Image Credit: Garrett LeSage
https://flic.kr/p/iYxHLh
Security is the biggest strength of Nextcloud and the new release continues our track record of introducing new, innovative technologies to protect Nextcloud servers. In Nextcloud 12, a number of improvements for Bruteforce Protection were made and we introduced Rate Limiting as an option for app developers to make it harder to spam users on Nextcloud servers. This article will explain these new protections and help developers who work on Nextcloud apps to support them in their applications.
Nextcloud 11 introduced better password handling, CSP 3.0 and Same-site Cookies support improvements and expanded brute force protection. In Nextcloud 12, Bruteforce Protection can now be used by application developers to improve the protection of their application.
New in Nextcloud 12 is Rate Limiting. Rate Limiting can help protect servers from getting overloaded by broken apps and from users downloading too much data too quickly.
Brute Force Protection is meant to protect Nextcloud servers from attempts to guess user passwords in various ways. Besides the obvious “let’s try a big list of commonly used passwords” attack, it also makes it harder to use slightly more sophisticated attacks via the reset password form or trying to find app password tokens.
If triggered, brute force protection makes requests coming from an IP on a bruteforce protected controller with the same action slower and slower for a 24 hour period. The slow-down is up to 1 minute, slowly ramping up with increasing numbers of retries. One minute might not be much but slowing down retries from hundreds of times per second to 60 per hour effectively negates the danger of most brute force attempts. Triggers to the Brute Force Protection mechanism are stored in the database and result in a log entry so the admin can keep an eye on attempts at break in through brute force attacks.
Bruteforce protection can now be used by controllers of any app in a very easy way by adding an Annotation on a controller.
@BruteForceProtection(action=string)
string is the name of the action. Such as login or reset. Brute-force attempts are on a per-action basis; this means if a violation for the login action is triggered, other actions such as reset or foobar are not affected.
The throttle() method has to be called on the response in case of a violation. Doing so will increase the throttle counter and make following requests slower.
Find more details and an example controller method in the documentation.
Rate Limiting is a new security capability in Nextcloud 12. It allows a developer to specify how often an IP range or a user may send a request in a specific time period. This can be useful for expensive API calls, to prevent users from accessing too much data in a smaller attempt of time or harden bruteforce stuff further.
Rate limiting is currently only enabled if a memory cache is configured because every request is logged, requiring a potentially very large amount of database writes. Fallback to database may be added in the future, however the load on the database would be significant.
Like with Brute Force Protection, Rate Limiting can be enabled by adding Annotations to the controller:
@UserRateThrottle(limit=int, period=int) The rate limiting that is applied to logged-in users. If not specified Nextcloud will fallback to AnonUserRateThrottle.
@AnonRateThrottle(limit=int, period=int) The rate limiting that is applied to guests.
Rate limiting is only applied to the current controller method. So if the rate limit for one method is reached only the controller method will deliver a 429 status code.
More details and example code can be found in the documentation.
On Github, see a real life example on how rate limiting can be easily applied: Nextcloud Server pull request 4434.
As the above pull request shows, Rate Limiting and Brute Force Protection have been applied in the core Nextcloud code. We call on app developers to follow that example and implement these extra protections in their applications, making it even harder for adversaries to break the security of Nextcloud systems!
Nextcloud CEO Frank Karlitschek wins the European Open Source Award for Business & Impact, highlighting the strength of open source and its community.
Read More
Introducing the ADA engine, Nextcloud’s new data access architecture: Faster file access, lower server load, direct S3 downloads, and more.
Read More
Looking for a sovereign Microsoft Office alternative? Learn how Nextcloud puts you back in control of your data and online collaboration.
Read More
Join us on 18 February for Nextcloud’s latest release and see what the future of your digital workspace looks like!
Read More
The first ethical, open-source AI assistant that can get a multitude of tasks done for you without compromising your data.
Read More
How do you modernize digital collaboration in government without losing control over your data? Austria’s Federal Ministry for Economy, Energy and Tourism (BMWET) faced this challenge in 2024 - and decided to take a clear, pragmatic step toward digital sovereignty.
Read More
Nextcloud Hub 25 Autumn makes it easier to get started with powerful collaboration while fully in control of your data. From global design updates to improved usability and performance, discover our latest release in this blog.
Read More
Nextcloud has published its first Digital Sovereignty Index (DSI) to showcase the status of digital sovereign infrastructure.
Read More
Passionate about data privacy and Nextcloud? We invite you speak at the Nextcloud Community Conference to share your experience, knowledge and news with the community!
Read More
Discover the Microsoft 365 alternative by Nextcloud and IONOS: the Nextcloud Workspace office suite, launching in the course of 2025.
Read More
Nextcloud becomes the first cloud software platform to earn the Blauer Engel ecolabel, proving that digitally sovereign and green IT is possible.
Read More
For the ninth time, Nextcloud has been nominated for the CloudComputing-Insider Readers’ Choice Award in the category of Cloud Content Management. We’d love to reach the top again! And we’re looking for the support of you and everyone else in our amazing community to get there. Nextcloud as the best Cloud Content Management tool? Only […]
Read More
In the Nextcloud 2024 wrap-up, we want to take a moment to celebrate this year's achievements. Join us as we continue to reimagine what’s possible - shaping a world where open source, privacy and connection come together and drive progress for the greater good.
Read More
Organisations, small and large, need a way to ensure the resiliency and digital sovereignty of their operations – an open-source, privacy-respecting alternative to Teams. And today, we present that solution - Nextcloud Talk.
Read More
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Read More
Nextcloud has been awarded Platinum at the IT Awards 2024. Today, we celebrate this win together!
Read More
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
Read More
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
Read More
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Read More
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Read More
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Read More
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
Read More
Nextcloud founder and CEO Frank Karlitschek earns the honorary SFS Award at the 20th annual SFSCON taking place in South Tyrol, Italy.
Read More
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Read More
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
Read More
Our mission is to help individuals, businesses and organizations achieve digital sovereignty and regain control over their data. Nextcloud Hub 5 marks a massive step forward towards achieving this mission, putting the power of AI into your hands – in a way that keeps you in control. New release, new possibilities Hub 5 builds on […]
Read More
Nextcloud has been officially recognized by the Digital Public Goods Alliance (DPGA), underscoring its long-standing commitment to open source, privacy, and data control.
Read More