From 219867f1d065de62c6e0eacabbe28e274ebb12ed Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 10:06:25 +0200 Subject: [PATCH 1/8] Update harden_server.rst add fields to be submitted to Nextcloud servers Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 35 +++++++++++++++------ 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 37b05e147..1802d4b71 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -236,20 +236,35 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require connecting to remote servers. Depending on -your server setup, these are the possible connections: +Some Nextcloud functionalites require connecting to remote servers. +This pragraph also outlines the data which is transmitted to the Nextcloud GmbH. +Depending on your server setup, these are the possible connections: - www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection -- cloud.nextcloud.com (https) for validating the enterprise subscription -- updates.nextcloud.com (https) for Nextcloud server updates -- push-notifications.nextcloud.com (https) for sending push notifications to mobile clients -- pushfeed.nextcloud.com (https) for the Nextcloud announcements app -- lookup.nextcloud.com (https) for updating and lookups to the federated sharing addressbook -- surveyserver.nextcloud.com (https) if the admin has agreed to share anonymized data -- apps.nextcloud.com (https) for available apps and their updates -- github.com (https) for downloading Nextcloud standard apps +- cloud.nextcloud.com (https) + - used for enterprise license monitoring + - submitted data: subscription key, user count +- updates.nextcloud.com (https) + - to check for available Nextcloud server updates + - submitted data: server version, subscription key, install time, instance id, instance size +- apps.nextcloud.com (https) + - to check for available apps and their updates + - submitted data: subscription key +- github.com (https) + - to download Nextcloud standard apps +- push-notifications.nextcloud.com (https) + - sending push notifications to mobile clients + - submitted data: unique device identifier, pblic key, push token +- pushfeed.nextcloud.com (https) + - for the Nextcloud announcements app +- lookup.nextcloud.com (https) + - for updating and lookups to the federated sharing addressbook +- 
surveyserver.nextcloud.com (https) + - if the admin has agreed to share anonymized server data + - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing + Setup fail2ban -------------- From 19342c0b8df6d07fb5171618de84af26d5f3abfa Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 10:28:40 +0200 Subject: [PATCH 2/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 1802d4b71..d637b2f44 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -236,8 +236,8 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require connecting to remote servers. -This pragraph also outlines the data which is transmitted to the Nextcloud GmbH. +Some Nextcloud functionalites require the server to connect to remote servers. +This pragraph includes the data which is transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: - www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection 
@@ -256,9 +256,10 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, pblic key, push token - pushfeed.nextcloud.com (https) - - for the Nextcloud announcements app + - checking for updates to be shown in the Nextcloud announcements app - lookup.nextcloud.com (https) - for updating and lookups to the federated sharing addressbook + - submitted data: *pending* - surveyserver.nextcloud.com (https) - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps From f4b2b2a25162420355c4529dfcedf5123c22170e Mon Sep 17 00:00:00 2001 From: Rello Date: Thu, 16 May 2024 14:28:45 +0200 Subject: [PATCH 3/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index d637b2f44..397f5a0d5 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -256,11 +256,14 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, pblic key, push token - pushfeed.nextcloud.com (https) - - checking for updates to be shown in the Nextcloud announcements app + - optional + - checking for updates to be shown in the Nextcloud Announcements app - lookup.nextcloud.com (https) + - optional - for updating and lookups to the federated sharing addressbook - submitted data: *pending* - surveyserver.nextcloud.com (https) + - optional - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing 
From 0b0cb86c7a2a27fe8bf18ae55f5da94cbdb10f9a Mon Sep 17 00:00:00 2001 From: Bastian Derigs <155444921+derigs@users.noreply.github.com> Date: Thu, 16 May 2024 15:17:55 +0200 Subject: [PATCH 4/8] Update harden_server.rst Signed-off-by: Bastian Derigs <155444921+derigs@users.noreply.github.com> --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index 397f5a0d5..bf8c20691 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -254,7 +254,7 @@ Depending on your server setup, these are the possible connections: - to download Nextcloud standard apps - push-notifications.nextcloud.com (https) - sending push notifications to mobile clients - - submitted data: unique device identifier, pblic key, push token + - submitted data: unique device identifier, public key, push token - pushfeed.nextcloud.com (https) - optional - checking for updates to be shown in the Nextcloud Announcements app From ce4a1a0af0d95164a15ff47ea82bf5b63065973d Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 09:52:02 +0200 Subject: [PATCH 5/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 30 ++++++++++++--------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index bf8c20691..ddad63af5 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -236,38 +236,42 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require the server to connect to remote servers. -This pragraph includes the data which is transmitted to the Nextcloud GmbH. +Some Nextcloud functionalites require the server to be able to connect remote servers via https/:443. +This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: -- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection -- cloud.nextcloud.com (https) +- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org + - for checking the internet connection + - `optional (config)`_ +- cloud.nextcloud.com - used for enterprise license monitoring - submitted data: subscription key, user count -- updates.nextcloud.com (https) +- updates.nextcloud.com - to check for available Nextcloud server updates - submitted data: server version, subscription key, install time, instance id, instance size -- apps.nextcloud.com (https) +- apps.nextcloud.com - to check for available apps and their updates - submitted data: subscription key -- github.com (https) +- github.com - to download Nextcloud standard apps -- push-notifications.nextcloud.com (https) +- push-notifications.nextcloud.com - sending push notifications to mobile clients - submitted data: unique device identifier, public key, push token -- pushfeed.nextcloud.com (https) - - optional +- pushfeed.nextcloud.com - checking for updates to be shown in the Nextcloud Announcements app -- lookup.nextcloud.com (https) - optional +- lookup.nextcloud.com - for updating and lookups to the federated sharing addressbook - - submitted data: *pending* -- surveyserver.nextcloud.com (https) - optional + - submitted data: *pending* +- surveyserver.nextcloud.com - if the admin has agreed to share anonymized server data + - optional - 
submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing +.. _optional (config): https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#has-internet-connection + Setup fail2ban -------------- From af3c0ecc56396aba538de70a94de1156259fd829 Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 09:55:59 +0200 Subject: [PATCH 6/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index ddad63af5..cb93991ad 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -236,7 +236,7 @@ security headers are shipped. Connections to remote servers ----------------------------- -Some Nextcloud functionalites require the server to be able to connect remote servers via https/:443. +Some functionalites require the Nextcloud server to be able to connect remote systems via https/443. This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: From f926534f95aa679182783570fd4fbfdf41e69494 Mon Sep 17 00:00:00 2001 From: Bastian Derigs <155444921+derigs@users.noreply.github.com> Date: Fri, 17 May 2024 11:23:02 +0200 Subject: [PATCH 7/8] Update harden_server.rst Signed-off-by: Bastian Derigs <155444921+derigs@users.noreply.github.com> --- admin_manual/installation/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index cb93991ad..bba803184 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst 
@@ -240,7 +240,7 @@ Some functionalites require the Nextcloud server to be able to connect remote sy This pragraph also includes the data which is being transmitted to the Nextcloud GmbH. Depending on your server setup, these are the possible connections: -- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org +- nextcloud.com, startpage.com, eff.org, edri.org - for checking the internet connection - `optional (config)`_ - cloud.nextcloud.com From 0e62fbc0b4b96060ed13f87bcbd3f03986801e42 Mon Sep 17 00:00:00 2001 From: Rello Date: Fri, 17 May 2024 12:58:37 +0200 Subject: [PATCH 8/8] Update harden_server.rst Signed-off-by: Rello --- admin_manual/installation/harden_server.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst index bba803184..8b9f331c2 100644 --- a/admin_manual/installation/harden_server.rst +++ b/admin_manual/installation/harden_server.rst @@ -241,8 +241,8 @@ This pragraph also includes the data which is being transmitted to the Nextcloud Depending on your server setup, these are the possible connections: - nextcloud.com, startpage.com, eff.org, edri.org - - for checking the internet connection - `optional (config)`_ + - for checking the internet connection - cloud.nextcloud.com - used for enterprise license monitoring - submitted data: subscription key, user count 
@@ -258,15 +258,15 @@ Depending on your server setup, these are the possible connections: - sending push notifications to mobile clients - submitted data: unique device identifier, public key, push token - pushfeed.nextcloud.com + - optional - checking for updates to be shown in the Nextcloud Announcements app - - optional - lookup.nextcloud.com - - for updating and lookups to the federated sharing addressbook - optional + - for updating and lookups to the federated sharing addressbook - submitted data: *pending* - surveyserver.nextcloud.com - - if the admin has agreed to share anonymized server data - optional + - if the admin has agreed to share anonymized server data - submitted data: instance id, server versions (incl. php & db), installed apps - Any remote Nextcloud server that is connected with federated sharing
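Review bot: the "submitted data: *pending*" line added under lookup.nextcloud.com in the second hunk of PATCH 2/8 is a placeholder, and it is still present as unchanged context in the last hunk of PATCH 8/8, so it would ship in the admin manual as written. Either list the fields that are actually sent to the lookup server or drop the line until they are confirmed; an admin deciding whether to permit this connection cannot act on "pending".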
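Review bot: in the PATCH 5/8 hunk the entries for github.com, pushfeed.nextcloud.com and the connectivity-check hosts carry no "submitted data:" line while every other Nextcloud-operated host does, so a reader cannot tell "nothing is sent" from "not documented yet". Add an explicit line to each of them (for example "submitted data: none", where that is the case), and do the same for the closing "Any remote Nextcloud server that is connected with federated sharing" item.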
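Review bot: the intro sentence rewritten in PATCH 6/8 still contains "functionalites" and "connect remote systems" (missing "to"), and the following line, which stays unchanged through PATCH 8/8, still reads "This pragraph also includes the data which is being transmitted to the Nextcloud GmbH". Suggested wording: "Some functionalities require the Nextcloud server to be able to connect to remote systems via HTTPS (port 443). This section also lists the data that is transmitted to Nextcloud GmbH."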
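Review bot: PATCH 7/8 changes the connectivity-check hosts from "www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org" to the bare domains without a reason in the commit message. This list gets copied into hostname-based proxy and firewall allowlists, where "nextcloud.com" and "www.nextcloud.com" are different entries, so please confirm the names match exactly what the server requests and say so in the commit message.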
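Review bot: the bare "- optional" items that the second hunk of PATCH 8/8 moves to the top of pushfeed.nextcloud.com, lookup.nextcloud.com and surveyserver.nextcloud.com do not say how the connection is switched off, unlike the connectivity check, which links to its setting through "`optional (config)`_". Point each one at the setting or app that disables it, so the section can be used to decide which outbound destinations a hardened server needs.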