Protect Nextcloud using Anubis

Albirew · May 4, 2025, 12:55pm

I’d like to use Anubis to protect my instance from AI-powered plunder bots (and in a boader way mitigate DDoS), but putting it as-is will certainly break API calls from clients (since they cant/won’t execute js).

Fortunately, I can whitelist both URL and/or useragents using regex in Anubis botPolicy.json.

Here some example configuration:

    {
      "name": "robots-txt",
      "path_regex": "^/robots.txt$",
      "action": "ALLOW"
    },
    {
      "name": "internal-traffic",
      "remote_addresses": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
      "action": "ALLOW"
    },
    {
      "name": "generic-browser",
      "user_agent_regex": "Mozilla|Opera",
      "action": "CHALLENGE"
    }

Now, if i want to protect my NextCloud instance, what do you think would be the best?

Allowing .well-known and API URL?
- is there documentation for API endpoints?
Allowing specific useragents (NxC and apps windows and android clients)
- is there documentation for any and all clients useragents?

disclaimer : Anubis is not an all-powerful protection, and allowing specific url/useragent is like putting a big hole in it, BUT, it’s still better than getting DDoS by some ~~moron~~ botnet and waiting for them to calm down.

bb77 · May 4, 2025, 3:59pm

I’d say that’s probably a non-issue with Nextcloud. I mean, since most of Nextcloud’s content is behind authentication, there’s not much for the plunder bots to crawl, so I’d say the load it would cause if they tried is negligible.

As far as general protection against bots is concerned, I’d say Fail2Ban is totally sufficient for a personal instance, as it is rather unlikely that someone will launch an actual DDOS attack against your server. If you want more preventive protection, you may want to take a look at CrowdSec.

Otherwise, the solution would be reverse proxy with web application firewall, with commercial filer lists, which costs money, or a CDN like Cloudflare. The latter is free for home users, but comes with its own challenges, and Cloudflare can read your traffic.

wwe · May 4, 2025, 4:34pm

fully agree. as SOHO you can’t protect yourself against real targeted DoS attack (just because it’s easy to saturate a pipe of the common home or small company) - only some powerful infrastructure in front of your installation can do this and fail2ban or crowdsec should suffice for normal crawler bots.

If you use another product look at crowdsecs Nextcloud whitelist which is not complete but already good jump start.

gdt · June 8, 2025, 11:11am

I think it’s entirely reasonable to want to run anubis on a web server which serves nextcloud and other things, and also just for nextcloud. The AI bots are getting worse and worse. The actual link bandwidth is for many much less of a concern than CPU time to respond.

What I’ve found is that two approaches are helpful:

allow user-agents that match the nextcloud desktop and phone clients
similarly allow caldav/cardav user-agents
allow access to API-like paths

This leaves the nextcloud login page still protected, which prevents php from having to generate the page and should prevent a spurious /tmp/sess_[bighex].