Two factor authentication for newby

Hi ,
I’m about to enable two-factor authentication on my server. It’s the first server I’ve built and the first time I’ve tried to enable this sort of feature. My question is, is one service easier to install for a new user such as myself? Is there a preferred app that people use or one to avoid?
Appreciate any insights,
U

First of all, you should think about why you want to install or install 2FA. Of course, it offers security advantages, especially for web applications, because even if the user name/password is disclosed to third parties, access is not possible without 2FA.

The simplest 2FA variant is probably TOTP. This is also implemented as standard with Nextcloud. If you have a smartphone, you can use TOTP generators such as Google Authenticator.

I would advise you to first set up a test user on your Nextcloud and use it to test 2FA. You should also consider beforehand how you can deactivate 2FA again without access via 2FA, e.g. for administrators. Perhaps it makes sense to create your own administrator without 2FA with a complicated password that you never use.

Using two-factor authentication — Nextcloud latest User Manual latest documentation

2 Likes

Thank you for your response. I guess I’m concerned about my server being compromised, even though it will be a very small group of family using it.

My other concern is do I use the server password storage and management system? If the server is compromised, does it mean they can access all my saved passwords, photos etc

I’ll set up a test user for the password authenticator. Is the Google one a good one to use?

Regards,
u

Yes, unless you use client-side encryption before uploading the data to your Nextcloud. Take a look at Nextcloud End-to-End Encryption, for example. You don’t have to use it for everything, but only for really confidential documents.

I think there are several providers for that software. In the end, the apps are just a kind of calculator that calculates a TAN from an initial value using the current time. You can also buy these devices in real hardware.

1 Like

It depends on how we define “compromised”.

If they can log into the Nextcloud admin account, they have access to everything on your Nextcloud because they can also manage the other user accounts from there. If they manage to log into a normal user account, they “only” have access to that user’s data.

Against both of these threats, 2FA provides additional protection, but it shouldn’t be an excuse to use weak passwords or to reuse existing passwords.

If the attackers somehow manage to execute code with elevated privileges, e.g. through a vulnerability in the web server, PHP or Nextcloud, or if they manage to log in directly to the server via SSH and gain elevated privileges from there, you must assume that they can access everything, even other applications you may have installed on that server.

Measures to prevent the latter:

  • Keep Nextcloud, its dependencies and the OS always up to date

  • Do not make SSH accessible from the Internet.

  • if it must be accessible from the Internet (e.g. on a VPS), disable password authentication and only use SSH keys, and perhaps add Fail2ban as additional protection.

I’d recommend https://getaegis.app/ It’s open source, and most importantly, it lets you back up your TOTP secrets locally, while Google Authenticator can only be backed up/synchronized with a Google account.

3 Likes

Regarding Nextcloud security you are welcome to follow this guide How to maintain, check and improve the security of your Nextcloud installation

@bb77 good points. we don’t have #ssh and OS access covered in the above guide, would you mind adding your valuable input there? or maybe create another “low level” Wiki regarding server security?

in case you have shell access I would recommend using MFA for admin accounts as well and in case of issues reset/remove MFA using occ command. single-factor authentication with strong password (20+ char) is likely “secure enough” for private installation as the chance is low somebody will run brute-force attack on your server but still MFA is far more secure than simple password - and your definitely should secure your admin accounts better than user accounts.

One should always have backup for your MFA. you could have different MFA methods enabled TOTP on your phone (one can print QR code and store it safely offline) and FIDO key so you still can login if one method fails… same recommendation applies for every user - admin and regular accounts.

Basically, you have to think about what you want to secure with 2FA. And that is access via the web interface either from the outside or from the inside, e.g. with a Trojan.

You should also always use 2FA for administration. My recommendation not to use 2FA for administrators was more for the changeover and then if you don’t use the password anyway.

Incidentally, I do not believe that a 10, 20, 50 or 100-character password achieves the quality of 2FA. If the password is read by an attacker or trojan (client side or server side), it is lost. This risk never exists with 2FA. You have to realize that certain IT security risks can never be solved with long or complex passwords. Unfortunately, it-security tends to keep quiet about this and continue to recommend complex passwords. I think, on the other hand, that the normal passwords are perfectly adequate against simple testing via the application. There are already mechanisms for this in Nextcloud and logging in to a Nextcloud is much too slow.

2 Likes

This! 2FA is not so much about the bots on the internet that poke at your open ports, and not even actual bruteforce attacks (assuming that you use a reasonably secure password), as Nextcloud itself already slows down bruteforce attacks out of the box, but about a user’s PC being compromised and then the hackers geting the strong and complicated passwords from there. Also, users tend to store passwords in insecure ways for convenience.

Another example is the .ssh folder on a Linux PC, in which the private SSH keys are stored: If I have access to it, any software running in my user context will also have access to it. If a malicious software steals the private keys, Fail2ban and other security messaures won’t help you you, and if the attackers are smart, they will also steal the known_hosts file or the config file and then they also have the IPs or URLs to which the keys belong.

That’s why SSH keys should also be further secured, and there are simple and practical options for home labbers that don’t involve any complex identity mangement and access control systems:

  • Protect the keys with a password (inconvenient because you have to type it in every time you want to connect to a server).
  • Protect the keys with a FIDO2 stick (more secure and more convenient)

In addition to the above:

  • Disable the root account on the servers and always log in as a dedicated (sudo) user and never directly as root. (This limits the damage if an attacker does manage to log in)

@wwe I’m not a security expert, and there are already tons of articles on the internet for beginners on how to secure a Linux server. But I’ll see, maybe I can put together something with the basics. No promises, though. :wink:

2 Likes