Make sure your backups are solid and can’t be deleted or altered.
In addition to normal backups, something like ZFS snapshots also helps and makes it easier to restore if needed.
I think I remember seeing a Nextcloud plugin that detects mass changes to a lot of files (like ransomware would cause). Maybe something like that would help?
Also enforce good passwords.
Do you have anything exposed to the internet that also has access to either nextcloud or the server it’s running on? If so, lock that down as much as possible too.
Fail2ban or similar would help against brute force attacks.
The VM you’re running Nextcloud on should be as isolated as you can comfortably make it. E.g. if you have a camera/IoT VLAN, don’t let the VM talk to it. Don’t let it initiate outbound connections to any of your devices, etc.
You can’t entirely protect against zero day vulnerabilities, but you can do a lot to limit the risk and blast radius.
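The "mass change" detection idea above, as an added illustration (not the plugin's code, and not part of the original thread): a sliding window per user over write/rename events, alerting once per burst and rating it higher when most of the files in the window also changed extension. The activity log and thresholds are constructed for the example.

```python
import os
from collections import defaultdict, deque


def make_sample_events():
    """Constructed sample activity log (not real Nextcloud data).
    Each event is (ts_seconds, user, action, old_path, new_path)."""
    events = []
    # alice: normal editing, one write every two minutes
    for i in range(5):
        p = f"/alice/notes{i}.md"
        events.append((i * 120, "alice", "write", p, p))
    # bob: 40 documents renamed to a new extension within 30 seconds,
    # the ransomware-like burst the detector should flag
    for i in range(40):
        events.append((300 + i * 0.75, "bob", "rename",
                       f"/bob/doc{i}.docx", f"/bob/doc{i}.docx.locked"))
    return sorted(events)


def detect_mass_changes(events, window=60, threshold=20, ext_fraction=0.5):
    """Per-user sliding-window counter over file events (sorted by time).
    Emits one alert per burst: (user, ts, changes_in_window,
    extension_changes_in_window, severity)."""
    recent = defaultdict(deque)   # user -> deque of (ts, ext_changed)
    in_burst = defaultdict(bool)  # user -> already alerted for this burst
    alerts = []
    for ts, user, action, old_path, new_path in events:
        ext_changed = (action == "rename" and
                       os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1])
        q = recent[user]
        q.append((ts, ext_changed))
        while q and q[0][0] < ts - window:   # drop events older than the window
            q.popleft()
        count = len(q)
        changed = sum(1 for _, c in q if c)
        if count >= threshold:
            if not in_burst[user]:
                severity = "high" if changed / count >= ext_fraction else "medium"
                alerts.append((user, ts, count, changed, severity))
                in_burst[user] = True
        else:
            in_burst[user] = False   # activity subsided; a new burst may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_changes(make_sample_events()):
        print("ALERT", alert)
```

A real deployment would feed this from the server's activity or audit log and pair it with the snapshot/backup measures above, since detection only limits how much gets encrypted before someone intervenes.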
The solution for me is that I run Nextcloud on a Kubernetes cluster and pin a container version. Then every few months I update that version in my deployment yaml to the latest one I want to run, and run kubectl apply -f nextcloud.yml and it just does its thing. Never given me any real trouble.
Well… no… I have been self hosting it for several years over multiple major versions now. Only for Files, Calendar and Deck though. It was a bit hard to set up, but reading the general Apache and PHP documentation helped a lot.
I’ve also gone down that rabbit hole and found Vivictpp pretty good. It allows you to play two videos so you can swipe between them, like the imgsli you mentioned.
There’s a whole range of measurements trying to approximate quality differences between a video source and an encode: PSNR, SSIM, VMAF, MS-SSIM.
All of them with some strong areas and tricks you can use to cheat them.
The problem child for me right now is a game built in node.js that I’m trying to host/fix. It’s lagging at random with very little reason, crashing in new and interesting ways every day, and resisting almost all attempts at instrumentation & debugging. To the point most things in DevTools just lock it up full stop. And it’s not compatible with most APMs because most of the traffic occurs over websockets. (I had Datadog working, but all it was saying was most of the CPU time is being spent on garbage collection at the time things go wonky–couldn’t get it narrowed down, and I’ve tried many different GC settings that ultimately didn’t help)
I haven’t had any major problems with Nextcloud lately, despite the fragile way in which I’ve installed it at work (Nextcloud and MariaDB both in Kubernetes). It occasionally gets stuck in maintenance mode after an update, because I’m not giving it enough time to run the update and it restarts the container and I haven’t given enough thought to what it’d take to increase that time. That’s about it. Early on I did have a little trouble maintaining it because of some problems with the storage, or the database container deciding to start over and wipe the volume, but nothing my backups couldn’t handle.
I have a hell of a time getting the email to stay working, but that’s not necessarily a Nextcloud problem, that’s a Microsoft being weird about email problem (according to them it is time to let go of ancient apps that cannot handle oauth2–Nextcloud emailer doesn’t support this, same with several other applications we’re running, so we have to do some weird email proxy stuff)
I am not surprised to hear some of the stories in this thread, though. Nextcloud’s doing a lot of stuff. Lots of failure points.
All the measures you listed amount to nothing against a zero day remote exploit. They bypass the normal authentication process.
If you’re not able to use a VPN then use an IAM layer, which requires you to log in through another method. You can use a dedicated app like Authelia/Authentik in front of the reverse proxy, or if you use nginx as reverse proxy you also have the option of using the vouch-proxy plugin.