Skip to content

Secure a Nextcloud Instance

Move to Nextcloud - Secure

Secure your Nextcloud instance

give PHP read access to /dev/urandom

If you reading the Hardening and security guidance it is recommend to give PHP access to /dev/urandom. But if you simple

having an open_basedir configured within your php.ini file, make sure to include /dev/urandom

as desribed there, your Nextcloud webpage will be blank and nothings working anymore. You have to configure more directories, not only /dev/urandom/ to the open_basedir directive. First sum up which directories are needed:

  • /dev/urandom
  • the webroot, e.g. /var/www/html/nextcloud
  • the data directory, if not included in /var/www/html/nextcloud
  • if configured, the upload_tmp_dir directory from the PHP settings
  • /tmp
  • directory of the logfile, e.g. /var/log/nextcloud/

You can add the parameters in the php.ini or, which i prefer, in the virtual host configuration of your Apache web server. In this example /etc/apache2/sites-available/nextcloud.conf.

<IfModule mod_php.c>
    php_admin_value open_basedir "/dev/urandom/:/var/www/html/nextcloud:/path/to/my/datadir/:/var/log/nextcloud/:/path/to/my/upload_tmp_dir/:/tmp/"

In the Setup the Strict-Transport-Security header was already enabled, but there are more to secure the webpage. There please edit the virtual host configuration like this.

<IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=31536000; includeSu    bDomains; preload" # <-- already added during Setup
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set Referrer-Policy "no-referrer"

Configuring fail2ban is always a good idea, not only for Nextcloud, also for SSH and other services.

Exposing your server to the internet will inevitably lead to the exposure of the services running on the internet-exposed ports to brute force login attempts.Fail2ban is a service that uses iptables to automatically drop connections for a pre-defined amount of time from IPs that continuously failed to authenticate to the configured services.

to configure fail2ban, simple following the steps described in the Nextcloud Admin Guide. If a proxy is used, the configuration must be done at the backend host, not the proxy. Create the two files /etc/fail2ban/filter.d/nextcloud.conf and /etc/fail2ban/jail.d/nextcloud.local.