So, you’ve setup NextcloudPi. How do you harden it?
Please help expand these sections. This is not a perfect formula by any means, but suggestions follow. The best security is to never put sensitive data online.
“We have an illusion of security, we don’t have security. But, we can still have best practices.”
- Change your admin username
ncp is the default username. Change this to something else.
- Create a user for yourself that is not the admin
user account should not have administrative access to your device. This is a good security practice, plus you can still allow your user to receive administrative notifications under Settings.
- Force Two Factor Authentication for all users
Require all users setup Two Factor Authentication. See the appstore for many available options regarding SMS, TOTP, Telegram, Signal, Email, other Nextcloud Devices, etc.
- Disable the webui.
$ sudo ncp-configfrom the command line via a TTL serial USB cable or SSH.
- Enable fail2ban – included in curl script. Must be manually configured in Docker.
Automatically black list any user attempting to brute force access to your device over SSH.
- Disable SSH Passwords
- Switch to RSA public/private key cryptography. There are many guides online.
- Passwordless SSH increases security and attackers will still be prompted for a password.
- Make sure to successfully test your keys after setting them up. 😉
- Restrict Login by IP app – only allow exact IP addresses to login.
- Brute Force app – Black list users with multiple failed login attempts.
- GeoIPblocker app – Disable login access by IP Address location. Define whitelists or blacklists by country of origin.
Please note that updating Nextcloud causes incompatibility within the appstore, which will sometimes disable apps entirely as part of the update process. Any app from the Nextcloud appstore can break or be automatically disabled during updates if it is not compatible with the version you are installing.
If NextcloudPi is located in your home or somewhere local
- Place NextcloudPi on a subnet
- Isolate your device from other traffic on your network via your router. This will stop guests from accessing it on your local area network.
- Add Two Factor Authentication to your literal device.
- Here is guide for adding 2fa to a Raspberry Pi device.
- Armbian 2fa is added from
$ sudo armbian-config
- You’ll need to store your Two Factor codes in an authentication app, or within a Password Manager as OTP.
- Disable SSH if device is physically accessible and you own a TTL serial USB cable, around $5 – $10, to physically login to your device. This cable simulates a keyboard interface using GPIO pins.
- Do not disable SSH until you have a different method in place for interacting with your device.
- Encrypt /data directory using Full Disk Encryption, eg. LUKS
- Route all traffic through Wireguard or OpenVPN using PiVPN
- Negates the need for port forwarding.
- Securely share any number of services from your local area network.
- Breaks all sharing and guest functionality since all access will require your explicit OpenVPN certificates or Wireguard authentication before gaining Nextcloud access.
- or, Keep your device localhost only
- Simply do not bother to port forward or externally access your Nextcloud. Stick to only accessing it from your local area network.
- For external access join a hosted Nextcloud service provider and federate that to your localhost instance. This way you can always tell what data you’ve made public because it is kept on an entirely different Nextcloud instance.