Open NextCloud to the Internet? Security?

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Ok,
So I've got my FreeNAS (9.10.2-U6) running, with a few jails. The latest is NextCloud.
I've got it all working as it should, but now I am thinking about accessing it from the Internet.
Doing it is simple, just port forward in my router. But that just doesn't feel very safe.
How do people achieve security in doing this? Does FreeNAS offer something like a DMZ for jails? (However that would work.)

And if I put the NextCloud server in a DMZ, that raises another question:
I intend to use NextCloud as a way of accessing the shares on my FreeNAS filesystem. I've added them as external storage.
They would become inaccessible from a DMZ, correct?

I do have another jail running OpenVPN, so it is possible to access NextCloud from the outside, but what if I want to share content with other people?

Any ideas?
 

nojohnny101 (Wizard, joined Dec 3, 2015, 1,478 messages)

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Yes I have. Both here on the forum and on Google. But all I've found is how to achieve access from the Internet, not so much about the security aspect of it all. If someone could give me some pointers, I would really appreciate it.
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages)

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Thanks, but not exactly what I'm looking for. I already have SSH and OpenVPN set up on my FreeNAS. I'd like to be able to log in to NextCloud from anywhere on the Internet without tunneling/certificates etc., but still keep all the data safe from attacks and hacking attempts.

In my head I have two scenarios:

Either I don't open any additional incoming ports, and am only able to use NextCloud over OpenVPN.

Or, I open a port to the Internet, and can reach NextCloud freely. But then it, and my FreeNAS, are open to attacks.
Is there a way to "get the best of both worlds" here?

If only my registered NextCloud users are going to be accessing, OpenVPN is fine. But I'd like to be able to share content (send a download link) to someone who cannot log in to my NextCloud server, who would then only be able to download the folders/files shared in said link. Is that even possible?
 

LotLits (Dabbler, joined Apr 10, 2015, 30 messages)
I don't think there's really a fix for the second option. I guess you might be able to set up something like fail2ban to block brute-force attempts (never tried myself).

Otherwise, you're probably as secure as you're going to get if you open the server up to the internet. I'd recommend using a nonstandard port on your router that forwards to 443. Will help at least a bit.
 

scrappy (Patron, joined Mar 16, 2017, 347 messages)
Unless you plan on using SSL certificates with your Nextcloud server, DO NOT expose it to the WAN. I'd suggest reading up on running Nextcloud w/SSL on a VPS. Sources such as Digital Ocean should have some decent tutorials. More specifically, read up on HTTPS configuration in the Apache/Nginx web server. If you cannot follow this then you're not experienced enough to safely expose your Nextcloud instance to the Internet.
 

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages)
As soon as you expose anything to the internet, you have to accept and assess the risk. I've been running ownCloud in a FreeNAS jail for a good few years now, and over time have gradually increased the security as I understood more about things. For a short time at the beginning I was simply forwarding a port on my router to the jail. I then added a self-created SSL certificate and, when that started being rejected by some browsers, moved to using a cheap one from Comodo. I also added in Fail2ban protection, blocking IP addresses for 10 minutes after 3 failed attempts. I also added 2FA when that became an option in ownCloud. When I decided to expose a few other services, I set up an NGINX reverse proxy in a jail and started to use Letsencrypt/certbot to generate each of the SSL certificates. Over time I've hardened the NGINX config so everything can only be connected via SSL and achieves an A+ score on SSLlabs. I'm sure if someone really wanted to break in, they probably could, but hopefully I've done enough to make it difficult enough that they might find an easier target.

I recently signed up for an Ethical Hacking course on Udemy as I wanted to learn some of the skills so I can try and find out just how easy or difficult it might be for someone :D
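The fail2ban idea raised by LotLits and the "10 minutes after 3 failed attempts" policy in the post above come down to one decision: count failed logins per source address inside a sliding window. The following is an added illustration, not code from this thread, the linked guide, fail2ban or Nextcloud, that makes that decision over nextcloud.log records. The log lines are constructed for the example; the "Login failed: 'user' (Remote IP: 'addr')" message text is the form Nextcloud writes and is what the commonly published fail2ban filter for Nextcloud matches. It needs Python 3.7 or newer for the "+00:00" offset in strptime.

```python
"""Decide which addresses a fail2ban-style rule would ban from Nextcloud's log.

Added, stand-alone illustration; not code from this thread, the linked guide,
fail2ban or Nextcloud.  It applies the policy from the post above (ban an IP
after 3 failed logins within 10 minutes) to nextcloud.log records.  The JSON
lines below are constructed for the example.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same idea as the published fail2ban filter: take the client address from
# the message text, not from whoever opened the TCP connection.
LOGIN_FAILED = re.compile(
    r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)")


def parse_line(line):
    """Return (timestamp, ip, user) for a failed-login record, else None.

    Anything that is not JSON, or is JSON without a failed-login message,
    is ignored rather than raising: real log files contain plenty of both.
    """
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    m = LOGIN_FAILED.search(rec.get("message", ""))
    if m is None:
        return None
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S%z")
    return ts, m.group("ip"), m.group("user")


def find_bans(lines, maxretry=3, findtime=600):
    """Map each banned IP to the time of the failure that triggered the ban.

    A sliding window of `findtime` seconds per IP mirrors fail2ban's
    findtime/maxretry: failures older than the window are forgotten, so a
    slow guesser (one try every 11 minutes) is NOT caught here, just as it
    is not caught by fail2ban with these settings.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in bans:
            continue  # already banned; fail2ban would be dropping its packets
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def _record(time, message):
    """Build one constructed nextcloud.log line (fields as Nextcloud 12 writes them)."""
    return json.dumps({"reqId": "x", "level": 2, "time": time, "remoteAddr": "10.0.0.2",
                       "user": "--", "app": "core", "method": "POST", "url": "/login",
                       "message": message})


# Constructed sample: one attacker hammering admin, one user mistyping slowly,
# and a line of garbage to show the parser skipping it.
SAMPLE_LOG = [
    _record("2017-12-10T21:00:00+00:00", "Login failed: 'admin' (Remote IP: '203.0.113.5')"),
    _record("2017-12-10T21:01:00+00:00", "Login failed: 'root' (Remote IP: '203.0.113.5')"),
    _record("2017-12-10T21:02:00+00:00", "Login failed: 'alice' (Remote IP: '198.51.100.7')"),
    _record("2017-12-10T21:03:00+00:00", "Login failed: 'admin' (Remote IP: '203.0.113.5')"),
    _record("2017-12-10T21:20:00+00:00", "Login failed: 'alice' (Remote IP: '198.51.100.7')"),
    _record("2017-12-10T21:21:00+00:00", "Login failed: 'alice' (Remote IP: '198.51.100.7')"),
    "not a json line at all",
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print("ban %s (third failure at %s)" % (ip, when.isoformat()))
```

Only 203.0.113.5 is banned: alice's first failure at 21:02 has fallen out of the window by 21:20, so her two later mistakes do not trip the rule. One caveat when the NGINX reverse proxy from the post sits in front of the jail: Nextcloud has to be told about it (`trusted_proxies` in config.php) so the address it logs is the client's; otherwise every failure carries the proxy's address and the first ban locks everyone out.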
 

garm (Wizard, joined Aug 19, 2017, 1,556 messages)
Security is a chain; any weak link and you run the risk of being exploited. You need a secure web front end. Don't expose your backend or storage to the internet directly. Read everything you find on security on the components you choose to use. Personally I never allow unrestricted WAN traffic to pass my house firewall. All traffic I do allow comes from trusted sources or my own front ends.

No one can tell you what switch to throw in a forum. You need to design an infrastructure yourself that is reasonably safe.
 

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Ok,

I realise I have some reading up to do. Thanks everybody for all the info. You've really given me something to think about.
Will explore this further, if and when I have the time. Until then, I am keeping it safe and secure behind my OpenVPN.
 

onur (Dabbler, joined Feb 16, 2016, 14 messages)
you can follow the guide @ https://forums.freenas.org/index.ph...3-on-freenas-11-with-all-checks-passed.58634/

I updated the plugin to Nextcloud 12 (it was created on FreeNAS 9 and was stuck at version 10) with this guide. You can use Letsencrypt or your own SSL at 4096 (TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher)).

And if you can put a firewall ipconfig or pfsense before the freenas it will be better.

Nextcloud 12 has a built-in bruteforce mod.

ohh BTW you can check the setup security with https://scan.nextcloud.com/
 

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Thanks! That seems like a really good guide. Haven't gotten all the way through yet, ran into some other problems. I cannot get SMB working.
I am running FreeNAS 9.10.2-U6 and NextCloud 12.0.4 on a standard jail (with php 7.0). I have an error message saying that smbclient is not installed. I've tried installing samba, thinking smbclient may be part of that, but that didn't help. I tried installing the pecl-smbclient, but that will downgrade my php 7 to 5.6. Does anyone know how to achieve SMB support on NextCloud 12.0.4 with PHP 7.0?
 

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Solved it!
Simple. I just ran this:
Code:
make config-recursive install -C /usr/ports/net/pecl-smbclient


and then
Code:
service apache24 restart


and now it works! Now onto the security part of the guide. Will come back with results.
 

dnilgreb (Contributor, joined Mar 29, 2016, 168 messages)
Finally, it is done. Letsencrypt installed, certificate in place and works. The guide found at https://forums.freenas.org/index.ph...3-on-freenas-11-with-all-checks-passed.58634/ really did the trick. A few hiccups along the way, will give more details in that thread.
So, now that I have SSL in place, and https://scan.nextcloud.com/ gives an A+, does that mean it is reasonably safe to have ports 443 and 80 open to the Internet? 80 redirects to 443. Should I close 80? Does it matter?
What is everybody's opinion on this?
 

onur (Dabbler, joined Feb 16, 2016, 14 messages)
I am glad it worked. Even letsencrypt offers you to forward 80 to 443 automatically, so opening both ports and forward 80 to 443 should not be a problem. Almost all of the websites use this feature.

One more thing: it is better to follow @Nextclouders for any security update (of course with @FreeNASTeam ;-)
 

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
dnilgreb said:
Finally, it is done. Letsencrypt installed, certificate in place and works. The guide found at https://forums.freenas.org/index.ph...3-on-freenas-11-with-all-checks-passed.58634/ really did the trick. A few hiccups along the way, will give more details in that thread.
So, now that I have SSL in place, and https://scan.nextcloud.com/ gives an A+, does that mean it is reasonably safe to have ports 443 and 80 open to the Internet? 80 redirects to 443. Should I close 80? Does it matter?
What is everybody's opinion on this?

80 redirecting to 443 is a *good* thing as long as nothing of consequence is offered on 80.

Your SSL strength is almost irrelevant. That only affects the protection of your login details to get into your web server, and the data that's served up. To be sure it's good to protect that, but thinking that an A+ means you're all good is not true.

The threat model is whether or not you can break into the environment. A lot of the add-on doohickeys for web servers tend to be written in PHP. Can you subvert a web connection to get a shell? Can you get your scripting language of choice to do something bad and get you a shell?

All of the contributed FreeNAS jail environments I've seen are based off a base FreeBSD install, which means that /bin/sh is available, which is - for lack of a better term - stupid. If you can break into the FreeNAS jail and get a shell, you've got live access to the platform and might be able to break out of the jail or at least access the local network using the tools in the FreeBSD base distribution in the jail. The typical security of a hobbyist or enthusiast home network isn't particularly secure, so the biggest risk, in my professional opinion as someone who's been doing this for decades, is that someone compromises your web site and gets into your FreeNAS jail, at which point the threat possibilities multiply. Your A+ SSL score does *NOTHING* to protect you against that.

I was one of the earliest users of phk's jails and there is another design strategy available. It's a harder road, the road not usually traveled by enthusiasts, and that's building a jail environment that is jailed *without* the base FreeBSD system image. No /bin/sh. Etc. For things like BIND or Sendmail, this is actually pretty easy to do, and I consider it the gold standard for services that are exposed to the Internet. This is somewhat harder for a proper full webhosting environment, and quite frankly is probably beyond the skill set of most hobbyist/enthusiast users. I consider this to be a bit of a tragedy, as you can make the environment much more hostile to intruders.

The sadder bit is that I actually do have such a stack available, designed to create a professional web hosting environment that can run jailed. Unfortunately it is designed to run on a FreeBSD platform that's built to interoperate with it. I don't really have the time or inclination to figure out how to make it compatible with whatever FreeNAS is currently doing for jails.

So I guess I'm not real helpful, huh.
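The post above argues that what matters once the web tier is compromised is what an intruder finds inside the jail: /bin/sh, the rest of the FreeBSD base tools, and anything else that turns code execution into a foothold. Below is an added illustration, not code from this thread, FreeNAS or FreeBSD, that audits a jail root for exactly that: shells and scripting interpreters by name, setuid/setgid files, and executable scripts carrying a shebang. The tree it audits in the demo is constructed in a temporary directory; on a FreeNAS box you would point `audit_jail` at the jail's root (for example under /mnt/<pool>/jails/<name>, an assumed path that depends on your layout).

```python
"""Check a jail root for the escape tools the post above warns about.

Added illustration; not from the thread, FreeNAS or FreeBSD.  Walks a jail
root and reports (1) shells and scripting interpreters by name, (2) setuid
or setgid files, and (3) executable scripts with a shebang.  The demo tree
built by build_demo_jail() is constructed; the real path of a jail root is
an assumption that depends on your FreeNAS layout.
"""
import os
import stat
import tempfile

# Names that hand an attacker an interactive or scripted foothold.  php is
# listed on purpose: a Nextcloud jail cannot drop it, which is exactly why the
# post calls a full web-hosting environment the harder case.
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "dash",
                "perl", "python", "python3", "php", "ruby"}


def audit_jail(root):
    """Return {"interpreters": [...], "setuid": [...], "scripts": [...]}, paths relative to root."""
    findings = {"interpreters": [], "setuid": [], "scripts": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # A symlink named sh is as good as a copy of sh, so match the
            # name before deciding whether to look inside the file.
            if name in INTERPRETERS:
                findings["interpreters"].append(rel)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets: nothing to read
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid"].append(rel)
            if st.st_mode & 0o111:
                with open(path, "rb") as fh:
                    if fh.read(2) == b"#!":
                        findings["scripts"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_jail():
    """Create a constructed jail tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="jail-audit-demo-")

    def put(rel, data=b"\x7fELF", mode=0o755):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    put("bin/sh")                                              # should not be in a minimal jail
    put("usr/local/sbin/named")                                # the daemon itself: fine
    put("usr/bin/su", mode=0o4755)                             # setuid inside a jail: report it
    put("usr/local/bin/helper", data=b"#!/bin/sh\necho hi\n")  # script that needs a shell
    put("etc/rc.conf", data=b"named_enable=YES\n", mode=0o644)  # data, not code
    return root


if __name__ == "__main__":
    demo = build_demo_jail()
    for kind, paths in audit_jail(demo).items():
        print("%-13s %s" % (kind + ":", ", ".join(paths) or "none"))
```

A clean result for the BIND-style jail the post describes as easy is one where only the daemon binary, its shared libraries and its data files remain; the script finding is the useful one, because a shebang script silently drags the shell it names back into the jail's requirements.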
 

samuel-emrys (Contributor, joined Dec 14, 2018, 136 messages)