Install and secure your NextCloud server with CrowdSec
How to install and secure a Nextcloud instance with CrowdSec.
Nextcloud is an extensible collaborative drive and office tool meant to replace traditional office suites and drives such as GSuite and Microsoft 365. The focus is on privacy, with a tool that is easy to self-host.
CrowdSec is a collaborative security solution based on the principle of analysis and the correlation of application logs. All servers running CrowdSec make it possible to collect intruder signals, block them and report them to the rest of the community. This means that all users benefit from quality protection (from the crowd) and all this for free.
Here is the architecture of our Nextcloud stack.
The CrowdSec container has the reverse proxy's logs as well as the Nextcloud logs mounted into it. Reading both is what gives it the ability to detect attacks.
The purpose of the Openresty container is to route user requests to the Nextcloud container. It interacts with CrowdSec via the local API and is able to mitigate threats from malicious requests by blocking them or forcing them through a captcha challenge.
The certbot container obtains certificates for free from the Let's Encrypt service. It also handles the challenges required for those certificates to be issued.
Finally, the Nextcloud and Database containers ensure the operation of the Nextcloud service.
By going through the docker-compose.yml file, you will notice two more containers (Redis, Cron). Redis is an in-memory database used by Nextcloud to quickly store information. Cron is a tool to automate maintenance tasks.
Volumes are also mounted to allow data exchange between containers through the file system.
You will need a reCAPTCHA v2 API key, requested from Google's reCAPTCHA website, as well as a domain name that already points to your VPS.
For this example we will use a virtual machine running Debian 11 with the following configuration:
- 2 vCPUs
- 2 GB RAM
- 100 GB of disk space (or whatever your Nextcloud instance requires)
Once our server is freshly installed, we connect to it via SSH using the root account.
First of all, we create the user bob.
We then provide suitable privileges:
Now add this line:
And finally, we harden the SSH server by modifying its configuration:
We then update the VM:
Next, we set up automation to install security updates using the unattended-upgrade package.
To protect against external threats, it is important to close all unnecessary ports on our server. For that we install iptables and use ufw to manage it.
Once installed, we open the following ports:
- 22 to allow SSH connections
- 80 to allow HTTP connections
- 443 to allow HTTPS connections
Opening the ports:
When the configuration is done we enable the firewall:
Redis requires just a small change to a Linux kernel setting:
With our OS now being up to date, we install docker and docker-compose to be able to manage the containers that will run the Nextcloud stack.
Starting up the stack
Before cloning the example repository, we install git.
We clone the repository containing the configuration files.
We must now edit the files so that they work with our configuration. We replace every example.org field with our domain and add strong passwords to the .env file.
Once all the files have been created and edited, we deploy our stack.
Once the stack is successfully started, we’ll generate a token for our bouncer so we can add it to CrowdSec.
Add the token to the file /crowdsec/crowdsec-openresty-bouncer.conf.yaml
Restart the bouncer:
For more security, it is recommended to switch to the HTTPS protocol by adding a domain name and a TLS certificate.
Once our stack is started, we can request a certificate with the following command.
Make sure to replace example.com with your domain name
Once the certificate has been obtained, we edit the .conf/ file by adding these lines at the end of the file.
Again, make sure to replace example.com with your domain name
We restart our reverse-proxy one last time:
You can test the blocking capabilities of CrowdSec by manually adding a ban or captcha rule.
Result of blocking by captcha
Result of blocking by ban
To test automatic detection, we try to log in as 5 different users. On the 5th attempt the enumeration is detected and an immediate blocking decision is applied.
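The detection behaviour just described, as an added example that is not part of the original article nor of CrowdSec's own Nextcloud parser: a small Python script that reads nextcloud.log entries (a constructed sample is embedded, trimmed to the fields used) and flags any source IP that fails to log in as 5 or more distinct users inside a time window, which is the pattern the enumeration test above triggers. The exact log layout, the threshold and the window are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nextcloud.log excerpt (one JSON object per line, trimmed to the
# fields used here). The "Login failed" message mirrors what Nextcloud writes
# on a bad credential attempt; the IPs and user names are made up.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:01+00:00","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')"}
{"time":"2024-05-01T10:00:03+00:00","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.5')"}
{"time":"2024-05-01T10:00:05+00:00","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')"}
{"time":"2024-05-01T10:00:06+00:00","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'carol' (Remote IP: '203.0.113.5')"}
{"time":"2024-05-01T10:00:09+00:00","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')"}
{"time":"2024-05-01T10:00:10+00:00","remoteAddr":"203.0.113.5","app":"cron","message":"Finished calendar reminder job"}
{"time":"2024-05-01T10:00:12+00:00","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'dave' (Remote IP: '203.0.113.5')"}
{"time":"2024-05-01T10:00:15+00:00","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')"}
{"time":"2024-05-01T10:00:20+00:00","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'erin' (Remote IP: '203.0.113.5')"}
"""

LOGIN_FAILED = re.compile(r"Login failed: '(?P<user>[^']+)' \(Remote IP: '(?P<ip>[^']+)'\)")


def parse_failed_logins(lines):
    """Yield (timestamp, source_ip, attempted_user) for each failed-login entry."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        match = LOGIN_FAILED.search(entry.get("message", ""))
        if match is None:
            continue  # not a login failure (e.g. cron noise)
        yield datetime.fromisoformat(entry["time"]), match["ip"], match["user"]


def detect_user_enumeration(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted distinct users} for every source IP that failed to
    log in as at least `threshold` different users within a sliding `window`.
    Repeated failures on the same account do not count towards the threshold."""
    attempts = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, ip, user in parse_failed_logins(lines):
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[ip] = sorted(users)
                break
    return flagged
```

In the sample, 203.0.113.5 tries five different accounts and is flagged, while 198.51.100.7 repeatedly fails on the single account bob and is not, which is the distinction between enumeration and a plain wrong password.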
In this configuration, our Nextcloud instance is exposed to the internet. It is protected by CrowdSec and blocks intrusion attempts automatically.
Let’s Encrypt SSL certificates expire every 3 months. Here is the procedure to regenerate them.
These resources helped me write this article.
- Install Docker Engine on Debian
- Install Compose V2
- Image Crowdsec
- Image Openresty
- Crowdsec Documentation
- Configure HTTPS with Nginx, Let's Encrypt and Docker (in French; original title: Configurer HTTPS avec Nginx, Let's Encrypt et Docker)