Security in Nextcloud: how to block 99.9% of user account attacks

Originally published at: https://nextcloud.com/blog/security-in-nextcloud-how-to-block-99-9-of-attacks/

If tech sites would write about every individual data leak, they’d have no time to cover anything else. Generally, only email-and-password leaks numbered in the millions get covered. LinkedIn: 164 million. Adobe: 38 million. MySpace: 359 million. Facebook: 200 to 600 million.

It should be painfully clear that you can’t count on large tech companies to secure data sufficiently. The more important point here is, however, that passwords do not offer sufficient security. Most experts agree that it is time for a radical change. But how? A few solutions exist.

just a pretty picture1500×300

Password managers and single sign-on

703×278

Password Policy settings in Nextcloud

There are dozens of websites like Have I Been Pwned who inform users about theft of their accounts – Nextcloud uses this service to block users picking a leaked combination of username and passwords. The problem here is, of course, that users tend to re-use passwords across services. Password managers offer a solution to this, automatically generating a secure password for each site a user uses. While that does create a single location which could be hacked, there have been no known, large password manager leaks yet.

Another solution is single sign-on. Users can log into various services using their Google or Facebook account. The advantage is, indeed, that you only need to remember one password. The downside is, of course, that these companies gain incredible power and know everything the user does. The vendor-lock-in is severe. Users who wanted to cancel Facebook accounts due to the continuing stream of security, privacy and ethical violations discovered they would lose attached accounts. For example, a Spotify account, with all favorite music and playlists, would disappear as well.

The best solution: second-factor authentication

A far better solution is second-factor authentication (2fa). This essentially means that rather than logging in with a single method of identity verification, like knowledge of a password, a service will ask for a second verification factor. For example, a code the user receives in a SMS or from an app. This would prove that not only does the user know the password, he/she also has his or her phone on them. An attacker would of course have a much harder time getting their hands on both.

Is this more secure? You bet it is. While SMS itself is not the most secure method, Microsoft has estimated that 99.9% of all attacks on Hotmail and Outlook accounts is blocked by 2fa.

So why does not everybody use a second factor like an SMS to secure logging in? There is a variety of reasons for this. With regards to SMS as second factor, users are worried about the privacy implications. They are not comfortable handing over their phone number to a service, and those worries are not unjustified. Last year, it turned out that Facebook was using the phone numbers users gave for second-factor authentication for advertisement.

But there are other issues. Two-factor authentication via SMS is relatively easy, but other factors, like TOTP, which requires users to install an app, scan a qr code on the screen and then manually enter codes, are far more complicated. Or expensive – while hardware keys are easy to use and very secure, the prices are typically over 50 euro for a key.

2FA in Nextcloud: flexible and easy

So 2FA is a great solution, but it tends to complicate things. How does Nextcloud deal with this dilemma?

Our security team always works with two simple but important assumptions: if it is difficult to use, it is less secure. And not all users are the same!

We therefore designed a number of second factors and allow administrators and users to enable and use any number of them. Currently, the following are supported and we’ll explain each of them quickly:

Matrix style picture of hacker behind code1200×1685

• Time-based One-Time Password (TOTP, including Google Authenticator or similar apps)
• Universal 2nd Factor hardware tokens (U2F, like Yubikeys or Nitrokeys, also supports NFC)
• Gateways: SMS, secure messaging apps Telegram, Signal and more
• Code in an email
• Notification (just click to approve login on an existing device like phone)
• User backup code (User has to generate these in advance and store them in a safe location)
• Administrator backup code (creating those can be delegated to group admins)

Now, as you can imagine, each of these methods has its downsides and benefits. SMS are quite easy – if you have set it up as administrator and if you trust the telephone network. Signal and Telegram are nice as well, but it is hard to guarantee that all users have these chat apps!

TOTP has many apps available and can be used on many devices but is more complicated, U2F is very secure but expensive. Receiving a code in an email is a familiar method but emails can be intercepted. Notifications are supremely easy to use and secure. That last option should not be missing on Nextcloud installations!

Backup codes are a great way to ensure users don’t get stuck without being able to log in.

Let’s dive deeper into all these methods so you know what their benefits and downsides are, and which you should consider enabling on your Nextcloud server.

(Time-based) One-Time Password

This ‘factor’ is a device-generated code. This code can be used to log in, usually only once. An OTP code can have an expiration date, though often they are quite long. The user has to enter them to log in.

The popular time-based variant changes the code frequently – the most used TOTP standard generates 6 digits every 30 seconds. There are hardware tokens which have a simple display showing the codes. On mobile phones, various apps for implement this standard, from the Google Authenticator app to various free and paid alternatives.

