Nextcloud and the Open Web

Two evenings ago I played with setting up a No-IP host and set up the Swisscom router to make a Pi available in the DMZ so that I could access the Apache server and Nextcloud from the open web, and it worked. I had it all done within 15-20 minutes. Now, for those asking “But why Nextcloud?”, the answer is simple. It offers two-factor authentication and it is trusted by various EU institutions and governments. It is also trusted by Geneva but I don’t remember by whom, at this point.

Multiple Hacks Due to Vulnerable Apps

I have had a website and web presence since 97 or so, but in recent years some of my older projects, and also WordPress, were repeatedly hacked, to the point that I deleted all the old projects that I had on the site because they made my website vulnerable to attack. Several times my website was locked and I had to spend several hours, or even days, to restore access. After a few experiences I streamlined recovery, but I also increased security. Now all my accounts have two-factor authentication and each site has a different password.

PhotoPrism Unvetted

In theory PhotoPrism would be fun to have on the open web, because I could upload images and share them more easily. The drawback is that I haven’t RTFMed (Read the fabulous manual) on two-factor authentication for PhotoPrism.

WP and NC Two Factor Authentication

WordPress and Nextcloud are both designed with the option for two-factor authentication, so those are the two sites that I have running. For a while I thought “but if I run it through the Tailscale VPN that’s good enough for me” and it is. I’m happy to block off full access to these services, so that only I, and those I share these devices with, have access, but at the same time it’s good to learn and to experiment.

Easier than Expected

I expected that punching a hole through the server would be complicated but it was easy. I intuitively knew what to do without RTFM. I should add that I have spent the last three years studying related topics so “intuitive” means “put in the hours”.

Firewalled

I also set up UFW the morning before attempting this experiment and I tested whether I had SSH access from the World Wide Web. It’s when I saw that I didn’t that I set up two-factor authentication. If that hadn’t been the case I would have deleted the No-IP address.
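The check described above can also be made from the host side by reading the UFW rule table. The following is an added example, not the author's own code: it parses `ufw status` output and reports every rule that admits traffic from anywhere to a port other than the web ports. The sample output, the expected port set and the function name `audit_ufw` are assumptions made for illustration.

```python
import re

# Ports meant to be public on this kind of setup (Apache serving Nextcloud/WordPress).
# Assumption: plain HTTP and HTTPS only; adjust to your own services.
EXPECTED_PUBLIC = {"80/tcp", "443/tcp"}

# Constructed sample of `ufw status` output, not taken from the author's machine.
# 100.64.0.0/10 is the address range Tailscale assigns to its nodes.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       100.64.0.0/10
3306/tcp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
"""

# One rule row: destination, action (optionally "IN"/"OUT" in verbose mode), source.
RULE = re.compile(
    r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|LIMIT|DENY|REJECT)(?: IN| OUT)?\s+(?P<src>.+?)\s*$"
)

def audit_ufw(status_text, expected=EXPECTED_PUBLIC):
    """Return findings for rules that expose more than the expected ports."""
    lines = status_text.splitlines()
    if not lines or lines[0].strip() != "Status: active":
        # Assumption: the router's DMZ forwards every inbound port to the host,
        # so an inactive host firewall leaves nothing filtering that traffic.
        return ["ufw is not active: a DMZ host would be fully exposed"]
    findings = []
    for line in lines:
        m = RULE.match(line)
        if not m:
            continue  # header, separator or blank line
        to = m["to"].replace(" (v6)", "").strip()
        src = m["src"].replace(" (v6)", "").strip()
        exposed = m["action"] in ("ALLOW", "LIMIT") and src == "Anywhere"
        if exposed and to not in expected:
            finding = f"{to} is open to the whole internet ({m['action']})"
            if finding not in findings:  # IPv4 and IPv6 rows report once
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in audit_ufw(SAMPLE_STATUS):
        print(finding)
```

A rule table that passes this check still needs the outside-in test the paragraph describes, since the table only shows what UFW is configured to do.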

The Advantage of the Open Web

The advantage of having the servers on the open web is that I can share links to files more easily when required to do so. It also means that I can back up photos whilst I’m out, without having to log in through the VPN.

The disadvantage is that I need to verify that my setup is secure and I need to spend time checking that SQLi attacks, among others, are not possible. I added Wordfence for the WordPress install, and brute force protection and two-factor authentication to Nextcloud. Having done these things I still want to do some more research to ensure that the sites are secure on that one server.

The VPN Advantage

The VPN advantage is that I control access and it’s behind security protocols put in place by Tailscale. It should be harder for people to gain malicious access.

And Finally

Now that I have seen how simple it is to make a home server available to the World Wide Web, rather than hidden behind a VPN, I might set up a smaller instance with less storage that is set up to back up photos and videos while I’m hiking and walking, but that would be emptied and moved to a more secure instance within my personal network.

Time for more experimentation.