Security on the nextbox

Hey @bs02,

for Debian security updates, I believe there are numerous sources addressing your questions. Especially Debian -- Security Information and Debian -- Debian security FAQ will answer most questions. On the NextBox, unattended-upgrades runs every 4 hours to check for Debian security updates and nextbox package updates, so there is next to no delay between actual fixes inside the Debian repositories and the package being updated on your NextBox.

As with most similar questions, this is incredibly hard to answer. But we built the NextBox with the aim of being as secure as possible. The following factors are most important from our point of view:

  • Debian is known for stability, robustness and fast security updates (ensuring the latter with 4h unattended-upgrades)
  • Nextcloud is the only component open to the internet (ports 80/443) and is also known for high security and good defaults
  • ssh is running by default, but no password logins are allowed and only key-based logins for non-root users are allowed by its configuration
  • additionally, only nextbox-daemon has an open port, which strictly filters requests by the incoming IP, so even if it were accidentally exposed (port-forwarded) the attack surface is minimal (we are already considering moving this to a Unix socket)
  • no other component/service/server is running on the NextBox (feel free to throw nmap on it), which means the attack surface is as minimal as possible

So overall, as always, there is room for even higher security, but I would consider this a fairly high security standard, (self-)hardening setup. Clearly the Nextcloud login procedure is a weak point, but this is up to you, and 2FA for private data using e.g. a Nitrokey FIDO2 will ensure that even the login is on a high security level.

Thanks for making us aware of this release(-set), which was exactly the one we were waiting for. This means we can now update to at least 21.0.6 without hitting the (for us) critical bug: Fresh installation redirects to http://index.php/apps/dashboard/ (host missing) · Issue #27575 · nextcloud/server · GitHub

As always, this is not really happening at the right moment :wink: We are currently testing the next release addressing important remote access and certification renewal issues as reported in other threads: Nextbox lokal unbrauchbar? - #8 by moapp, Yet another IPv6/reachability issue - #2 by daringer, No automatic renewal of Let's Encrypt certificate - #17 by f0x

I hope that this will be released soon™; there are quite elementary mechanisms which are updated here, and we would like to not mix that with an (updated) Nextcloud release … So once this release is out, we’ll directly start testing an “only Nextcloud update” release and deploy this asap … currently my impression is that we’ll directly jump onto the Nextcloud version 22.2.2 (which was also already released), if testing shows no blockers…

best

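The SSH policy listed in the post above (no password logins, key-based logins for non-root users only) can be checked against a host's effective sshd configuration as printed by `sshd -T`. This is an added example, not part of the original post or of the NextBox code; the keyboard-interactive check, the reading of "non-root only" as `PermitRootLogin no`, and both sample outputs are assumptions constructed for illustration.

```python
# Added example: audit `sshd -T` style output against the SSH policy from the post.

# Policy from the post: no password logins, key-based logins, no root login.
# Assumption: keyboard-interactive is also required to be off, because it can
# prompt for a password through PAM even when PasswordAuthentication is "no".
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",  # assumption: "non-root users only" means no root login at all
    "kbdinteractiveauthentication": "no",
}
# Older OpenSSH releases print the deprecated name for keyboard-interactive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_effective_config(text):
    """Parse `sshd -T` output: one keyword followed by its value per line."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        settings.setdefault(key, parts[1].strip().lower())  # first value wins
    return settings

def audit(text):
    """Return a list of findings; an empty list means the policy holds."""
    settings = parse_effective_config(text)
    findings = []
    for key, expected in REQUIRED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: missing from output")
        elif value != expected:
            findings.append(f"{key}: is '{value}', expected '{expected}'")
    return findings

# Constructed sample outputs (not captured from a real NextBox).
SAMPLE_HARDENED = ("port 22\npermitrootlogin no\npubkeyauthentication yes\n"
                   "passwordauthentication no\nkbdinteractiveauthentication no\n")
SAMPLE_WEAK = ("port 22\npermitrootlogin prohibit-password\npubkeyauthentication yes\n"
               "passwordauthentication yes\nchallengeresponseauthentication no\n")

if __name__ == "__main__":
    # On a real host, pass in the output of: sudo sshd -T
    for name, sample in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(name, audit(sample) or "OK")
```

`sshd -T` reports the settings sshd would actually apply after includes and defaults are resolved, which is why the check reads its output instead of parsing `sshd_config` directly.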