Geekzone: technology news, blogs, forums
16114 posts | Uber Geek | Trusted | Subscriber
#272391 23-Jun-2020 12:53

I've set up NextCloud on a R.Pi on my home network. Using Fritzbox Port Sharing I could expose this machine / service to the internet. Of course that means if someone compromises NextCloud / Raspbian they're on my home network, and while things are somewhat protected at home it's a trusted network and I haven't really secured it.

My gut says "don't do it" and to have it on the LAN only, and use a VPN from devices to home for syncing. I already have the VPN set up, so not a huge deal for me, and TBH these days we don't leave the house all that much anyway.

I want this for sharing small files between phones and computers that are updated occasionally. I use Dropbox but their 3 device limit is annoying, Resilio Sync is fine but having a server is convenient.

Thoughts?


4894 posts | Uber Geek | Trusted
#2510489 23-Jun-2020 13:43

I have mine done. It's got better security than some apps. I was wondering about putting it behind Cloudflare Access, or I could force it to be local only and use a VPN.... I'm undecided.

I pulled all my crap out of Dropbox and Google Drive to put it local.





Previously known as psycik

OpenHAB: Gigabyte AMD A8 BrixOpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10
Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex


4894 posts | Uber Geek | Trusted
#2510491 23-Jun-2020 13:45

Also, you can actually run two "accounts" of the server. One being its external address, and another the internal. That's kind of useful for devices that will never leave the house.

I do this with reverse proxying (in Caddy). I have cloud.domain.com for external access, and I also use cloud.internal.domain.com for internal.





16114 posts | Uber Geek | Trusted | Subscriber
#2510550 23-Jun-2020 14:34

I would run CloudFlare in front of it as that's how I do my DNS, but I'd need to use iptables to whitelist local addresses and CloudFlare IPs. Probably easy enough. That would mitigate many issues, but means it's more difficult to use on mobile, from work, etc. Probably defeats the purpose of it.

I think I'll start with VPN / LAN access and see if I like it. Right now I want to do something I thought would be fairly basic - share a folder with a number of devices / people, myself and my wife. I created a user for each of my devices, but maybe I just need to use one user per person, but that probably doesn't solve the problem entirely. Group Folders won't sync in Windows, and I can't work out how to do folder shares otherwise. Maybe I'll end up trashing it and using BitTorrent / Resilio Sync instead.


/dev/null | 9403 posts | Uber Geek | Moderator | Trusted | Lifetime subscriber
#2510568 23-Jun-2020 14:56

I've got a script for the Cloudflare stuff:

#!/bin/sh
# Refresh the UFW allow-list for Cloudflare's published edge ranges so that
# only Cloudflare can reach the HTTPS port on the origin.
set -eu

DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR"

# Download to temp files first so a failed fetch (set -e aborts here) does not
# clobber the last good list.
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6

# Allow HTTPS from each published range; ufw skips rules that already exist.
while read -r cfip; do ufw allow from "$cfip" to any port https comment "Cloudflare IPv4"; done < ips-v4
while read -r cfip; do ufw allow from "$cfip" to any port https comment "Cloudflare IPv6"; done < ips-v6

ufw reload > /dev/null

Run it via cron nightly:

# Midnight every day (the original "0 0 * * 1" only fired on Mondays).
0 0 * * * bash /root/cloudflare-ufw/cloudflare-ufw.sh > /dev/null 2>&1

But that is what I have personally done with Nextcloud along with using Authenticated Origin Pulls and a Cloudflare Origin certificate.
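The script above only ever adds rules, so a range Cloudflare retires stays open on the firewall. As an added example (not /dev/null's script and not anything from Cloudflare), here is a Python reconciler that diffs a downloaded list against the ufw rules tagged with the script's "Cloudflare IPv4/IPv6" comment and emits the ufw commands to add and delete, refusing to act on an empty download; the list contents and the `ufw status` output are constructed samples, and the status column layout is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of https://www.cloudflare.com/ips-v4 (one CIDR per line).
PUBLISHED = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
"""

# Constructed sample of `ufw status` output (column layout assumed): two rules carry the
# script's "Cloudflare IPv4" comment, and 198.41.128.0/17 is no longer in PUBLISHED.
UFW_STATUS = """\
Status: active
To                         Action      From
--                         ------      ----
443                        ALLOW       173.245.48.0/20            # Cloudflare IPv4
443                        ALLOW       198.41.128.0/17            # Cloudflare IPv4
22/tcp                     ALLOW       192.168.1.0/24             # LAN ssh
"""

# Only rules tagged with the script's own comment are managed; everything else is left alone.
RULE_RE = re.compile(r"^\S+\s+ALLOW\s+(\S+)\s+#\s*Cloudflare IPv[46]\s*$")


def parse_published(text):
    """Networks in a downloaded list; an empty list means the download failed, so refuse."""
    nets = {ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()}
    if not nets:
        raise ValueError("empty IP list; keeping the existing firewall rules")
    return nets


def parse_ufw_cloudflare(text):
    """Networks currently allowed by Cloudflare-tagged ufw rules."""
    return {ipaddress.ip_network(m.group(1)) for m in map(RULE_RE.match, text.splitlines()) if m}


def ufw_commands(published_text, ufw_text):
    """Commands that make the tagged rules match the published list exactly."""
    published = parse_published(published_text)
    allowed = parse_ufw_cloudflare(ufw_text)
    cmds = [f'ufw allow from {n} to any port https comment "Cloudflare IPv{n.version}"'
            for n in sorted(published - allowed, key=str)]
    cmds += [f"ufw delete allow from {n} to any port https"
             for n in sorted(allowed - published, key=str)]
    return cmds


if __name__ == "__main__":
    print("\n".join(ufw_commands(PUBLISHED, UFW_STATUS)))
```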





4894 posts | Uber Geek | Trusted
#2510679 23-Jun-2020 17:32

What does it do Michael?

Also with Cloudflare you can restrict access through as well.

I want to work out fail2ban on Nextcloud. I had it on my SSH, but then I put in a few rules to restrict to just work and all my fail2bans dried up as it wasn't open.





4894 posts | Uber Geek | Trusted
#2510680 23-Jun-2020 17:34

timmmay:

    I would run CloudFlare in front of it as that's how I do my DNS, but I'd need to use iptables to whitelist local addresses and CloudFlare IPs. Probably easy enough. That would mitigate many issues, but means it's more difficult to use on mobile, from work, etc. Probably defeats the purpose of it.

    I think I'll start with VPN / LAN access and see if I like it. Right now I want to do something I thought would be fairly basic - share a folder with a number of devices / people, myself and my wife. I created a user for each of my devices, but maybe I just need to use one user per person, but that probably doesn't solve the problem entirely. Group Folders won't sync in Windows, and I can't work out how to do folder shares otherwise. Maybe I'll end up trashing it and using BitTorrent / Resilio Sync instead.

But if your local addresses don't go out through the internet (i.e. the 2 reverse proxies I have), then it's only the external IPs that are whitelisted. Much smaller list is good.





16114 posts | Uber Geek | Trusted | Subscriber
#2510875 23-Jun-2020 20:06

I use CloudFlare's free plan with my AWS server. It's basically DNS and a cache, but your host is still on the internet, so random port scans will find it. The only way to tighten that up is with firewalls - I use security groups on AWS, but on a standard Linux host you use IP Tables.

CloudFlare do have a paid option that basically means your server isn't on the internet directly, it's a private connection to them and then from there onto the internet. But I don't need that.

Michael's script takes the CloudFlare IP list and adds it to the Linux firewall each night. I don't bother with that on AWS, I did it once and the IPs haven't changed as far as I can tell - CloudFlare free doesn't give you much in the way of error logging so you can't see if some of their IP ranges can't connect.


 
 
 
 


/dev/null | 9403 posts | Uber Geek | Moderator | Trusted | Lifetime subscriber
#2510923 23-Jun-2020 20:27

I’ve had IP addresses change with Cloudflare, and stuff break. I’d rather mitigate the risk with just running the script nightly.

Script uses UFW which is essentially an iptables wrapper. It is easier to maintain.

If you have authenticated origin pulls enabled it forces traffic to go via Cloudflare. Just an extra security layer.






16114 posts | Uber Geek | Trusted | Subscriber
#2510986 23-Jun-2020 20:45

Yeah, useful to have. I should really do the same with AWS and security groups. I found a lambda to do it, so I might go install it now.

Update - lambda didn't work well. I did a manual check and the CloudFlare IPs don't appear to have changed in years. They have massive amounts of IP space, a /12, /13, /15. That'd be expensive to buy, actually just about impossible to buy now.


322 posts | Ultimate Geek
#2512546 25-Jun-2020 23:59

I've setup a VPN and now I'm always at home even on the move. It's handy for many things other than just NextCloud and I'm rather happy with WireGuard from a security standpoint.




16114 posts | Uber Geek | Trusted | Subscriber
#2512555 26-Jun-2020 06:54

I dumped NextCloud as it isn't really what I needed. Main use case is I need my KeePass passwords on multiple devices and Dropbox limits device numbers. Solution I'm currently trialing is BackBlaze B2 with GoodSync on PC and FolderSync on Android (both have free versions that are good enough for me), and so far it's working well. I was going to use AWS but B2 is cheaper and the free tier is likely to do what I need.


4894 posts | Uber Geek | Trusted
#2512559 26-Jun-2020 07:17

timmmay:

    I dumped NextCloud as it isn't really what I needed. Main use case is I need my KeePass passwords on multiple devices and Dropbox limits device numbers. Solution I'm currently trialing is BackBlaze B2 with GoodSync on PC and FolderSync on Android (both have free versions that are good enough for me), and so far it's working well. I was going to use AWS but B2 is cheaper and the free tier is likely to do what I need.

I use Nextcloud for that. With KeePassium. But I'm not using the Nextcloud file browser (in iOS Files), just open the file with a WebDAV URL instead; it works perfectly.

Once I had that working, then I started moving things I had spread across Dropbox and Google Drive. Really happy with it. I have a script that runs that calls a file scan if something is introduced outside of Nextcloud.

 

 






16114 posts | Uber Geek | Trusted | Subscriber
#2512561 26-Jun-2020 07:41

I just found the NextCloud clients to be missing key features. Happy to use B2 as a file server, I trust BackBlaze and it saves running and maintaining the Pi. Plus I only put encrypted or non-critical data up there anyway.

