m relatively new to this, I managed to open up my Nextcloud instance from outside my network. I do believe I did all the right things, which I can offer here as a starting point, but I’m also aware I only know what I know and am open to further suggestions.
In my case:

  • NC runs as a native app on my Truenas Scale server.
  • I have AdGuardHome with a DNS rewrite, and Nginx ProxyManager with a ProxyHost to reroute my cloud.mydomain.com to the right local IP and port, forcing HTTPS. No other (sub)domains are listed.
  • I have an SSL certificate on cloud.mydomain.com (and only this subdomain), also registered in NPM.
  • I have strong passwords enforced in NC, as well as 2FA set up requiring an authenticator (Google, Microsoft or similar).
  • Bruteforce protection is enabled.
  • I have a geoblocker app enabled in NC which will block the login for anyone NOT in my allowed country. The other users and I don’t travel much outside the country. Any login attempt from other countries can access the server, can even attempt to log in, but will be blocked.
  • According to scan.nextcloud.com I have an A+ rating with this, so that leaves me feeling relatively secure.
  • And with all of that, the actual data resides not in Nextcloud, but on the Truenas shares. These are backed up weekly to a connected external HDD which can’t be accessed by Nextcloud directly. I also swap out the external HDD every month, storing the other drive at my parents’.

4 Likes

The official Admin Manual has an entire section on the topic. :wink: See the 2FA chapter.

1 Like

A strong password is of little use. Imagine you are using Windows internally on your LAN and your password is captured by a keylogger and sent to the attacker via the internet. Then, regardless of how complex your password was, they can log in to your Nextcloud. That is why you use 2FA. Although, I don’t use 2FA either.

1 Like

Hi James,

install fail2ban !

1 Like

I solved it with a Cloudflare tunnel via a domain. This, by the way, gives me a lot of security. My installation is through CasaOS and it was very easy; I have no engineering knowledge or anything like that and I achieved it.

1 Like

I can share my solution.

  • I have everything set up via Docker.
  • I have a reverse proxy via Traefik, which also receives certificates, and then goes to NextCloud via HTTP.
  • I use Crowdsec for protection against attacks, bots, and other malicious requests, and I’ve added a log viewer for NextCloud requests.
  • 2FA is enabled.
  • NextCloud seems to have some kind of brute-force protection… Plus, Crowdsec can block based on rules. Fail2Ban might be helpful, but I haven’t installed it yet.

1 Like

Can that be downloaded as a PDF or some other downloadable format? I prefer to have local copies of anything important :slight_smile:

James

Why don’t you look yourself? It’s not really hidden: https://docs.nextcloud.com/

It’s very easy to set up 2fa. Go to apps, install “Two-Factor TOTP Provider.” You can then go to the admin panel > security and “Enforce two-factor authentication” if you want to force users to use it for added security.

Once the 2fa app is installed, go to “personal settings > security” and you can then enable TOTP for your account and set it up with whatever application you use for TOTP. I personally like OneAUTH by Zoho because you can upload your keys to the cloud and retrieve them on a new device if you ever need to.

Nextcloud also supports passwordless login. I have this set up through Bitwarden; it skips the password and asks for my TOTP key.

There is also the Nextcloud site checker that can do a basic scan on your Nextcloud domain to see how secure you have it set up. You can access it from the “overview” tab in admin settings.

The security scan site is https://scan.nextcloud.com

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.