I've been self-hosting Nextcloud for sometime on Linode. At some point in the not too distant future, I plan on hosting it locally on a server in my home as I would like to save on the money I spend on hosting. I find the use of Nextcloud to suit my needs perfectly, and would like to continue using the service.
However, I am not so knowledgeable when it comes to security, and I'm not too sure whether I have done sufficient to secure my instance against potential attacks, and what additional things I should consider when moving the hosting from a VPS to my own server. So that's where I am hoping from some input from this community. Wherever it shines through that I have no idea what I'm talking about, please let me know. I have no reason to believe that I am being specifically targeted, but I do store sensitive things there that could potentially compromise my security elsewhere.
Here is the basic gist of my setup:
- My Linode account has a strong password (>20 characters, randomly generated) and I have 2FA enabled. It required security questions to set up 2FA, but the answers are all random answers that has no relation to the question themselves.
- I've disabled ssh login for root. I have instead a new user that is in the sudo usergroup with a custom name. This is also protected by a different, strong password. I imagine this makes automated brute-force attacks a lot more difficult.
- I have set up fail2ban for sshd. Default settings.
- I update the system at the latest bi-weekly.
- Nextcloud is installed with the AIO Docker container. It gets a security rating A from the Nextcloud scan, and fails on not being on the latest patch level as these are released slower for the AIO container. However, updates for the container is applied automatically, and maintaining the container is a breeze (except for a couple of problems I had early on).
- I have server-side encryption enabled. Not client-side as my impression is that the module is not working properly.
- I have daily backups with borg. These are encrypted.
- Images of the server are also daily backed up on Linode.
- It is served by an Apache web server that is exposed to outside traffic with HTTPS with DNS records handled by Cloudflare.
- I would've wanted to use a reverse proxy, but I did not figure out how to use it together with the Apache server. I have previously set up Nginx Reverse Proxy on a test server, but then I used a regular Docker image for Nextcloud, and not the AIO.
- I don't use the server to host anything else.
Secure SSH. You should disable all password login capability and tighten the ciphers, KEX and MAC requirements. This will force modern SSH terminal use, something a lot of bots don't do, so they won't even get to the point of key exchange.
https://cipherlist.eu/
On your client, you can define an SSH config with a list of friendly host names that include direct IP addresses, the key to use to initiate login and whatever other properties you need. This way, you can just type in "ssh" and you don't need to specify the key or IP address every time.
Finally, configure Fail2Ban to ban/block on first failed SSH attempt. You won't be falling to login if you've configured a config definition file and are using keys.
Thanks for the tip. I will be looking into setting up SSH keys fairly soon, and look more into strengthening ciphers et al.
From a practical point of view, what is the likelihood of a brute-force login attempt to succeed? There are plenty of login attempts, but most of them are for root, and as I've disabled root-login that will fail no matter what. Other attempts are typically for generic other names such as 'admin', 'user' and 'test' that has no associated user on the server, as well as some weird choices that I can only imagine comes from some database breach.