You really do not want anyone from the internet to be able to access you Nextcloud admin account. A strong password is good, but not good enough. 2FA can help, but I wanted to take absolutely no chances.
So I started looking for a solution to restrict admin access to my LAN. If you break into my LAN, I will be f***ed anyway, so this will be as good as it gets ...
I found a solution on the web (copied all over the place in different forums) employing mod_rewrite. Well, it works, but after I had implemented it, I did not like the flaw this solution has: since mod_rewrite cannot read the request data of the post request that resembles the login attempt, it acts on cookies instead, meaning that the login itself will still be executed and a good hacker may intercept the authentication token and use it in some other way. I do not have a proof of concept for a hack, but do not like the idea.
So I looked at mod_security, and felt much better: it can look at post data. I now intercept login requests from admin, and reject them if the remote address is not on my LAN. The relevant portion of the Apache configuration file looks like this:
SecRequestBodyAccess On
SecRule REQUEST_URI "@endsWith /login" \
"phase:2,id:50001,deny,status:401,msg:'Admin login blocked.',chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24" "chain"
SecRule REQUEST_BODY "@contains user=admin"
Now I feel much better😀
It would be nice though, if Nextcloud offered an option like this. There is a Nextcloud app (called "Restrict login to IP addresses") that can restrict access to certain IPs and IP ranges, but it does not distinguish by account, so it is no solution for my scenario.
No comments:
Post a Comment