
Optimize Nextcloud Security on Your VPS: Fail2Ban, 2FA & Audits

Learn how to secure your Nextcloud instance on a VPS with Fail2Ban, two-factor authentication, and regular security audits. Effectively protect your data from unauthorized access.

Why Security for Your Nextcloud Instance Is Crucial

Nextcloud is a powerful platform for file synchronization and sharing that runs on your own VPS. But with control over your data comes the responsibility to protect it. Cyberattacks on Nextcloud instances are increasing, so you should act proactively. In this article, we show you three essential measures: Fail2Ban, two-factor authentication (2FA), and regular security audits.

Fail2Ban: Protection Against Brute-Force Attacks

Fail2Ban is a tool that monitors log files and blocks IP addresses after repeated failed login attempts. This protects your Nextcloud from brute-force attacks.

Installation and Configuration

Install Fail2Ban on your VPS with the command for your distribution:

  • Debian/Ubuntu: sudo apt install fail2ban
  • CentOS/RHEL: sudo yum install fail2ban

Create a custom jail file for Nextcloud, e.g., /etc/fail2ban/jail.local, with the following content:

[nextcloud]
enabled = true
port = http,https
filter = nextcloud
logpath = /var/www/nextcloud/data/nextcloud.log
maxretry = 5
bantime = 3600

Then create the filter /etc/fail2ban/filter.d/nextcloud.conf:

[Definition]
# <HOST> marks the client IP so Fail2Ban knows which address to ban; only "Login failed" entries count
failregex = ^.*"remoteAddr":"<HOST>".*"message":"Login failed:.*$
# Nextcloud stores an ISO 8601 timestamp in the "time" key; tell Fail2Ban where to read it
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
ignoreregex =

Restart Fail2Ban: sudo systemctl restart fail2ban. Check the status with sudo fail2ban-client status nextcloud.

Setting Up Two-Factor Authentication (2FA)

2FA adds a second layer of security: even if a password is stolen, an attacker cannot log in with the password alone. Nextcloud supports 2FA via apps like Nextcloud Two-Factor TOTP Provider or Nextcloud Two-Factor U2F.

Steps to Activate

  1. Install the app via the Nextcloud App Store (e.g., "Two-Factor TOTP Provider").
  2. Go to personal settings in Nextcloud and select "Security".
  3. Activate the 2FA method (e.g., TOTP) and scan the QR code with an authenticator app like Google Authenticator.
  4. Confirm the entered code to complete the setup.

Tip: Enforce 2FA for all users by setting the following parameter in config.php: 'twofactor_enforced' => 'true'.

Conduct Regular Security Audits

A security audit helps you identify vulnerabilities early. Perform the following checks regularly:

  • Nextcloud Security Scanner: Use the official Nextcloud Security Scanner to check your instance for known security vulnerabilities.
  • System Updates: Keep your VPS and Nextcloud up to date. Run sudo apt update && sudo apt upgrade regularly.
  • Log Analysis: Monitor log files for suspicious activity. Tools like logwatch can help.
  • Check Permissions: Ensure file and folder permissions are set correctly; on Debian/Ubuntu, where the web server runs as www-data, the installation should be owned by that user (sudo chown -R www-data:www-data /var/www/nextcloud).

Schedule audits at regular intervals, e.g., monthly, and document the results.
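As an added example of the permission check and the 2FA setting from the sections above (written for this article, not an official Nextcloud or distribution tool), the Python script below walks an installation directory and flags world-writable entries, entries not owned by the expected web server user, and a config.php that is readable by everyone, which matters because that file holds the database password and the instance secret. It also checks whether config.php enforces 2FA. The demo tree, file names and config snippets are constructed; on a real server you would pass the installation path and the uid of www-data.

```python
import os
import re
import stat
import tempfile

# Matches the switch from the 2FA section, tolerating spacing and the bare PHP true.
TWOFACTOR_ENFORCED = re.compile(r"""['"]twofactor_enforced['"]\s*=>\s*['"]?true['"]?""")

# Constructed config.php fragments (hypothetical values, not from a real instance).
SAMPLE_CONFIG_ENFORCED = "<?php\n$CONFIG = array (\n  'instanceid' => 'constructed',\n  'twofactor_enforced' => 'true',\n);\n"
SAMPLE_CONFIG_DEFAULT = "<?php\n$CONFIG = array (\n  'instanceid' => 'constructed',\n  'twofactor_enforced' => 'false',\n);\n"


def config_enforces_2fa(config_php: str) -> bool:
    """True if config.php contains 'twofactor_enforced' => 'true' (or the bare true)."""
    return TWOFACTOR_ENFORCED.search(config_php) is not None


def audit_tree(root: str, expected_uid=None) -> dict:
    """Walk a Nextcloud installation and report what a regular audit should flag:
    world-writable entries, entries not owned by the web server user, and a config.php
    readable by everyone. Paths are reported relative to `root`, sorted."""
    if expected_uid is None:
        expected_uid = os.getuid()  # demo default; on a server pass the uid of www-data
    report = {"world_writable": [], "wrong_owner": [], "world_readable_config": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                report["world_writable"].append(rel)
            if st.st_uid != expected_uid:
                report["wrong_owner"].append(rel)
            if name == "config.php" and st.st_mode & stat.S_IROTH:
                report["world_readable_config"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_demo_tree() -> str:
    """Create a small constructed installation in a temp directory with deliberate findings:
    a world-readable config.php and a world-writable file under data/."""
    root = tempfile.mkdtemp(prefix="nextcloud-audit-demo-")
    layout = {
        "config/config.php": (SAMPLE_CONFIG_ENFORCED, 0o644),  # readable by everyone: finding
        "data/shared.txt": ("constructed user file\n", 0o666),  # writable by everyone: finding
        "index.php": ("<?php // constructed\n", 0o640),          # fine
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # explicit chmod so the umask does not change the demo
    os.chmod(os.path.join(root, "config"), 0o750)
    os.chmod(os.path.join(root, "data"), 0o770)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding, paths in audit_tree(demo).items():
        print(f"{finding}: {paths}")
    print("config.php enforces 2FA:", config_enforces_2fa(open(os.path.join(demo, "config", "config.php")).read()))
```

Run monthly as part of the audit and keep the output alongside the date, so a permission that drifts after an update or a manual fix shows up as a diff against the previous run.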

Additional Tips for a Secure Nextcloud

  • Use HTTPS with a valid SSL certificate (e.g., Let's Encrypt).
  • Restrict access to Nextcloud administration to trusted IPs.
  • Use strong, unique passwords for all users.
  • Secure your VPS environment with a firewall (e.g., UFW).

If you don't have a VPS yet to run Nextcloud, check out our VPS Server offers. We provide optimized solutions for your cloud requirements.