Security on the nextbox

How secure is the next-box, considering the default setup without ssh access? I have tried to search online about running Debian with unattended upgrades, but have not found much. My concern is that the unattended upgrades seems to always be a bit behind of normal upgrades, or is it just the update timer to perform updates automatically (once a month, once a week?).
Another aspect of security is the update of the nextcloud app, on my device I see a warning to update from 21.0.0 to 21.0.6, I read somewhere here, that some updates are kept back because of bugs. In my ignorance I am following the rss feed of nextcloud then I read this article:

And it scares a bit of having the nextcloud not on the last stable version with those security alerts, so please enlighten my ignorance.
I must say that I am very thankful for the great product, although my poor knowledge.

Hey @bs02,

for Debian security updates, I believe there are numerous sources addressing your questions. Especially Debian -- Security Information and Debian -- Debian security FAQ will answer most questions. On the NextBox unattended-updates run every 4hours to check for Debian security updates and nextbox package updates, so there is next to no delay between actual fixes inside the Debian repositories and the package being updated on your NextBox.

As most similar questions this is incredibly hard to answer. But we built the NextBox with the target to be as secure as possible. The following factors are most important from our point-of-view:

  • Debian is known for stability, robustness and fast security updates (ensuring the latter with 4h unattended-upgrades)
  • Nextcloud is the only component open to the internet (ports 80/443) and is also know for high security and good defaults
  • ssh is running by default, but no password-logins are allowed and only key-based logins for non-root users are allowed by its configuration
  • only additionally nextbox-daemon has an open port, which strictly filters requests by the incoming ip, so even if it would be accidentally exposed (port-forwarded) the attack surface is minimal (we are already considering moving this to a unix-socket)
  • no other component/service/server is running on the NextBox (feel free to throw nmap on it), this means the attack surface is as minimal as possible

So overall, as always there is room for an even higher security, but I would consider this a fairly high security standard, (self-)hardening setup. Clearly the Nextcloud login procedure is a weak point, but this is up to you and 2FA for private data using e.g., a Nitrokey FIDO2 will ensure that even the login is on a high security level.

Thanks for making us aware of this release(-set), which was exactly the one we were waiting for. This means we can now update to at least 21.0.6 without hitting the (for us) critical bug: https://github.com/nextcloud/server/issues/27575

As always, this is not really happening in the right moment :wink: We are currently testing the next release addressing important remote access and certification renewal issues as reported in other threads: Nextbox lokal unbrauchbar? - #8 by moapp, Yet another IPv6/reachability issue - #2 by daringer, No automatic renewal of Let's Encrypt certificate - #16 by Rhaban

I hope that this will be released soon™, there are quite elementary mechanisms which are updated here and we would like to not mix that with a (updated) Nextcloud release … So once this release is out, we’ll directly start testing an “only Nextcloud update” release and deploy this asap … currently my impression is that we’ll directly jump onto the Nextcloud version 22.2.2 (which was also already released), if testing shows no blockers…

best

1 Like

Danke fur die detailliert Antwort! But the first time I accessed my nextbox through SSH and ran ‘sudo apt update’ after maybe 2 days it was online there were tons of updates(including linux kernel updates), are some updates kept back for compability with something package like docker, or everything is updated with the same packages and time of debian updates repos?

Yes, this is expected, the security repository does only provide security updated packages for the regular repository, inside the latter there might be packages which get updated due to other reasons. We do not intentionally hold back any security updates, but the default for unattended-upgrades does not include the full package repositories in order to keep friction (typical update issues) away. So far I know Debian has committed to provide (and if necessary backport) security updates for any package officially released via (debian) the repositories.

Especially for the NextBox use-case (minimal to no administration/maintenance effort for the user) this is quite an important feature as this ensures that no package upgrade will change some config/api/interface, which might break compatibility with e.g., the nextbox-daemon, while still maintaining a high security level.

Thanks again for the great explanation!

1 Like

Alas, there are v22.2.3/21.0.7 out in the meantime.
Just sayin’… :wink: