Thinking of spinning up my own Nextcloud. How do I protect it ?
-
I'm gradually trying to move away from Big Tech (Protonmail instead of Gmail, Dropbox instead of Google Drive, NewPipe instead of YouTube on my phone, yada yada yada), primarily for privacy reasons. The next thing on my list would be cloud storage (in my case, not having to depend on Dropbox, as in 'not my hard drives, not my data', plus the added bonus of no peeking eyes) and to spin up my own Nextcloud.
How would I go about protecting the exposed TCP port from various attacks on my pfSense? I'm far from being a network wizard, so the only (basic) scenario I have in my head is to port forward to my NAS that has the Nextcloud instance running, and I haven't got a clue what possible solutions are available for this scenario.
Thanks in advance for any replies.
-
Hello!
On pfSense I run pfBlocker and use GeoIP to fence out the regions I don't want making connections. I also use Snort with IP-based rules and reputation blocking to deny connections no matter where they come from. Snort's content-based rules are of diminishing value in an encrypted world, but they still catch quite a few inbound issues. Not nearly as many as the IP-based rules, though.
On Nextcloud I use 2FA for critical accounts.
Netgate runs a Nextcloud server to deliver their firmware updates to customers. Maybe they will share... :)
John
-
@threeeyedfish Use a VPN and don't expose your NC to us.
-
Yup, use a VPN to access it if you can.
-
Wait, what? Nextcloud on a router?
Please do not make such mistakes as running anything related to file sharing on routers. This is the path to being hacked. If you really need personal file sharing, better to set up TrueNAS inside your home network and connect to it through a VPN.
If you really need file sharing that can be accessed not only by you, set up Nextcloud or ownCloud on TrueNAS, set up HAProxy on pfSense, and set up strict connection rules that allow only share links. Because all sharing projects like Nextcloud/ownCloud, QNAP, Synology are so dumb and use the same URL and the same port for share links and for the admin access panels. And we have tons of hacked file servers on the net.
Technically, with HAProxy on pfSense it's OK to use QNAP and Synology, just never use their file sharing services like myQNAPcloud, and make sure that you have disabled any access from the cloud to your file server.
-
@ssh4net I do not see a reference to running Nextcloud on the firewall. I also do not see an ask as to where to run it. Maybe the OP is like me and does not like to run VMs on NAS systems.
-
@stephenw10 @Bob-Dig You mean set up an OpenVPN server on my pfSense box, right? (UDP connection, I assume.) At least that was what I had in mind. It's only for personal use; nobody else needs to access it. The only annoying thing is my phone. I use ProtonVPN on it, but at least to my knowledge I'm not able to use two VPN connections at the same time, and switching to save and back up stuff is a pain in the butt.
@Bob-Dig What does 'NC' stand for?
-
@andyrh Oops, you're right. Missed that the OP asked about a NAS inside the network.
-
@threeeyedfish said in Thinking of spinning up my own Nextcloud. How do I protect it ?:
> You mean set up an OpenVPN server on my pfSense box, right?
Or WireGuard.
> but at least to my knowledge I'm not able to use two VPN connections at the same time
That's true. You could policy route your own VPN through the VPN service if it is available on pfSense.
Lately I don't do it like this anymore because I noticed some connectivity problems with real-time apps like messengers while using any VPN on the phone. But if those apps are not a top priority for you, you can still do that.
> What does 'NC' stand for?
Should be Nextcloud.
-
So you have a couple of options:
• Set up any VPN on pfSense or your NAS and use it to reach the file sharing (Nextcloud) service.
• Set up Nextcloud behind nginx on the NAS and set up correct access policies in nginx: public access only to share links, with all other access (admin/sharing) only from the local network or VPN IPs.
• Set up Nextcloud on the NAS and HAProxy on pfSense, and do the same as above but on the HAProxy side.
The last two options are pretty complicated and require good knowledge of nginx or HAProxy configs.
There is no way to limit a file sharing service only on the firewall/NAT. If you open access to share links, you automatically open access to the admin panel. You must understand that almost all hacked and cryptolocked NASes on the web were hacked through file sharing services that expose the whole file sharing service to the web. And you need to limit unrestricted access to only file shares. Any links that do not fall into the allowed category should be dropped without any access to the Nextcloud server.
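Added example (not from the thread or from any poster) of the "share links only, everything else from LAN/VPN" policy described in the second and third options above, written for nginx on the NAS. It assumes Nextcloud listens on 127.0.0.1:8080, the LAN is 192.168.1.0/24, the pfSense VPN tunnel network is 10.8.0.0/24, pfSense only port-forwards 443 to nginx (so the client address is real), and `cloud.example.net` and the certificate paths are placeholders. The list of public paths is an assumption about what a share page needs and must be tuned against your Nextcloud version.

```nginx
# Added example, not the thread author's config. Assumptions (adjust to your setup):
#   - Nextcloud (e.g. the NAS's own container) listens on 127.0.0.1:8080
#   - LAN is 192.168.1.0/24, the pfSense VPN tunnel network is 10.8.0.0/24
#   - pfSense only port-forwards 443 to this nginx, so $remote_addr is the
#     real client address (no X-Forwarded-For trust needed)
#   - cloud.example.net and the certificate paths are placeholders

# 1 if the client comes from a network that may reach everything (login, admin, sync).
geo $trusted_client {
    default         0;
    192.168.1.0/24  1;   # LAN
    10.8.0.0/24     1;   # VPN tunnel network
}

# 1 for the paths an anonymous visitor needs to open a share link.
# The exact set depends on the Nextcloud version: start with this list,
# watch the 403s in the access log, and add only what a share page actually requests.
map $request_uri $public_path {
    default                                                0;
    ~^/(index\.php/)?s/[A-Za-z0-9]+                        1;  # /s/<token>, /s/<token>/download, password prompt
    ~^/(index\.php/)?apps/files_sharing/                   1;  # public previews and share-page assets
    ~^/public\.php/                                        1;  # public WebDAV that clients use on share links
    ~^/(index\.php/)?(core|dist|js|css|svg|apps/theming)/  1;  # static assets that render the share page
}

server {
    listen 443 ssl http2;
    server_name cloud.example.net;
    ssl_certificate     /etc/ssl/certs/cloud.example.net.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/cloud.example.net.key;

    access_log /var/log/nginx/nextcloud.access.log;

    # Default deny: the request must come from a trusted network OR be a share-link path.
    # "set" and "return" are the directives that are safe to use inside "if".
    set $allow 0;
    if ($trusted_client) { set $allow 1; }
    if ($public_path)    { set $allow 1; }
    if ($allow = 0)      { return 403; }   # rejected here; Nextcloud never sees the request

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;             # do not cap uploads at the proxy
    }
}
```

Check it from outside the LAN/VPN with two requests: `https://cloud.example.net/index.php/login` (and `/remote.php/dav`, which the sync client uses) must return 403, while `https://cloud.example.net/s/<token>` for an existing share must return 200; from the VPN both must return 200. That matches the thread's own model: the login page, admin panel and sync endpoints are reachable only through the tunnel, and an attacker scanning the port sees nothing but 403 unless they already hold a share token. If you prefer the third option and put HAProxy on pfSense in front instead, the same policy is two ACLs, roughly `acl share_link path_beg /s/ /index.php/s/ /public.php/` and `acl trusted src 192.168.1.0/24 10.8.0.0/24` with `http-request deny if !share_link !trusted`; in that layout nginx no longer sees the real client address, so the `geo` block must be told to trust the proxy's X-Forwarded-For (`set_real_ip_from`/`real_ip_header`, or the `proxy` directive inside `geo`) or it will treat every request as coming from pfSense.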