NextCloud, a security analysis


I am not sure this is the right place for this, but I wrote a little analysis-guide on NextCloud security.

My goal is to help educate people on the importance of this and give some pointers for people to configure their systems, as well as to get feedback on how to improve NextCloudPi.

I would really appreciate any suggestions or corrections for this post from the developers. If you think there is something important that should be there, please let me know

Thank you

1 Like

Thanks for sharing your input on security. Could be interesting for an FAQ article, what do others think? @JasonBayton @jospoortvliet @LukasReschke


There is more to it than Let’s Encrypt, having Nextcloud up to date and properly configuring Nginx/Apache. What about securing Redis? What about firewalls? Open ports? SSH configuration? Kind of pointless to run something as super secured as Nextcloud on an otherwise unsecured system.

It is a nice article and I shared it a bit but more of an overview of what is there than really a FAQ if you ask me.

  • Redis is not (yet) part of NextcloudPi and the security analysis. Would be nice to hear about possible security vulnerabilities using it, didn’t hear about anything like that yet.
  • ModSecurity is used as firewall, in most cases the router in the front additionally.
  • As for most router you need to explizit open/forward the used ports, I think it is not a too important topic. Using the Pi itself as router, I guess the preconfigured ModSecurity will only allow 80/443 at first?
  • Secure SSH configuration is totally missing, that’s true! Using key authentication instead of user/pw, changing the external SSH port, if external SSH access is indeed wanted and perhaps tunneling stuff like xrdp/x-server etc. all through SSH (if one really want/need that…) would be good additions. I wrote some sentences about that here: What should I do to improve NextCloud security? [Details inside]
1 Like

So this is about NextCloudPi only? To me it looked more like “Nextcloud in general and especially NextCloudPi”.

Also, never understood how changing the SSH standard port is supposed to increase security.

1 Like

It is about nextcloud in general, but it shows some topics on NextcloudPi as example.

Following the links in the article i.e. ModSecurity is explained in detail including basics about firewall behaviour. So the topic “firewalls” is there, what you were asking for in your first post ;).

As I explained in the other topic given in the link, brute force attacks usually try on the standard ports and therefore also port 22 für SSH. Changing that port brought the number of SSH brute force attacks on my server to zero! Of course if somebody really wants to hack you and tries on all different ports, this will not help or just delay. But I guess no system is 100% secure against selective hack attacks…

Thing is those “bruteforce” attacks try the most common usernames (admin) and passwords (123456). If you are intelligent enough to change your port from 22 to something else then you are probably also intelligent enough to not use simple passwords and then you don’t need to change your port anyway :slight_smile:

Yeah, or use key authentication together with passphrase. It is never a
bad idea to make EVERY layer as secure as possible, so change SSH port,
switch to key authentication AND use strong password for the key ;). In
my case I simply don’t like to see regularly bruteforce attempts in
fail2ban log, even if the chance that they success converges to zero.

thanks for the feedback

I thought SSH was a bit out of scope, because it is not specifically linked to NextCloud.

NextCloudPi includes brute force protection for SSH with fail2ban.