Nextcloud zero day security - eviltoast

What is everyone doing? SELinux? AppArmor? Something else?

I currently leave my nextcloud exposed to the Internet. It runs in a VM behind an nginx reverse proxy on the VM itself, and then my OPNSense router runs nginx with WAF rules. I enforce 2fa and don’t allow sign-ups.

My goal is protecting against ransomware and zerodays (as much as possible). I don’t do random clicking on links in emails or anything like that, but I’m not sure how people get hit with ransomware. I keep nextcloud updated (subscribed to RSS update feed) frequently and the VM updates everyday and reboots when necessary. I’m running the latest php-fpm and that just comes from repos so it gets updated too. HTTPS on the lan with certificates maintained by my router, and LE certs for the Internet side.

Beside hiding this thing behind a VPN (which I’m not prepared to do currently), is there anything else I’m overlooking?

  • beerclue@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    11 months ago

    Not only for Nextcloud, but I recommend setting up crowdsec for any publicly facing service. You’d be surprised by the amount of bots and script kiddies out there trying their luck…

    • thisisawayoflife@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      One of my next steps was hardening my OPNSense router as it handles all the edge network reverse proxy duties, so IDS was in the list. I’m digging into Crowdsec now, it looks like there’s an implementation for OPNsense. Thanks for the tip!

      • johntash
        link
        fedilink
        English
        arrow-up
        5
        ·
        11 months ago

        Iirc crowdsec is like fail2ban but blocks ips reported by other servers, not just ones attacking your server. Kinda like a distributed fail2ban I guess?

      • TwinHaelix@reddthat.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        11 months ago

        My recollection is that Fail2Ban has some default settings, but is mostly reactionary in terms of blacklisting things that it observes trying to get in. Crowdsec behaves in a similar vein but, as the name implies, includes a lot of crowdsourced rules and preventative measures.

      • Comptero@feddit.ch
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        In my understanding fail2ban will block ips if they are detected to do brutforce or use known exploits.

        Crowdsec will share this IP via a blocklist to all subscribte systems. You will benefit form the detection of other systems and not only your own.