Hardened?

You are using UBOS on a Raspberry Pi. Please state which model you are using, e.g. Zero, Zero W, model 3 or such.
jan-jan
Posts: 9
Joined: Thu Dec 28, 2017 2:52 pm

Hardened?

Post by jan-jan » Thu Dec 28, 2017 3:00 pm

1st: Thank you for UBOS, it is great.

I've used UBOS to set up a Nextcloud server. Now, I want to do federation between my local server and a cloud server. This means exposing it to the web. By default, to what extent is a UBOS server locked down?

E.g., will it only accept SSH (and installed app-specific) connections from the local subnet?

Can I open it to only a specific machine in the cloud? (Other than doing the IP myself, since I want to do it a UBOS-compliant way, if there is such a thing.)



j12t
Posts: 110
Joined: Tue Dec 12, 2017 9:17 pm

Re: Hardened?

Post by j12t » Thu Dec 28, 2017 7:16 pm

Thank you! :-)

UBOS is fairly locked down; of course, this being computers, and humans messing with those computers, there is no guarantee ... however, we have started doing port scans during testing. To test yourself, run nmap from a different device.

What exact ports are open depends on the netconfig you have set (see https://ubos.net/docs/users/networking.html). Our default assumption is that you want to lock down as much as possible to the internet "upstream" and are more lenient on your local network. So for example, if you set netconfig "gateway" on a device with two Ethernet interfaces, only the SSH port and the DHCP-receiving port are open to your ISP, while on the local LAN, HTTP and HTTPS are also open.

If you are running a Raspberry Pi, I assume you probably are on the default "client" netconfig and behind a router/firewall of some sort. How are you planning to expose this to the public internet? Personally I have not run Nextcloud federation, so I don't know what the networking requirements are.
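A scripted version of the "test yourself from a different device" check described in the post above, as an added example (not part of the original thread and not UBOS code). It compares the TCP ports that answer against the exposure the post describes for the "gateway" netconfig; the port numbers 22/80/443 (service defaults), the probe list and the function names are assumptions.

```python
import socket
import sys

# Expected TCP exposure for the "gateway" netconfig, per the post above.
# Assumption: services listen on their default ports (SSH 22, HTTP 80, HTTPS 443).
# The DHCP port is UDP and cannot be checked with a TCP connect, so it is not listed.
EXPECTED_TCP = {
    "upstream": {22},           # towards the ISP: SSH only
    "lan": {22, 80, 443},       # local LAN: SSH plus HTTP and HTTPS
}

# Constructed probe list: the expected ports plus some commonly exposed services.
DEFAULT_PROBE = [21, 22, 23, 25, 53, 80, 111, 139, 443, 445, 3306, 5432, 8080]


def open_tcp_ports(host, ports, timeout=1.0):
    """Return the set of ports on host that complete a TCP handshake."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:
            pass  # refused, filtered, timed out or unreachable
    return found


def audit(observed, vantage):
    """Compare observed open ports with what the netconfig should expose."""
    expected = EXPECTED_TCP[vantage]
    return {
        "unexpected_open": sorted(set(observed) - expected),
        "expected_closed": sorted(expected - set(observed)),
    }


def main(argv):
    if len(argv) != 3 or argv[2] not in EXPECTED_TCP:
        print("usage: audit.py <device-address> <upstream|lan>")
        return 2
    result = audit(open_tcp_ports(argv[1], DEFAULT_PROBE), argv[2])
    print("unexpected open ports:", result["unexpected_open"] or "none")
    print("expected but closed:  ", result["expected_closed"] or "none")
    return 1 if result["unexpected_open"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a second machine on the side being checked (`upstream` or `lan`), against a device you administer; a non-zero exit status means a port outside the expected set answered.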

jan-jan
Posts: 9
Joined: Thu Dec 28, 2017 2:52 pm

Re: Hardened?

Post by jan-jan » Thu Dec 28, 2017 8:22 pm

I have not hooked up federation on Nextcloud myself. So I'll be your patient zero :-) and share what I learn. (It might also take a while because of time constraints, and me being a network setup retard.)

What I was thinking of doing was (like you said) opening

1. DHCP to the ISP
2. HTTPS, but only to the IP(s) of my Nextcloud provider / cloud server (and find out if Nextcloud federation needs more ports)

(I'm in two minds about whether I want SSH to be open.)

PS. Based on your approach I am assuming that all of this has been done https://docs.nextcloud.com/server/12/ad ... erver.html

j12t
Posts: 110
Joined: Tue Dec 12, 2017 9:17 pm

Re: Hardened?

Post by j12t » Fri Dec 29, 2017 7:09 pm

Sounds good. We worked that list down at some point I believe but we don't track it for updates. Please file a bug if you notice something should be different than it is.
