Is my Nextcloud safe? Self-hosting + DO first timer!

I have set up a server on DigitalOcean using an Ubuntu 18.04 server and installed Nextcloud on it using the following DO guides. I have never set up a server before and I am not really techy, but I love the idea of hosting my own Nextcloud instance for privacy. Using the below guides, do I have a safe setup to use this in production if I keep it up to date? Any advice or comments would be welcome!

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-18-04


https://scan.nextcloud.com is how you scan your Nextcloud web server for security issues.

As for server security in general:

  • install and set up fail2ban
  • use only SSH key authorization, disable password authorization
  • never enable root account, never login as root
  • backup your data off-site using secure software, like rsync over SSH
  • it is good practice to only allow the ports you actually use, like 22, 80 and 443. The easiest way is Ubuntu’s UFW or DigitalOcean’s firewall (although I did not use it, I just know they have it)
  • never download any software from sources you do not trust
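The checks behind the SSH and firewall items in this list, written up as an added example (it is not from the post above, nor from Nextcloud or DigitalOcean): a POSIX shell script that reads an sshd_config and reports whether password logins and root logins are still allowed, and that compares the ports a host is listening on (from `ss -ltn` output) against the allowlist of 22, 80 and 443. The defaults it assumes when a directive is absent are those of OpenSSH 7.6 as shipped with Ubuntu 18.04; the sshd_config and ss samples it runs on are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the forum thread: audit helpers for the hardening
# list above. File paths are parameters so the functions can be run against
# copies of the real files or, as below, against constructed samples.

# Print the effective value of an sshd directive (sshd honours the first
# uncommented occurrence). Match blocks are ignored, an assumption that holds
# for a stock Ubuntu 18.04 config.
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit FILE for "key-only auth" and "never login as root". Prints one line
# per check and returns 0 only when both pass. Absent directives fall back to
# the OpenSSH 7.6 defaults: PasswordAuthentication yes, PermitRootLogin
# prohibit-password.
sshd_audit() {
    rc=0
    pa=$(sshd_value "$1" PasswordAuthentication)
    if [ "${pa:-yes}" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication ${pa:-unset, defaults to yes}: disable it once your SSH key works"
        rc=1
    fi
    prl=$(sshd_value "$1" PermitRootLogin)
    if [ "${prl:-prohibit-password}" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        # prohibit-password still lets root in with a key, so it does not
        # satisfy "never login as root"
        echo "FAIL PermitRootLogin ${prl:-unset, defaults to prohibit-password}: set no and use a sudo user"
        rc=1
    fi
    return $rc
}

# From saved `ss -ltn` output ($1), list TCP ports that accept remote
# connections but are not in the space-separated allowlist ($2). Sockets
# bound to loopback are skipped because the firewall never sees them.
unexpected_ports() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $1 == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            port = addr; sub(/.*:/, "", port)        # strip everything up to the last colon
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' "$1" | sort -n
}

# Demo on constructed samples so the script runs anywhere without root.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# Constructed sample: password logins still on, root allowed with a key
#PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF
cat > "$demo/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     *:443                *:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
EOF
echo "== sshd_config =="
if sshd_audit "$demo/sshd_config"; then echo "ssh: pass"; else echo "ssh: fix the FAIL lines"; fi
echo "== listening ports not in the 22/80/443 allowlist =="
unexpected_ports "$demo/ss.txt" "22 80 443"
rm -rf "$demo"
```

On a real droplet, run `sshd_audit /etc/ssh/sshd_config` and `ss -ltn > /tmp/ports.txt; unexpected_ports /tmp/ports.txt "22 80 443"`. A DigitalOcean image set up with a root account and your public key will fail the PermitRootLogin check until you create a sudo user and set `PermitRootLogin no`; the firewall half of the list is then `sudo ufw allow 22/tcp`, `sudo ufw allow 80/tcp`, `sudo ufw allow 443/tcp` and `sudo ufw enable`, after which anything the port check still reports is either a service to stop or a port you forgot you needed.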

Thanks, good advice! I have only opened ports 80 and 443 as per the tutorials.
DigitalOcean sets it up with a root account with my public SSH key. Should I delete this account?
Will definitely look at doing backups using rsync.

I got an A on the scan, which means there are further things I can do to improve to get an A+, but these seem a bit more involved… I’m hoping A is good enough to go ahead and use! I think the patch level is to do with running the Nextcloud 18 edge channel.

For me it is A+:

Running Nextcloud 16.0.7.1
Latest patch level

A non-root account is more a protection from yourself, because a small typo can easily kill your server beyond repair while running as root.
I usually create a separate account for myself and type a password when I need to execute with elevated privileges.
You cannot delete the root account, but you can keep a key to it somewhere safe and not use it every day.

Did you install via snap? I updated the server today so it’s up to date. The snap nextcloud 18 edge channel must be a little behind!

Was there anything else you did to take it to A+?

No, I did a manual install because I prefer not to use snaps when I can avoid it.
If you visit yournextcloud/settings/admin/overview, can you update? I am on the production channel and 16.0.8 just became available for me.

No, just everything from official guide.

Honestly I think the best way to install Nextcloud is using snap. I don’t like it for desktop usage, but as far as server stuff goes, I don’t think you can beat it! It all makes sense, from the sandboxing to the AppArmor confinement.

If I need sandboxing, I would use an LXD container. This way I do not have any limitations with a read-only filesystem and can apply any patches I want; also I can tune my Nginx setup however I want.
But if Nextcloud is the only thing I have on that server, no sandboxing is needed, am I right?

But if Nextcloud is the only thing I have on that server, no sandboxing is needed, am I right?

Sandboxing should theoretically reduce the number of exploitable vulnerabilities in your system (that you may or may not be aware of) by defining what certain processes can and cannot do. So it’s an additional layer of protection which doesn’t sound too bad for an internet facing service like Nextcloud. The more security the better right?

I am totally not an expert, but I heard bad things happen when a perpetrator breaks out of the sandbox.
But if the only valuable data I have is inside the sandbox, I do not see how the sandbox helps.

I heard this is a task for tools like SELinux and AppArmor. But I do not know how to use them, so I cannot benefit from them.

I would be grateful for a simple example of how a non-sandboxed Nextcloud can be vulnerable compared to a sandboxed Nextcloud, assuming only ports 80, 443 and 22 are open. This will hopefully push me to learn more on the topic and maybe move my instance to a sandbox :slightly_smiling_face:


I heard this is a task of tools like SELinux and AppArmor

Exactly, you’re right. Snap uses AppArmor, and the rules should already be set up.

I would be grateful for a simple example of how a non-sandboxed Nextcloud can be vulnerable compared to a sandboxed Nextcloud

A typical textbook example is Shellshock. Through a bug in Apache an attacker could get a root shell. A Mandatory Access Control system like SELinux or AppArmor would have made this attack ineffective by using a rule that, simply put, says an httpd process cannot run a shell.


Been away a few days, but it sounds like I can trust a basic snap install as much as anything. I will set up a local backup, then move my contacts and calendar across and start using it, fingers crossed. :crossed_fingers: Thanks for your input. Will keep trying to learn some more to try and make sure I’m doing it right! :grimacing:

Nice, didn’t know this was a thing :100: :+1:

Nice little “peace of mind” feature