To set up TOTP, users have to give the TOTP device a long code to initiate the connection, in many cases this can be done by scanning a QR code to avoid having to type anything.

During use, a TOTP device does not need to communicate with the service being used, it does not even need to know anything about it. This thus works without connection or on a local, firewalled network.

A downside of TOTP is that it is vulnerable to various forms of man-in-the-middle attacks. A hacker can set up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters their information, the hacker gains access to their account. This attack is not easy to pull off: users have to visit the site of the attacker and mistake it for their usual website.

When enabled by the admin, users can set up TOTP in their security settings:

network cable with condom around it and laptop728×485

Universal 2nd Factor hardware tokens

U2F is a bit similar to OTP, in that a device generates a code. But, unlike OTP, users don’t have to enter it. The process has to be handled by the client, for example a browser, or an application, directly. A U2F device thus has to be connected physically. USB or NFC are the most typically used methods for this.

The service will communicate with the U2F device, using a public key encryption and a challenge-response model, which makes it impossible to ‘attack’ using the man-in-the-middle attack that (T)OTP is vulnerable to.

The downside is the need of support for the devices. Browsers and apps all have to work with this and connecting a phone to a computer via USB or NFC, or connecting a hardware U2F key to a phone can be difficult in some situations.

U2F can also be setup by users in their security settings:

Gateways: SMS, secure messaging apps Telegram, Signal and more

Many users are probably familiar with receiving a code through SMS and entering it into a website login portal. Nextcloud supports connecting to such a ‘SMS gateway’, and can also use Telegram and Signal through this system. While it is not extremely hard to intercept an SMS, Telegram and Signal messages are quite secure. Unfortunately, not many users have these apps installed, so they are not suitable as general solutions for all users.

Another issue is that it takes some work from the system administrator to set up and configure these methods. You can find documentation here.

Code in an email

The fourth method is also rather familiar to users: receiving a code in their email. While email, too, is relatively easy to intercept, this nonetheless makes logging in a lot more secure and it is easy to set up and use.

dialog asking to accept code on another device1080×1920

Notification

Probably the easiest way for users to log into their Nextcloud is through a notification on an existing device or session. Nextcloud will simply create a notification, allowing the user to click ‘approve’ or ‘deny’. This works from a browser session, mobile phone and desktop client and requires no configuration on the side of the user.

User backup code

In the user security settings, a option for creating backup codes is given. This allows the user to generate a series of codes and store them in a secure location. Each of these codes can be used, once, as second factor to log into Nextcloud. If all other methods fail, this gives the user still access to their account…

Administrator backup code

In case all else fails, users can contact their system administrator. If enabled, the admin can create a one-time login code the user can use as second factor. To make it easy for companies to delegate this to personnel in a support team without giving them full administrator access, group admins also have the ability to create second-factor backup codes for their users.

Enable two-factor authentication

Recapping: second-factors are incredibly important to secure accounts. While they typically have some drawbacks, the wide range of options in Nextcloud, including the incredibly user friendly ‘notification’ option, make 2fa a must-have on Nextcloud. Enable it today and leave feedback on your experience below!

hand with code behind it2000×1200

Is it possible to change the login panel for normal user/password?. First input the “username” and after “enter” the “password” and then a second “enter”. So there could perhaps better features against hacking attacks (javascript function, cookies, … ???, …)

Two factor authentication is the preferred method. Works great for different methods (U2F, TOTP, Backup Codes)

Yes. But a lot of users do not use, like or need them.

Sorry this article and or its title is quite misleading. To block 99,9% of all attacks you need proper IDS/IPS Firewalls (e.g. Suricata) and Reverse Proxies in front of a Nextcloud Instance. As WAF you may use mod_security with own or the latest OWASP rulesets.

In addition to this you should use GeoIP filters. A Nextcloud Server of a dentist somewhere in Europe with only local audiences doesn’t need access from the USA, Africa oder somwhere from far east Asia. Last but not least you should enable bandwith limits. This is also managed either by your firewall or mod_ratelimit inside your Apache Webserver.

Yes, that is exactly what private users need for their raspberry pi based family clouds.

How would the 2FA affect connections over webdav/caldav? I remember that I had some issues after testing the 2FA for a while, so I disabled it. I used the notification method via NC Android app.

Ok, I tested it again… after enabling the 2FA I’m no longer able to connect via WebDav/CalDav (DAVx5 and other android apps).

