Nextcloud Security Scan - No Error, But Scan Not Updating?

Hi there!

I’ve noticed that the Nextcloud security scan runs successfully and gives me a score. However, the last time the scan was updated was 2020-07-02 15:57:11. When I try and re-trigger a security scan, there are no errors and while there’s no glaring issues, there’s also nothing that signals a successful rescan.

Is there anything further that I need to do to get Nextcloud Security Scan to rescan my instance? I am doing a combination of DNS blocking and GeoIP blocking, but that was in place for months before the security scan stopped updating its result. All the same, I noticed there aren’t any IP ranges available to whitelist, or really any information on the nature of the security scan itself.

How would I get more information on what I can do to get the security scan to refresh its result for my instance?

Thank you for your time and assistance!

  • Rylan

Press the “trigger re-scan” button :wink:

That was the very first thing I tried. It did not/does not do anything. I’ve probably pressed that button 20-30 times since July.


@rylan, have you refreshed the web page after some minutes?

Yes. Consider that I’ve likely clicked every button that exists on that page in every sensible combination several times in conjunction with refreshing the page after some time since July (last successful scan).

Further, I’ve inspected the dev console and the network requests occurring after clicking “trigger re-scan”, and it appears that the scan is not done client-side (as expected), but rather server-side. Since I have no visibility into how this scan is run, I’m here to gather more information.

If you use “fail2ban”, disable it for the scan and enable it afterwards.

That’s a good thought! However, I don’t use fail2ban unfortunately.

What I do use is pfBlockerNG with GeoIP blocking, with as few regions unblocked as is possible for my use. One important note: this GeoIP blocking has been active since before I ever stood up my Nextcloud instance, so that also means it has been active throughout the full duration of successful security scans. While I’d prefer to have a specific IP or IP address range to whitelist temporarily, I would also consider unblocking a geographic region temporarily. Of course, first I’d need to know what region to unblock. I’m certainly not going to turn GeoIP blocking off entirely, as that introduces more risk than I’m comfortable with.

It’d be nice if there were more information on how to successfully receive a security scan from this service.

This could be as simple as:

  1. Use and document/publicize a dedicated IP or IP range to scan instances from which users can whitelist, even if temporarily for the duration of the scan
  2. If users may need to make any adjustments to their instances e.g. fail2ban, brute force, or other security modules that are commonly recommended or referenced in the Nextcloud administration guide, document them.
  3. List any other general information that would help ensure a successful scan.

I feel as though this is a REALLY important “feature”. If Nextcloud is pitching to people and businesses alike that using Nextcloud is a secure alternative to popular cloud providers, then offering tools like this security scanner and ensuring users are able to use it successfully is their automated way to say “see?” or “yes, you are indeed configured properly to the best of our knowledge”.

I’ve found that if it doesn’t just “work out of the box”, there are limited to no resources available to troubleshoot further.

It seems like the IPv4 address of scan.nextcloud.com is 95.217.53.149. You could, for a start, try to whitelist that and then scan again.

That’s not a bad place to start. I’ll give that a go and report back.

I had the same issue. I geoblock and only allow from a couple of countries (including Germany). I used to be able to perform the security scan just fine, but it stopped working somewhere last year. Disabled GeoIP and then it worked (indeed with 95.217.53.149). Although whois.ip shows this as from Germany, apparently my geo-block did not recognise that correctly. Will allow explicitly from this IP address as well then.


Apparently scan.nextcloud.com is an IPv4 address from Finland:
95.217.53.149 - Hetzner Online GmbH | IP Address Information Lookup


Thanks! That explains a lot :slight_smile:

Thank you all for your help. I put a rule in place which can be toggled easily to allow through the scanner’s IP address. It appears it was really just that simple!

Thanks to others for adding additional context as well!

Follow up: Does anyone know if the Nextcloud security scanner web page’s repo is available for contributions? I’d like to add some of this information as context if possible.

I had the same problem, in that my GeoIP blocking prevented the scan. Thanks to this thread I was able to temporarily turn off the blocking for the scan.

However: It would then be helpful if the scan results were to show an unsuccessful scan on account of the scanner not being able to reach the site. Not showing any update whatsoever is not helpful.


I think that’s a phenomenal idea
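Until the scan page itself reports “instance unreachable”, the one place an admin can see whether the scanner got through a GeoIP or firewall block is the web server’s own access log: if no request from the scanner’s address arrives after you press “trigger re-scan”, the block is upstream of Nextcloud and nothing the instance does will change the result. The script below is an added example written for this thread, not code from the Nextcloud project or the scanner. It assumes Apache/nginx “combined” log format, uses the scanner address quoted in this thread (95.217.53.149, which may change and should be re-resolved before use), and runs over a constructed log sample rather than real data; the request paths and user agent in the sample are made up and do not describe what the real scanner requests.

```python
import re
from datetime import datetime

# Scanner address as reported in this thread. Assumption: re-resolve
# scan.nextcloud.com before trusting it, and allow-list only what resolves.
SCANNER_IPS = {"95.217.53.149"}

# Apache/nginx "combined" format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one hit from the old July scan, one unrelated visitor,
# then two hits after a re-scan was triggered on 2020-07-03 at 12:00 UTC.
SAMPLE_LOG = """\
95.217.53.149 - - [02/Jul/2020:15:57:11 +0000] "GET /status.php HTTP/1.1" 200 312 "-" "ExampleScanner/1.0 (constructed)"
203.0.113.7 - - [03/Jul/2020:12:01:40 +0000] "GET /index.php/login HTTP/1.1" 200 7012 "-" "Mozilla/5.0 (constructed)"
95.217.53.149 - - [03/Jul/2020:12:05:02 +0000] "GET /status.php HTTP/1.1" 200 312 "-" "ExampleScanner/1.0 (constructed)"
95.217.53.149 - - [03/Jul/2020:12:05:03 +0000] "GET /.well-known/caldav HTTP/1.1" 301 0 "-" "ExampleScanner/1.0 (constructed)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def scanner_hits(lines, since_iso, scanner_ips=SCANNER_IPS):
    """Requests from the scanner at or after `since_iso` (ISO 8601 with offset)."""
    since = datetime.fromisoformat(since_iso)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in scanner_ips and rec["ts"] >= since:
            hits.append(rec)
    return hits


def diagnose(lines, since_iso, scanner_ips=SCANNER_IPS):
    """Classify what happened after the re-scan was triggered at `since_iso`.

    no-scanner-traffic : nothing from the scanner reached the web server, so
                         look upstream (GeoIP, firewall, DNS block, fail2ban).
    reached            : scanner requests arrived and all got non-error responses.
    reached-with-errors: scanner got through but saw 4xx/5xx; the problem is
                         in the instance or proxy, not the perimeter.
    """
    hits = scanner_hits(lines, since_iso, scanner_ips)
    if not hits:
        return "no-scanner-traffic"
    if all(h["status"] < 400 for h in hits):
        return "reached"
    return "reached-with-errors"


if __name__ == "__main__":
    trigger = "2020-07-03T12:00:00+00:00"
    for h in scanner_hits(SAMPLE_LOG.splitlines(), trigger):
        print(h["ts"].isoformat(), h["method"], h["path"], h["status"])
    print(diagnose(SAMPLE_LOG.splitlines(), trigger))
```

On a real host, replace `SAMPLE_LOG` with the lines of the access log and `trigger` with the time you pressed the button; `no-scanner-traffic` is the signal that the GeoIP or firewall rule needs the scanner address allowed for the duration of the scan, which is exactly the toggleable rule described earlier in this thread.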