extra hardening?
jerabaul29 opened this issue · 3 comments
Are there any additional steps users can take to extra-harden their Nextcloud that are not enabled by default? Should there be a list of such possible hardening measures? There are at least a few Nextcloud featured apps that can help:
- Two-Factor TOTP provider
- Hardening Password policy
- Impersonate (to be able to help users if they lock themselves out)
- Brute-Force settings hardening
- Antivirus for files
- GeoBlocker
Anything more? And any additional hardening of the RPi and its OS themselves? Is UFW enabled, for example? Anything more that would be doable?
Nope, I haven't been looking into extra hardening yet. But I happily added this issue and its first hints as a documentation to-do to make this available for more people.
Overall we will mainly focus on Nextcloud settings/configuration and apps to approach this target. Unfortunately, we have to draw lines in terms of scope, especially for the documentation, otherwise it will end up as a Linux handbook 🤓
Sounds good :)
I think it would make sense to harden the Linux distro the RPi is running as much as possible "from the factory". Some of the steps (like UFW with a default restrictive policy that is just enough for HTTP, HTTPS and SSH) would make quite a difference but still be very little work (just a tiny bit of auto-install and config), I guess? :)
About hardening external connections, especially SSH, a few possible directions:
- is there some rate limiting / IP blacklisting in case of failed logins?
- documenting how to change the SSH port from the default 22
- adding a button to enable port knocking to open the SSH port for connecting
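The three host-level directions raised in this thread (a default-deny UFW policy that admits only SSH/HTTP/HTTPS, rate limiting and IP banning on failed SSH logins, and moving SSH off port 22) fit in one small POSIX shell script. The script below is an added example written for this issue; it is not part of the project's own install scripts, and the file paths, thresholds and service names are assumptions for a Debian-based Raspberry Pi OS with `ufw`, `openssh-server` (8.2 or newer, for `sshd_config.d` drop-ins) and `fail2ban` installed. It only changes the system when run as root with the argument `apply`; otherwise it just prints the firewall plan, so it can be reviewed or tested without touching anything.

```shell
#!/bin/sh
# Added example (not project code): baseline host hardening for a Raspberry Pi
# serving Nextcloud. Assumed environment: Debian-based OS with ufw, sshd (>= 8.2,
# which reads /etc/ssh/sshd_config.d/*.conf) and fail2ban installed.
#   sh harden.sh          -> print the ufw rules that would be applied
#   sudo sh harden.sh apply -> write configs, validate sshd, enable firewall
set -eu

SSH_PORT="${SSH_PORT:-22}"          # export SSH_PORT=2222 to move SSH off 22
SSHD_DROPIN_DIR="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"
FAIL2BAN_DIR="${FAIL2BAN_DIR:-/etc/fail2ban}"

# Accept only a TCP port number in 1..65535; anything else is rejected before it
# can reach ufw or sshd (a bad Port line in sshd_config means a locked-out box).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for a default-deny firewall that admits only SSH, HTTP
# and HTTPS. "ufw limit" both allows the port and rate-limits it: a source that
# opens 6 or more new connections within 30 seconds is temporarily denied.
ufw_rules() {
    valid_port "$SSH_PORT" || { echo "invalid SSH_PORT: $SSH_PORT" >&2; return 1; }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit $SSH_PORT/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# Write an sshd drop-in: chosen port, key-only logins, no root, few guesses.
write_sshd_dropin() {
    dir="$1"
    valid_port "$SSH_PORT" || return 1
    cat >"$dir/99-hardening.conf" <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Write a fail2ban jail for sshd: 5 failures within 10 minutes bans the source
# IP for an hour. backend=systemd reads the journal, so it works without
# rsyslog providing /var/log/auth.log.
write_fail2ban_jail() {
    dir="$1"
    valid_port "$SSH_PORT" || return 1
    cat >"$dir/jail.local" <<EOF
[sshd]
enabled  = true
backend  = systemd
port     = $SSH_PORT
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Lockout guard: refuse to disable password logins while no account has a key.
has_authorized_key() {
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -s "$f" ] && return 0
    done
    return 1
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    has_authorized_key || { echo "no authorized_keys found; install a key first" >&2; return 1; }
    write_sshd_dropin "$SSHD_DROPIN_DIR"
    sshd -t                                 # validate the merged config before restarting
    write_fail2ban_jail "$FAIL2BAN_DIR"
    ufw_rules | sh -e                       # open the (possibly new) SSH port before sshd moves
    systemctl restart ssh fail2ban
}

case "${1:-}" in
    apply) apply ;;
    *)     ufw_rules ;;                     # default: show the plan, change nothing
esac
```

The order in `apply` matters: the firewall is opened on the new port and `sshd -t` has accepted the drop-in before `ssh` is restarted, and the script refuses to turn off password authentication until some account already has an `authorized_keys` file, which is the SSH-level equivalent of the "users locking themselves out" concern raised for the Impersonate app. Port knocking is deliberately not included here; `ufw limit` plus fail2ban covers the rate-limiting and blacklisting question with far less operational risk.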