I have had a NextCloud up & running for a few weeks thus far and haven’t had any problems. The reason I can’t just connect to it via VPN is that I want to share links of files with other people. I always keep the system up to date and I think I configured nginx correctly. I have blocked all requests to ports other than 80 and 443, but the firewall is still not the best right now: someone can send many requests in a short timeframe. I have also used tools like pentest-tools.com and some others, but those say that there are no major vulnerabilities. I also keep track of logs with a tool called logwatch. Any tips and tricks or resources (articles, videos, etc.) would be much appreciated. Or maybe you want to know more about my setup. I know that NextCloud can be really secure if everything is done right!

  • remotelove@lemmy.ca · 3 days ago

    Unless you need random public access, move the ports from 80/443 to high ports above 10k or so. That will cut random internet scans down considerably as most are just basic connection scans to common ports. It doesn’t stop everything, but your logs will thank me. Security by obscurity is just a parlor trick, but it has its uses.

    If you don’t want to do that, you can still limit connections with something like Suricata. It absolutely is an extra step and is another point of failure.

    For your firewall, limit what it responds to if you haven’t already. You can have conditions where it may respond with an ICMP destination unreachable when a scanner says “hi” to a closed port. This is good in normal circumstances inside of a network, but the open internet is not a normal place.

    Moving traffic to weird ports and hampering ICMP may introduce weird problems in itself, but nothing that would be completely fatal to a connection. (Web browsers and other apps will walk up through high ports for response ingress. In some cases, this could cause an issue when using high ports for new connections. It really depends on the firewall and its configs.)

    But, feel free to keep raw-dogging the open internet. All software is super secure until it isn’t, and that sucks.
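To make the two firewall points in the reply above concrete (answer closed ports with silence instead of an ICMP unreachable, and throttle bursts of new connections from one source), here is an nftables ruleset written as an added example; it is not from the thread or from the Nextcloud project. It assumes a Linux host using nftables, that only 80/443 are exposed, and that the rate values are illustrative; the per-source limit matches IPv4 only (`ip saddr`), so an equivalent `ip6 saddr` rule would be needed for IPv6 clients.

```nft
# Added example: minimal inet ruleset for a public Nextcloud host.
# Load with: nft -f this-file   (flush existing rules first if you replace them)
table inet filter {
    # Dynamic set that tracks new-connection rate per client address.
    set web_ratelimit {
        type ipv4_addr
        flags dynamic
        timeout 5m
    }

    chain input {
        # Policy DROP: anything not explicitly accepted is silently discarded.
        # No "reject with icmp type port-unreachable" rule exists here on purpose,
        # so a scanner probing a closed port gets no ICMP reply at all.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Drop a source that opens more than 30 new HTTP/HTTPS connections per
        # minute (small burst allowed). Illustrative values; tune to real traffic.
        tcp dport { 80, 443 } ct state new \
            update @web_ratelimit { ip saddr limit rate over 30/minute burst 10 packets } \
            counter drop

        # Only the web ports are reachable; everything else falls to policy drop.
        tcp dport { 80, 443 } ct state new accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

The `counter` on the rate-limit rule gives you a number to watch in logwatch or `nft list ruleset` so you can see whether the threshold is actually catching bursts or just hitting legitimate users.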