Is Nextcloud access secure from outside?

nextcloud

(Michael Träumner) #1

Some user asked for changing port 443 for external access to nextcloud. This started a discussion between @danb35 and me of security options.

Because this discussion would get a little bit off topic I start a new one.

I advised the user to use VPN. But an answer of Dan made me thinking.

@dev_team and of course all others:
Is the access secure without doing anything else?


(Giacomo Sanchietti) #2

The only secure thing is a powered off machine. :smiley:

Nextcloud has been created to be publicly exposed, AFAIK no critical CVE has been discovered recently: https://nextcloud.com/security/advisories/.

But is it secure enough? It depends on your needs, if you’re a military grade company I’d say no.
If you’re a normal company, I’d say yes.
You need always to find a good balance between security and You need always to find a good balance between security and usability/accessibility.

Also, remember that nowadays you can’t even trust your CPU: https://zombieloadattack.com/


(Dan) #3

Really, I think, there are a few related questions:

  • How secure is Nextcloud itself?
  • How secure is the software Nextcloud needs to run (Apache, PHP, MySQL/MariaDB, etc.)?
  • How secure is the Apache (and other relevant software) configuration in Neth?
  • How secure is the user’s installation?

On the latter point, if the root password is “12345”
image
…the system’s going to be pwned in short order. Similarly, if users have weak passwords, they can’t expect that their data will be safe. This can be enforced, to a degree, by the admin with a password policy, but is ultimately up to the users. So, the real question is points 1-3.

To point 1, AFAIK, there are no known vulnerabilities in Nextcloud, and it’s pretty widely used, including by many major organizations. This carries forward to point 2, at least with respect to PHP (they could be using different webservers and/or DBMSs, but you can’t run Nextcloud without PHP).

This brings us to point 3, which is the only one under the control of the Neth devs: how secure is the default Neth configuration of Apache/MariaDB/PHP/Nextcloud? There are lots of factors in this, of course, and the only one I can speak with any confidence about is the TLS configuration (which is pretty good). AFAIK, Neth is designed and reasonably secured to be deployed as a public-facing web server. If this is not the case, it needs to be fixed. But if it is (as I understand it to be), a system with Nextcloud should be reasonably secure for most purposes.

That’s a long way of saying that I don’t think there’s a reason to be recommending VPNs, isolated networks, or other abnormal measures in the usual case.

I’m not a fan of using non-standard ports, particularly as a security strategy–I figure an attacker will use a port scanner anyway, so they don’t really hide anything. On the other hand, they can cause conflicts or incompatibilities with other software. Now, if you’re stuck behind a user-hostile ISP that blocks common server ports, you may need to do this anyway, but it shouldn’t be considered a security strategy.


(Axel Urbanski) #4

I am using opvn and Wireguard to acess my internal Nextcloud and SOGo.
Than you have doubel securety…