I have had a NextCloud up & running for a few weeks thus far and haven’t had any problems. The reason I can’t just connect to it via vpn is that I want to share links of files with other people. I always keep the system up to date and I think I configured nginx correctly. I have blocked all requests to ports other than 80 and 443, but the firewall is still not the best right now: someone can send many requests in a short timeframe. I have also used tools like pentest-tools.com and some others, but those say that there are no major vulnerabilities. I also keep track of logs with a tool called logwatch. Any tips and tricks or resources (articles, videos, etc) would be much appreciated. Or maybe you want to know more about my setup. I know that NextCloud can be really secure if everything is done right!

  • tabris
    43 days ago

    If you have a domain name set up, I’d recommend using Swag as your gateway. It’s a hardened nginx with lots of preconfigured samples that make it feel very plug and play. I got SSL with Let’s Encrypt set up in minutes. My next task is adding SSO to my setup.

    If you’re using docker to run your apps, use a network with only swag on it that can connect via port 80 and 443, and put your other apps on a separate network that isn’t public, swag also there and let it do its proxy thing. Run docker rootless, each container with a separate user, secrets fully secured, all that good stuff.

      • tabris
        22 days ago

        From a cursory look, as I don’t know NPM, Swag doesn’t require a database itself as all config is file based, and doesn’t have any user management. Both seem to be nginx based with Fail2Ban installed, there’s probably some other differences.

        What I like about Swag is that with my config checked into a git repo and an act runner set up, I can reconfigure swag on the fly, with a rollback, as it’s just a case of pushing an update to the repo and letting the runner pull changes and restart the container. It works very well for how I want things set up.
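The network split tabris describes (only the proxy on a network that publishes 80/443, the app and its database on a non-public network, secrets from files) written out as a Compose file. This is an added example, not configuration from the thread or from the Swag project; the service names, image tags, host paths and the domain are assumptions.

```yaml
# Added example: swag is the only service with published ports and the only
# one on the "edge" network; nextcloud and db are reachable solely over the
# internal "backend" network, which has no route to the outside world.
services:
  swag:
    image: lscr.io/linuxserver/swag
    cap_add:
      - NET_ADMIN               # used by the bundled fail2ban
    environment:
      - PUID=1000
      - PGID=1000
      - URL=cloud.example.com   # placeholder domain
      - VALIDATION=http
    volumes:
      - ./swag:/config          # nginx site configs live here (git-tracked)
    ports:
      - "80:80"
      - "443:443"
    networks: [edge, backend]
    restart: unless-stopped

  nextcloud:
    image: nextcloud:stable
    environment:
      - MYSQL_HOST=db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
    volumes:
      - ./nextcloud:/var/www/html
    networks: [backend]         # no "ports:" here; only swag can reach it
    secrets: [db_password]
    restart: unless-stopped

  db:
    image: mariadb:11
    environment:
      - MARIADB_DATABASE=nextcloud
      - MARIADB_USER=nextcloud
      - MARIADB_PASSWORD_FILE=/run/secrets/db_password
      - MARIADB_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
    volumes:
      - ./db:/var/lib/mysql
    networks: [backend]
    secrets: [db_password, db_root_password]
    restart: unless-stopped

networks:
  edge: {}                      # the only network that publishes host ports
  backend:
    internal: true              # containers here get no external route

secrets:
  db_password:
    file: ./secrets/db_password.txt
  db_root_password:
    file: ./secrets/db_root_password.txt
```

With `internal: true` the Nextcloud container cannot reach the internet on its own, so app-store updates or external storage backends would need an egress proxy or a third network; that trade-off is the point of the split.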

  • @[email protected]
    3 days ago

    Unless you need random public access, move the ports to something other than 80/443 to high ports above 10k or so. That will cut random internet scans down considerably as most are just basic connection scans to common ports. It doesn’t stop everything, but your logs will thank me. Security by obscurity is just a parlor trick, but it has its uses.

    If you don’t want to do that, you can still limit connections with something like Suricata. It absolutely is an extra step and is another point of failure.

    For your firewall, limit what it responds to if you haven’t already. You can have conditions where it may respond with an ICMP destination unreachable when a scanner says “hi” to a closed port. This is good in normal circumstances inside of a network, but the open internet is not a normal place.

    Moving traffic to weird ports and hampering ICMP may introduce weird problems in itself, but nothing that would be completely fatal to a connection. (Web browsers and other apps will walk up through high ports for response ingress. In some cases, this could cause an issue when using high ports for new connections. It really depends on the firewall and its configs.)

    But, feel free to keep raw-dogging the open internet. All software is super secure until it isn’t, and that sucks.