From a374fc7f43e198c61f71d04e7ceec28f2ae05193 Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 10:06:25 +0200 Subject: [PATCH 1/8] Update harden_server.rst add fields to be submitted to Nextcloud servers Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 35 +++++++++++++++------ 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index c9e2c86b0..ccaff6dc4 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -236,20 +236,35 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require connecting to remote servers. Depending on -your server setup, these are the possible connections: +Some Nextcloud functionalites require connecting to remote servers. +This pragraph also outlines the data which is transmitted to the Nextcloud GmbH. +Depending on your server setup, these are the possible connections: - www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection -- cloud.nextcloud.com (https) for validating the enterprise subscription -- updates.nextcloud.com (https) for Nextcloud server updates -- push-notifications.nextcloud.com (https) for sending push notifications to mobile clients -- pushfeed.nextcloud.com (https) for the Nextcloud announcements app -- lookup.nextcloud.com (https) for updating and lookups to the federated sharing addressbook -- surveyserver.nextcloud.com (https) if the admin has agreed to share anonymized data -- apps.nextcloud.com (https) for available apps and their updates -- github.com (https) for downloading Nextcloud standard apps +- cloud.nextcloud.com (https) + - used for enterprise license monitoring + - submitted data: subscription key, user count +- updates.nextcloud.com (https) + - to check for available Nextcloud server updates + - submitted data: server version, subscription key, install time, instance id, instance size +- apps.nextcloud.com (https) + - to check for available apps and their updates + - submitted data: subscription key +- github.com (https) + - to download Nextcloud standard apps +- push-notifications.nextcloud.com (https) + - sending push notifications to mobile clients + - submitted data: unique device identifier, pblic key, push token +- pushfeed.nextcloud.com (https) + - for the Nextcloud announcements app +- lookup.nextcloud.com (https) + - for updating and lookups to the federated sharing addressbook +- 
surveyserver.nextcloud.com (https) + - if the admin has agreed to share anonymized server data + - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing + Setup fail2ban -------------- From ce850f6110a435851500c397255428f6b5ae08bd Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 10:28:40 +0200 Subject: [PATCH 2/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index ccaff6dc4..f03e9400f 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -236,8 +236,8 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require connecting to remote servers. -This pragraph also outlines the data which is transmitted to the Nextcloud GmbH. +Some Nextcloud functionalites require the server to connect to remote servers. +This pragraph includes the data which is transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: - www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection 
@@ -256,9 +256,10 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, pblic key, push token - pushfeed.nextcloud.com (https) - - for the Nextcloud announcements app + - checking for updates to be shown in the Nextcloud announcements app - lookup.nextcloud.com (https) - for updating and lookups to the federated sharing addressbook + - submitted data: *pending* - surveyserver.nextcloud.com (https) - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps From 28dd7bb5898e76854daeb81e93c07b5876ca5ecf Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 14:28:45 +0200 Subject: [PATCH 3/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index f03e9400f..7270af979 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -256,11 +256,14 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, pblic key, push token - pushfeed.nextcloud.com (https) - - checking for updates to be shown in the Nextcloud announcements app + - optional + - checking for updates to be shown in the Nextcloud Announcements app - lookup.nextcloud.com (https) + - optional - for updating and lookups to the federated sharing addressbook - submitted data: *pending* - surveyserver.nextcloud.com (https) + - optional - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing 
From 04c0d53369ce8454bd907d540c4e291c8455d5ec Mon Sep 17 00:00:00 2001 From: Bastian Derigs <155444921+derigs@users.noreply.github.com> Date: Thu, 16 May 2024 15:17:55 +0200 Subject: [PATCH 4/8] Update harden_server.rst Signed-off-by: Bastian Derigs <155444921+derigs@users.noreply.github.com> --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 7270af979..17aa81704 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -254,7 +254,7 @@ Depending on your server setup, these are the possible connections: - to download Nextcloud standard apps - push-notifications.nextcloud.com (https) - sending push notifications to mobile clients - - submitted data: unique device identifier, pblic key, push token + - submitted data: unique device identifier, public key, push token - pushfeed.nextcloud.com (https) - optional - checking for updates to be shown in the Nextcloud Announcements app From 3f0641430f1a305b2111585d2bee3b0459f9ae96 Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 09:52:02 +0200 Subject: [PATCH 5/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 30 ++++++++++++--------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 17aa81704..744e6b544 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -236,38 +236,42 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require the server to connect to remote servers. -This pragraph includes the data which is transmitted to the Nextcloud GmbH. +Some Nextcloud functionalites require the server to be able to connect remote servers via https/:443. +This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: -- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection -- cloud.nextcloud.com (https) +- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org + - for checking the internet connection + - `optional (config)`_ +- cloud.nextcloud.com - used for enterprise license monitoring - submitted data: subscription key, user count -- updates.nextcloud.com (https) +- updates.nextcloud.com - to check for available Nextcloud server updates - submitted data: server version, subscription key, install time, instance id, instance size -- apps.nextcloud.com (https) +- apps.nextcloud.com - to check for available apps and their updates - submitted data: subscription key -- github.com (https) +- github.com - to download Nextcloud standard apps -- push-notifications.nextcloud.com (https) +- push-notifications.nextcloud.com - sending push notifications to mobile clients - submitted data: unique device identifier, public key, push token -- pushfeed.nextcloud.com (https) - - optional +- pushfeed.nextcloud.com - checking for updates to be shown in the Nextcloud Announcements app -- lookup.nextcloud.com (https) - optional +- lookup.nextcloud.com - for updating and lookups to the federated sharing addressbook - - submitted data: *pending* -- surveyserver.nextcloud.com (https) - optional + - submitted data: *pending* +- surveyserver.nextcloud.com - if the admin has agreed to share anonymized server data + - optional - 
submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing +.. _optional (config): https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#has-internet-connection + Setup fail2ban -------------- From d7389b9de9da75dd7e4a0167acdc0fba69b330b0 Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 09:55:59 +0200 Subject: [PATCH 6/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 744e6b544..4f4d7ad30 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -236,7 +236,7 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require the server to be able to connect remote servers via https/:443. +Some functionalites require the Nextcloud server to be able to connect remote systems via https/443. This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: From 8edc6af57919635b086f278aa15550b4759a67a4 Mon Sep 17 00:00:00 2001 From: Bastian Derigs <155444921+derigs@users.noreply.github.com> Date: Fri, 17 May 2024 11:23:02 +0200 Subject: [PATCH 7/8] Update harden_server.rst Signed-off-by: Bastian Derigs <155444921+derigs@users.noreply.github.com> --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 4f4d7ad30..c72d70f03 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -240,7 +240,7 @@ Some functionalites require the Nextcloud server to be able to connect remote sy This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: -- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org +- nextcloud.com, startpage.com, eff.org, edri.org - for checking the internet connection - `optional (config)`_ - cloud.nextcloud.com From 756cff55ece667f69775cfc5fa6e2354ba3b8a7d Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 12:58:37 +0200 Subject: [PATCH 8/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index c72d70f03..39ba80314 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -241,8 +241,8 @@ This pragraph also includes the data which is being transmitted to the Nextcloud Depending on your server setup, these are the possible connections: - nextcloud.com, startpage.com, eff.org, edri.org - - for checking the internet connection - `optional (config)`_ + - for checking the internet connection - cloud.nextcloud.com - used for enterprise license monitoring - submitted data: subscription key, user count 
@@ -258,15 +258,15 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, public key, push token - pushfeed.nextcloud.com + - optional - checking for updates to be shown in the Nextcloud Announcements app - - optional - lookup.nextcloud.com - - for updating and lookups to the federated sharing addressbook - optional + - for updating and lookups to the federated sharing addressbook - submitted data: *pending* - surveyserver.nextcloud.com - - if the admin has agreed to share anonymized server data - optional + - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing
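Review bot: In the list hunk of PATCH 1/8, the new sub-items (`- used for enterprise license monitoring`, `- submitted data: ...`) sit directly under their parent host line with no blank line in between, so they will not render as nested bullets. The 25 insertions are fully accounted for by the 3 intro lines, 21 list lines and 1 trailing blank line. reStructuredText requires a blank line between a list item and a nested list. Add an empty line after each host entry, keep the sub-items indented to the parent's text column, and check the built HTML before merging.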
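Review bot: The line `- submitted data: *pending*` added under lookup.nextcloud.com in the second hunk of PATCH 2/8 is a placeholder, and it is still there in the context lines of PATCH 8/8, so the series as posted would publish it. Either list the fields that are actually sent to the lookup server or leave the line out until they are confirmed. Admins read this section to decide what is allowed to leave their server.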
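Review bot: The bare `- optional` sub-item added under pushfeed, lookup and surveyserver in PATCH 3/8 does not say what makes the connection optional or how to turn it off. Only the connectivity-check entry gets a link to a config option (added in PATCH 5/8). For each of the three, name the setting or app that disables the connection, so an admin can switch it off and then drop the host from the egress allowlist.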
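Review bot: The link target `.. _optional (config):` added at the end of the hunk in PATCH 5/8 hard-codes a `server/latest` URL, so every versioned build of the admin manual would send readers to the newest release's parameter reference rather than the one matching their installation. Use an internal cross-reference to the config parameter documentation instead of an absolute URL. The same hunk also writes the port as `https/:443`, which PATCH 6/8 changes to `https/443`; settle on one spelling here.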
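Review bot: The rewritten opening sentence in PATCH 6/8 reads `connect remote systems`, which is missing `to`. In the same paragraph, `functionalites`, `pragraph` and `the Nextcloud GmbH` survive unchanged through PATCH 8/8. Suggested wording: "Some functionalities require the Nextcloud server to be able to connect to remote systems via https/443. This paragraph also lists the data transmitted to Nextcloud GmbH."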
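Review bot: Dropping the `www.` prefix on the first list line in PATCH 7/8 changes the hostnames admins will copy into firewall or proxy allowlists, and the commit message ("Update harden_server.rst") gives no reason for the change. Confirm which names the connectivity check actually requests and say so in the commit message. If both the bare and the `www.` form can be contacted, list both so an allowlist built from this page does not break the check.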