Security on Nextcloud

Hello everybody !

About having an home server, is it necessary activate the 2 authentication factors and server-side encryption ?

Except the two things before and use https protocol, what else is important to activate for having a safe home server ?

There is not this one option that makes your server safe.

Server-side encryption is designed for external storage, if the data is on the same server, there is little advantage and you add a lot of complexity (there are more issues, backup/restore gets more complicated, …).

2 factor authentication is nice, I would try to apply such things to other server access methods as well, e.g. for SSH you can use certificates. For services, I’d try to give only permissions they require for the service itself and not more. So if you run other services, that they cannot access Nextcloud data/config and vice versa. And also run only services you really need, everything else is just an additional exposure for an attacker…

I’d take a look in monitoring, already the logfiles, if there are errors, strange activities, they can be a hint that something is wrong, e.g. if you can monitor traffic, also keep an eye on it.

Keep your software updated. Since your are probably no target, nobody will use a lot of resources to hack you. But if you don’t keep your system updated, and you use wide-spread software like Nextcloud, in case some security bugs are known, people will try to scan and hack random setups that didn’t install their security fixes in time.

1 Like

look at this article: How to maintain, check and improve the security of your Nextcloud installation?

1 Like

Ok. Thank you :man_bowing:
2 factor authentication.
Monitor the traffic and logfiles.
When you mentioned the SSH and certificates you was referring to use the HTTPS protocol ? Because about that is possible use Nginx Proxy Manager and connect to a domain like for example:

What did you mean with services ?

Are the stable versions of Nextcloud enough in order to keep Nextcloud safely updated ?

Thank you :man_bowing:

No if you connect to your server via ssh (via terminal, putty).

E.g. don’t expose your db connection to outside, don’t have a DNS server/mail server / … installed if you don’t use it. Check your open ports from outside, and if you are not using a certain port, disable the software running behind this port.

From Nextcloud side the best you can do is follow the stable releases, and install the point releases every month or so.

For that, I find easy for me CasaOS

Thank you again for all :man_bowing:

I think you achieve the greatest security if you understand the system and the applications. The less you understand about the system and the applications, the less you can effectively protect it yourself.

If you host an application like Nextcloud at home that is accessible via the internet and you don’t care much about it, it may be that a managed Nextcloud on the internet would be far more secure.

1 Like

That looks nice, their focus is on easy setup. Not sure if you heard about BSD, there are 3 major players, FreeBSD, OpenBSD and NetBSD, roughly speaking one focuses on performance, the other on security and the third on maximum compatibility for hardware. If you want to have maximum compatibility for hardware, you need to keep a lot of drivers, perhaps not always the newest ones and not the best reviewed security-wise, but that is stuff you don’t want to use if you are concerned about security (e.g. on a mailserver, firewall, …) but it is great if you want to run your home-automation in a local network.

So easy setup, it might prepare for a lot of different usage and the configuration might not be the most secure possible (because in such a case, every time you add something to use, you might alter some configuration). It does not mean it has to be inherently unsafe, or you cannot improve things.

In your place, I’d check a bit with the CasaOS system, to get familiar with it, what you can do to secure it. If it is based on a different OS, their guidelines/tutorials might give hints as well.

Thank you :man_bowing:

Thank you :man_bowing:
Didn’t know about those.
Can you eventually suggest me, maybe on Coursera or Udemy, a general cloud course for beginners ?

I would have linked some more resources. I just look specifically for topics, but it would be great to have a good reference where you can continue to read. There are certainly a few books, but I never used a specific one I could recommend. sorry.

Don’t worry. Thank you the same :man_bowing:

Just to make it clear for me, you want to know how to protect your system / nextcloud the best way?
I this ist the question than I must say its a difficult question. There are a few Things that prefent you, but a 100% Safe system / Applikation doesn’t exist.

  1. Keep your os Up to Date
  2. Update all applications to latest version
  3. Passwords (Special for Admin accs) shouldn’t bei easy to get, so use Password Generators and programms like keepass to Store them
  4. For Admin accs, i prefere 2FA, so it’s Not so easy to get Access, If there is a Bug in the Software
  5. Make Backups of the system (cause of Somebody hacked you, you have a Fallback)
  6. Monitor the Access / Traffic of all applications, which are able to communicate via www
  7. Use a Firewall and Block all not needed Ports, also outgoing Ports are important, cause of Reverse Attack
  8. Learn about your os, otherwise everything is useless you try. Tutorials are nice, but If you don’t know what happes there, you can Control or manage the system after Installation.

Some Things from my Side. I have a Cloud and other Services available in www. I don’t use Server encryption active in nextcloud, cause i Run in Trouble with this feature and I’m Not able to read / Access Data folder of nc!
Security ist Not Something you can learn in one day. There a several Things you need to know and learn. Best way is to start with hackthebox or tryhackme. There you learn common Hack techniques.

But I am missing the database encryption itself.
I found a description if the encryption of MySQL but not for PostGres.

you can provide individual DB driver options as described in the dbdriveroptions… but IMHO majority of private and small-business installations will not gain any advantage from encrypting DB connection…

1 Like

well, it is for external storage (on a third-party system).

If you have sensitive data, I would use a encryption container (like Veracrypt) or other client-side encryption as an additional layer.