Block Admin from Internet in Nextcloud

Axel · April 15, 2020, 10:15am

NethServer Version: 7.7
Module: Nextcloud

Hello Guys

thx for your help and support.
I like to exclude the Nextcloud Admin form the (dangeros) internet. I will config the Nextcloud only internal networks ?
Is tha possible ?
thx Axel

danb35 · April 15, 2020, 10:46am

I don’t believe there’s a built-in way to do this. There’s a Nextcloud app to restrict login by IP address, but it doesn’t appear to discriminate between admin and other users. You could try enabling two-factor authentication for the admin as an additional security measure.

Axel · April 15, 2020, 11:08am

Thx Dan

hope it is poosible to hav two-factor only for the admin

danb35 · April 15, 2020, 11:20am

2FA, IIRC, can be enabled user-by-user.

stephdl · April 15, 2020, 12:02pm

and use a strong password
P,=R7GI|i&lV*D}nz]gUWuQ9

transocean · April 15, 2020, 12:13pm

Moin Axel,

i have solved the problem here as well and that by a strict password and 2FA. In the firewall I restricted the access to Nextcloud to IP’s from Germany.

Regards…

Uwe

danb35 · April 15, 2020, 12:43pm

That’s something you can also do in Nextcloud itself–but it affects everyone, not just the admin.

Axel · April 15, 2020, 12:54pm

I didint understand the programers everybody deed a solution for this problem

pike · April 16, 2020, 1:44am

Sometimes the Admin is located into internet… For an hosted Nextcloud installation.
Maybe as option can be activated on Nextcloud (so get in touch with Nextcloud)

Axel · April 16, 2020, 10:23am

thx pike i will try and report news

I do not find a solution now. But with a fault my Nextclud admin cant be conneted from Internet …
I want to do this

config setprop nextcloud TrustedDomains sub.domain.de
signal-event nethserver-nextcloud-update

but i am doing this

config setprop nextcloud sub.domain.de
signal-event nethserver-nextcloud-update

than i try
config setprop nextcloud TrustedDomains sub.domain.de
signal-event nethserver-nextcloud-update
again

now Nextcloud admin is excludes from login out of external networks

???

I dind know why but can be helpfull
config show nextcloud
nextcloud=configuration
TrustedDomains=sub.domain.de
VirtualHost=
Wellknown=disabled

royceb · April 23, 2020, 2:29pm

Surprised Fail2ban hasn’t come up. I use it on everything even with 2fa as it can also shoot out an automated email when something is placed in a jail.

Axel · April 23, 2020, 2:31pm

no fail2an now is one of the next steps

2fa is better like fido2

but was no time to try

mrmarkuz · April 23, 2020, 4:18pm

Nextcloud let’s you login to trusted domains only. So if you only use an internal domain or IP address as TrustedDomain nobody can login from outside anymore. It’s not possible for a specific user like admin.

http://docs.nethserver.org/en/v7/nextcloud.html#trusted-domains

I found that you could block out admin with apache rewrite (didn’t test):