Secure a Nextcloud Instance
Move to Nextcloud - Secure
Project Link: Nextcloud
Secure your Nextcloud instance
give PHP read access to /dev/urandom
If you read the Hardening and security guidance, it recommends giving PHP access to /dev/urandom. But if you simply follow the advice "having an open_basedir configured within your php.ini file, make sure to include /dev/urandom" as described there, your Nextcloud webpage will be blank and nothing works anymore. You have to add more directories to the open_basedir directive, not only /dev/urandom/. First sum up which directories are needed:
- /dev/urandom
- the webroot, e.g. /var/www/html/nextcloud
- the data directory, if not included in /var/www/html/nextcloud
- if configured, the upload_tmp_dir directory from the PHP settings
- /tmp
- directory of the logfile, e.g. /var/log/nextcloud/
You can add the parameters in the php.ini or, which I prefer, in the virtual host configuration of your Apache web server. In this example it is /etc/apache2/sites-available/nextcloud.conf.
....
<IfModule mod_php.c>
php_admin_value open_basedir "/dev/urandom/:/var/www/html/nextcloud:/path/to/my/datadir/:/var/log/nextcloud/:/path/to/my/upload_tmp_dir/:/tmp/"
</IfModule>
....
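A check to run before reloading Apache, as an added example that is not part of the original page: it parses the open_basedir value out of vhost text and reports which of the directories listed above are not covered. The sample vhost, the /srv/ncdata and /srv/nc-upload-tmp paths and all function names are assumptions; entries are treated as directory names and symlinks are not resolved, which simplifies what PHP does.

```python
import re
from pathlib import PurePosixPath

# Constructed sample vhost fragment. /srv/ncdata is a hypothetical data
# directory standing in for the page's /path/to/my/datadir/ placeholder.
SAMPLE_VHOST = """
<IfModule mod_php.c>
    # php_admin_value open_basedir "/old/value"
    php_admin_value open_basedir "/dev/urandom/:/var/www/html/nextcloud:/srv/ncdata/:/var/log/nextcloud/"
</IfModule>
"""

# Paths Nextcloud needs, following the list on this page. The data and
# upload directories are hypothetical; replace them with your own.
REQUIRED = [
    "/dev/urandom",
    "/var/www/html/nextcloud",
    "/srv/ncdata",
    "/srv/nc-upload-tmp",
    "/tmp",
    "/var/log/nextcloud",
]

def parse_open_basedir(conf_text):
    """Return the open_basedir entries of the first active directive."""
    m = re.search(r'^[ \t]*php_admin_value[ \t]+open_basedir[ \t]+"?([^"\n]+)',
                  conf_text, re.MULTILINE)
    return [e for e in m.group(1).strip().split(":") if e] if m else []

def is_covered(path, entries):
    """True if path is an entry or lies below one (no symlink resolution)."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(e) or PurePosixPath(e) in p.parents
               for e in entries)

def missing_paths(conf_text, required=REQUIRED):
    """List required paths that the configured open_basedir does not cover."""
    entries = parse_open_basedir(conf_text)
    return [p for p in required if not is_covered(p, entries)]

if __name__ == "__main__":
    for path in missing_paths(SAMPLE_VHOST):
        print("not covered by open_basedir:", path)
```

An empty result means every listed path is covered; with the constructed sample it reports the upload directory and /tmp, the kind of omission that produces the blank page described above.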
serve more security related headers by the web server
In the Setup the Strict-Transport-Security header was already enabled, but there are more headers that help secure the webpage. Therefore please edit the virtual host configuration like this.
....
<IfModule mod_headers.c>
# already added during Setup
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set Referrer-Policy "no-referrer"
</IfModule>
....
fail2ban
Configuring fail2ban is always a good idea, not only for Nextcloud but also for SSH and other services.
Exposing your server to the internet will inevitably lead to the exposure of the services running on the internet-exposed ports to brute force login attempts. Fail2ban is a service that uses iptables to automatically drop connections for a pre-defined amount of time from IPs that continuously failed to authenticate to the configured services.
To configure fail2ban, simply follow the steps described in the Nextcloud Admin Guide. If a proxy is used, the configuration must be done at the backend host, not the proxy. Create the two files /etc/fail2ban/filter.d/nextcloud.conf and /etc/fail2ban/jail.d/nextcloud.local.