extra hardening? #25

Open
jerabaul29 opened this issue Oct 8, 2021 · 3 comments
Labels
discussion-question meta-topic, not necessarily leading to code

Comments

@jerabaul29

Are there any additional steps users can take to extra harden their nextox that are not enabled by default? Should there be a list of such possible hardening measures? There are at least a few nextcloud featured apps that can help:

  • Two-Factor TOTP provider
  • Hardening Password policy
  • Impersonate (to be able to help users if they lock themselves out)
  • Brute-Force settings hardening
  • Antivirus for files
  • GeoBlocker

Anything more? And any additional hardening of the RPi and its OS by themselves? Is UFW enabled for example? Anything more that would be doable?

@daringer
Collaborator

daringer commented Oct 9, 2021

nope, haven't been looking into extra hardening, yet. But happily added this issue and its first hints as a documentation todo to make this available for more ppl.

Overall we will mainly focus on Nextcloud settings/configuration and apps to approach this target. Unfortunately, we have to draw lines in terms of scope for especially the documentation, otherwise it will end up as a linux-handbook 🤓

@jerabaul29
Author

Sounds good :) .

I think it would make sense to harden the Linux distro the RPi is running as much as possible 'from factory'. Some of the steps (like UFW with a default restrictive policy that is just enough for HTTP, HTTPS, SSH) would make quite a difference but still be very little work (just a tiny bit of auto install and config) I guess? :) .
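Added example, not part of the thread above and not the project's own code: the kind of default-restrictive UFW baseline the comment describes, as a POSIX shell script for Raspberry Pi OS. It assumes `ufw` is installed, that the appliance only needs inbound HTTP, HTTPS and SSH, and that SSH still listens on port 22 (override with the `SSH_PORT` environment variable). The rule set is emitted as plain text first so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not NextBox project code): default-deny UFW baseline for an
# RPi Nextcloud appliance. Run as root on the device: sh fw_baseline.sh apply
set -eu

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH listens on the default port

# Emit the rule set as plain ufw arguments, one rule per line, so the policy
# can be reviewed or checked without touching the firewall.
fw_rules() {
    cat <<EOF
default deny incoming
default allow outgoing
allow 80/tcp
allow 443/tcp
limit ${SSH_PORT}/tcp
EOF
}

# Apply each rule with ufw and enable the firewall. 'ufw limit' is a real
# ufw feature: it denies a source that opens more than 6 connections to the
# port within 30 seconds, which blunts password guessing against SSH without
# adding a separate daemon.
apply_rules() {
    command -v ufw >/dev/null || { echo "ufw not installed" >&2; return 1; }
    fw_rules | while read -r rule; do
        ufw $rule
    done
    ufw --force enable
    ufw status verbose
}

# Only apply when explicitly asked and running as root, so sourcing the
# file (for review or testing) changes nothing.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_rules
fi
```

Because the rules default to deny inbound, anything else the appliance later exposes (for example a different SSH port) has to be added explicitly, which is the point of a 'from factory' policy: the failure mode is a blocked port, not an unintentionally open one.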

@jerabaul29
Author

About hardening external connections especially SSH, a few possible directions:

  • is there some rate limiting / IP blacklisting in case of failed login?
  • documenting how to change SSH port from default 22
  • adding a button to enable port knocking to open the SSH port for connecting
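Added example, not part of the thread and not the project's own code: a small POSIX shell audit for the SSH settings the bullets above touch on (a non-default port, and the sshd directives that limit password guessing), plus a helper that rewrites the `Port` directive in a copy of the config. The directive names are OpenSSH's own; the two sample config files are constructed for this example, and the audit does not interpret `Match` blocks.

```shell
#!/bin/sh
# Added example (not NextBox project code): audit sshd_config for the
# hardening points discussed in the thread. Samples below are constructed.
set -eu

# Effective value of a directive: first match wins, as in sshd, and
# commented lines are ignored. Prints nothing if the directive is absent.
sshd_get() {  # $1=config file, $2=directive name
    awk -v key="$2" 'tolower($1)==tolower(key) {print $2; exit}' "$1"
}

# Print one line per finding; return 0 only when every check passes.
sshd_audit() {  # $1=config file
    cfg="$1"; rc=0
    port=$(sshd_get "$cfg" Port); port=${port:-22}
    [ "$port" != "22" ] || { echo "Port: still 22 (default)"; rc=1; }
    [ "$(sshd_get "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin: should be no"; rc=1; }
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication: should be no (keys only)"; rc=1; }
    tries=$(sshd_get "$cfg" MaxAuthTries); tries=${tries:-6}
    [ "$tries" -le 3 ] || { echo "MaxAuthTries: $tries, recommend 3 or fewer"; rc=1; }
    return $rc
}

# Write a copy of the config with the Port directive set (and uncommented).
sshd_set_port() {  # $1=config file, $2=new port, $3=output path
    if grep -Eqi '^#?[[:space:]]*Port[[:space:]]' "$1"; then
        sed -E "s/^#?[[:space:]]*[Pp]ort[[:space:]].*/Port $2/" "$1" > "$3"
    else
        { cat "$1"; echo "Port $2"; } > "$3"
    fi
}

# Constructed sample mirroring a stock install: port and root-login policy
# left at defaults, password logins on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
MaxAuthTries 6
EOF

# Constructed sample after hardening.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
EOF

echo "--- stock sample:";    sshd_audit "$SAMPLE" || true
echo "--- hardened sample:"; sshd_audit "$HARDENED" && echo "all checks pass"
```

For the first bullet (blocking a source after repeated failed logins) the usual Debian/Raspberry Pi OS tool is fail2ban, whose stock `sshd` jail is switched on with `enabled = true` under `[sshd]` in `/etc/fail2ban/jail.local`; `ufw limit` on the SSH port is the lighter-weight alternative. Changing the port with `sshd_set_port` only helps if the firewall rule is updated to the same port before sshd is restarted, otherwise the next login attempt is locked out by the firewall.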

@daringer daringer added the discussion-question meta-topic, not necessarily leading to code label Jan 17, 2022