On the other hand, what would happen if I logout from the nextcloud android app and the 2FA via notification would still be active? Would I need to login via Backup-Codes?

you have to create an app password for each service you can to connect to nextcloud.
You have to manage it in your user security panel.
Quite annoying but better for security.

This is how it works, as described in the user manual:
https://docs.nextcloud.com/server/18/user_manual/user_2fa.html
So when enabling 2FA you need to use device or application specific tokens.
Some applications also support single sign on, then a specific token is not needed, as I understand.
You can use DAVx5 without issue with 2FA enabled, with it’s own app token.

Using 2FA implies having backup codes, so yes they can be used for that. And as fallback, the administrator of the nextcloud instance can always manage 2FA state for a user, to help out.

There’s also an 2FA Admin Support app:
https://apps.nextcloud.com/apps/twofactor_admin

Ok, sounds good!

@mjanssens thank you for linking the manual! I’ll have to take look at it.

Apart from anything else don’t use an email address as a login ID. Use of an email address as ID is the starting point for using leaked passwords. If fred@example.com has password Myname_1sfred leaked from one site then that’s a pair to start guessing with on any other site that uses email address a ID on the basis that Fred only has one email address and uses it everywhere. If he is fredbloggs on one site, user385 on another and fb_001 on a third then knowing his password was Myname_1sfred on the first site is no help in trying to break into the others, even if he used the same password.

Unfortunately this is not mentioned in the article. Since many small and large companies also use Nextcloud, your argument is not valid. As a recommendation you should either clarify this or write the title less sensational. Wouldn’t be the first time when marketing and hip bloggers ruin an usually good product and brand with their bloomy promises. You are advertising a single item (2FA) as 99,9 % solution against attacks. That’s quite untrue and not representing the real life. Why do you do this?

2FA might stop 99.9% of attacks on Hotmail accounts, but I don’t think the same can be said for a self-hosted software stack like Nextcloud. There are several other vectors of attack beyond password guessing, so I think that would be giving a false sense of security.

Yes, it is a pretty sensational title

But I got your attention, didn’t I? And that is literally my job

I didn’t even cheat by putting sex in the title (which according to research works even better). Hey, a title needs to make people want to read the article.

The accuracy of it - well, depends on context - you can also quite easily claim that using port 23 for ssh blocks 99.9999% of all attacks on SSH - technically correct but not all breaches are, of course, caused by that same type of attack. So it’s both true and not, I suppose.

Anyhow. Let me update the title a bit and call it ‘user account attacks’. That’s probably a lot more accurate, and doesn’t discount that there are 10.000 other types of attacks on servers. And it is still clickbaity enough to upset a few pedantic people

But please understand - there are two things that make a project like Nextcloud successful. Doing interesting things is one. And the other is talking about it. If you don’t do one of those, you’ll just end up another irrelevant product and that is not what we want so yeah, we talk about it. And use most tricks in the book. Not all, we don’t pay google and facebook for ads, for example, but we do try to write, ehm, good (maybe clickbaity) titles to get attention for example. And we develop some features almost purely for PR reasons.

I totally get that some of you don’t like that, really. I don’t like sensational news or people who intentionally post outrageous stuff on twitter to get more followers. But the sad reality of the world is that it works and thus we can’t afford to not play the game if we want to be relevant. And I want MORE for Nextcloud to be relevant than that I want to be super realistic and be liked by everyone in tech all the time, sorry.

As another outrageous example I’m happy to discuss with tech people is how NextCLOUD is totally wrongly named and isn’t a cloud at all because a cloud is (blablabla). I’m happy to agree, it is 100% correct: Nextcloud is not SaaS, PaaS or IaaS. It is not a cloud in terms of AWS and OpenStack. But we still won’t rename it. And we don’t apologize for this name because IT WORKS, laypeople understand the name even if it irritates a few pedantic nerds. Sorry, not sorry. See, you can be right AND wrong at the same time

It is a re-wording of 20-month old articles about Google introducing hardware keys for their employees, like this for example

The attacks aren’t blocked but their success rate is…

I have created a comment with a smiley face. Please relax.

It is Friday and the sun is shining here. Have a nice weekend with or without 2FA

“Pedantic nerds”, is it now? When in doubt, go on the offensive and try to shame the users for calling BS. Superb.

And here we go again and start to discuss off-topic related to topic title.

Please stay on-topic and be nice to each other.

It was on topic. It seemed to me not a great idea to give “laypeople” the impression that their Nextcloud would be safe from 99.9% of attacks by implementing 2FA. Then we got a rather less than positive response…

There is no such thing as bad publicity…