[Question] Security considerations when self-hosting Nextcloud
I've been self-hosting Nextcloud for some time on Linode. At some point in the not too distant future, I plan on hosting it locally on a server in my home as I would like to save on the money I spend on hosting. I find the use of Nextcloud to suit my needs perfectly, and would like to continue using the service.
However, I am not so knowledgeable when it comes to security, and I'm not too sure whether I have done sufficient to secure my instance against potential attacks, and what additional things I should consider when moving the hosting from a VPS to my own server. So that's where I am hoping for some input from this community. Wherever it shines through that I have no idea what I'm talking about, please let me know. I have no reason to believe that I am being specifically targeted, but I do store sensitive things there that could potentially compromise my security elsewhere.
Here is the basic gist of my setup:
My Linode account has a strong password (>20 characters, randomly generated) and I have 2FA enabled. It required security questions to set up 2FA, but the answers are all random answers that have no relation to the questions themselves.
I've disabled ssh login for root. I have instead a new user that is in the sudo usergroup with a custom name. This is also protected by a different, strong password. I imagine this makes automated brute-force attacks a lot more difficult.
I have set up fail2ban for sshd. Default settings.
I update the system at least bi-weekly.
Nextcloud is installed with the AIO Docker container. It gets a security rating A from the Nextcloud scan, and fails on not being on the latest patch level as these are released slower for the AIO container. However, updates for the container are applied automatically, and maintaining the container is a breeze (except for a couple of problems I had early on).
I have server-side encryption enabled. Not client-side as my impression is that the module is not working properly.
I have daily backups with borg. These are encrypted.
Images of the server are also backed up daily on Linode.
It is served by an Apache web server that is exposed to outside traffic with HTTPS with DNS records handled by Cloudflare.
I would've wanted to use a reverse proxy, but I did not figure out how to use it together with the Apache server. I have previously set up Nginx Reverse Proxy on a test server, but then I used a regular Docker image for Nextcloud, and not the AIO.
This all sounds very reasonable. One question remains: what is the use of a dedicated proxy if Cloudflare is connected? I do use nginx proxy manager and host my dockerized services on subdomains via https. I suppose if the reverse proxy gets attacked, the main server stays online and hidden. Does Cloudflare not hide your IP and prevent (some) DDoS attacks?
This is one of those areas that often has me confused... For now, the DNS entry with Cloudflare is set to 'DNS Only'. That is perhaps a mistake on my part, and I should enable the proxy? Right now I can't remember the reasoning for why I set it up like this.
Originally I wanted to set up Nginx Reverse Proxy to serve other services than Nextcloud on the same server on different ports. That was the way that I found that was easily manageable at the time, and like the AIO container is set up now, accessing the IP address of my server automatically routes to Nextcloud, even if I had another service running. I could maybe configure Apache to do the same job as I want Nginx to do? At the time, I opted to get another VPS dedicated for other, smaller services instead as a temporary solution, that over time turned permanent. However, this will be important to me when/if I start hosting this locally instead, as I would want my server to host other services as well.
Can relate. I'm pretty much on the opposite end of this situation. I have a home server, hosting a fair amount of apps, and it's pretty integrated and polished, but there are still a lot of things I want to do, some crucial before I even think of opening ports in my router.
The issue for me is that my internet upload speed is trash although my provider is rather good.
So I'm thinking of moving in the opposite direction and hosting my stuff on a VPS so that I can use it and maybe share stuff with friends without being kneecapped by my upload.
The obvious solution would be a fiber connection, which is not available at my location yet (edge of a city in Germany, hard to believe, I know).
But to answer your question: you could probably get Apache to do something like that, but I'm absolutely the wrong person to tell you how as I don't have any experience with Apache. I can help you configure npm (nginx proxy manager) and DNS records, but that's about it in this department.
In any case, have a good one and hit me up if you want to discuss this further.
Ah, I see. Hope for you that a fiber connection will be available in the not-too-distant future then. I would love to do this at home, but I'm going to need some serious study sessions to better understand home networking (and take appropriate action) before I start exposing services at home to the internet. I do wonder if I jumped onto this too fast, but I was just so incredibly fed up with relying on big tech monopolies for essential digital services...
I guess my last question would be if you had an opinion on whether enabling proxy in Cloudflare is a no-brainer or not?
Makes total sense that one would familiarize himself with networking/selfhosting before actually going live and putting their private data at stake. I respect that.
Also, I would probably use the Cloudflare proxy, but I don't have experience with it yet, so I'd give it a quick search ("cloudflare proxy vs dns only" or something) and see if any reason why you didn't like it pops up.
Also, I suggest you keep a log if you don't have one already. Every time I do maintenance (essentially, every time I log into ssh on my server) I make an entry in my log. That way you will know why you did what you did when you did it.
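The Apache-side answer to the reverse-proxy question raised above, plus the one config change the Cloudflare "proxied" switch forces on the web server, as an added example that is not the poster's configuration or Nextcloud's own: a default vhost that refuses bare-IP requests, one vhost per subdomain forwarding to a local Docker port, and mod_remoteip restoring real client addresses so fail2ban and Nextcloud's brute-force protection keep seeing the true source. The backend port 11000, the second service on 8080, the hostnames, the certificate paths and the Cloudflare address range are assumptions or placeholders.

```apache
# Assumed modules: ssl, proxy, proxy_http, proxy_wstunnel, rewrite, headers,
# remoteip. AIO in reverse-proxy mode on 127.0.0.1:11000 (assumed port),
# second service on 127.0.0.1:8080. Hostnames and cert paths are placeholders.
# Only matters once the Cloudflare record is switched from "DNS only" to
# proxied: Apache then logs Cloudflare's address as the client, so fail2ban
# would throttle Cloudflare, not the real source. Trust CF-Connecting-IP only
# from Cloudflare's published ranges; otherwise a direct client could forge it.
RemoteIPHeader CF-Connecting-IP
# PLACEHOLDER: replace with the current Cloudflare IPv4 and IPv6 ranges
RemoteIPTrustedProxy 203.0.113.0/24

# First vhost is Apache's default: bare-IP or unknown-hostname requests are
# refused instead of silently landing on Nextcloud.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cloud.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.org/privkey.pem
    # Keep the original Host and mark the outer leg as TLS so Nextcloud
    # builds correct URLs and does not report the proxy as insecure.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    # WebSocket upgrades (notify_push) go to the same backend
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://127.0.0.1:11000/$1" [P,L]
    ProxyPass        / http://127.0.0.1:11000/
    ProxyPassReverse / http://127.0.0.1:11000/
</VirtualHost>

<VirtualHost *:443>
    ServerName other.example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/other.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/other.example.org/privkey.pem
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Once the origin sits behind the Cloudflare proxy, the firewall on the server should also only accept 443 from those same Cloudflare ranges; otherwise anyone who already knows the Linode address can still reach Apache directly and the proxy hides nothing.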