Admin account repeatedly disabled for unknown reason

Nextcloud version (eg, 29.0.5): 29.0.1.1
Operating system and version (eg, Ubuntu 29.04): Open Media Vault 7
Apache or nginx version (eg, Apache 2.4.25): Apache packaged with AIO
PHP version (eg, 8.3): replace me

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Log in to Nextcloud admin account
  2. Leave and come back in an hour
  3. Try to log in again, fail

The output of your Nextcloud log in Admin > Logging:

Is there a way to access this if you can't log in to the admin?

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'appsallowlist' => false,
  'check_data_directory_permissions' => false,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'nextcloud-aio-redis',
    'password' => 'REDACTED',
    'port' => 6379,
  ),
  'overwritehost' => 'REDACTED',
  'overwriteprotocol' => 'https',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED' => 
  array (
    0 => 'localhost',
    1 => 'REDACTED',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://REDACTED/',
  'dbname' => 'nextcloud_database',
  'dbhost' => 'nextcloud-aio-database',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_nextcloud',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'default_phone_region' => 'US',
  'instanceid' => 'REDACTED',
  'maintenance' => false,
  'updatedirectory' => '/nc-updater',
  'loglevel' => '2',
  'app_install_overwrite' => 
  array (
    0 => 'nextcloud-aio',
  ),
  'log_type' => 'file',
  'logfile' => '/var/www/html/data/nextcloud.log',
  'log_rotate_size' => '10485760',
  'log.condition' => 
  array (
    'apps' => 
    array (
      0 => 'admin_audit',
    ),
  ),
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'enabledPreviewProviders' => 
  array (
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
    0 => 'OC\\Preview\\Imaginary',
  ),
  'enable_previews' => true,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto, 30',
  'activity_expire_days' => '30',
  'simpleSignUpLink.shown' => false,
  'share_folder' => '/Shared',
  'one-click-instance.link' => 'https://nextcloud.com/all-in-one/',
  'upgrade.cli-upgrade-link' => 'https://github.com/nextcloud/all-in-one/discussions/2726',
  'maintenance_window_start' => 100,
  'allow_local_remote_servers' => true,
  'davstorage.request_timeout' => 3600,
  'htaccess.RewriteBase' => '/',
  'dbpersistent' => false,
  'auth.bruteforce.protection.enabled' => true,
  'ratelimit.protection.enabled' => true,
  'files_external_allow_create_new_local' => true,
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '192.168.240.1/32',
  ),
  'preview_imaginary_url' => 'http://nextcloud-aio-imaginary:9000',
  'preview_imaginary_key' => 'REDACTED',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'REDACTED',
  'mail_domain' => 'gmail.com',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'REDACTED',
  'mail_smtppassword' => 'REDACTED',
);




The output of your Apache/nginx/system log in /var/log/____:

N/A because docker?

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"av9NthjhDDzHWOtjVx7j","level":2,"time":"2024-06-28T13:12:22+00:00","remoteAddr":"192.168.0.1","user":"febb2c01a1cf3c2476ffbe352cedcf5a00e963732ff05a1abb0416000e0de6f7","app":"suspicious_login","method":"GET","url":"/apps/user_oidc/code?code=cb5e4541c2f34c4ba06d63ac93cc7c0b&state=FBUELH7L09NJUJJDSAKNYEZNI219N5IR","message":"Could not predict suspiciousness: No models found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.1.1","data":{"app":"suspicious_login"}}
{"reqId":"1aR7A5nZW4yuPkI4Hy8i","level":2,"time":"2024-06-28T13:19:27+00:00","remoteAddr":"192.168.0.1","user":"admin","app":"suspicious_login","method":"POST","url":"/login","message":"Could not predict suspiciousness: No models found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.1.1","data":{"app":"suspicious_login"}}
{"reqId":"1disJoUpjQoAALowTG3q","level":2,"time":"2024-06-28T16:53:09+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/apps/spreed/api/v3/signaling/settings","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"VTJYQY17sG7rqfwS60SJ","level":2,"time":"2024-06-28T16:53:09+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"Av414tsleGQF5bSZuWxQ","level":2,"time":"2024-06-28T16:53:09+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"O21MHpOP8iWGtxQe1uan","level":2,"time":"2024-06-28T16:53:11+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"oAk0mLxKoBxIyFFGehKg","level":2,"time":"2024-06-28T16:53:11+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"njGHMYptTVNNERcHbedd","level":2,"time":"2024-06-28T16:53:13+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"Kfvwcw72KZYZ7StURsXP","level":2,"time":"2024-06-28T16:53:15+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"TS18BQFH4YiGBZJb0AnC","level":2,"time":"2024-06-28T16:53:20+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"0hZUpvbnfAplt2CqxWnd","level":2,"time":"2024-06-28T16:53:29+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"kBdcDSyMPZNTtLkX4wcQ","level":2,"time":"2024-06-30T04:56:27+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"pZlFNZox0HncF5GB2mAt","level":2,"time":"2024-06-30T04:56:27+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"cE1Bs1ucdDOAdai3EKrN","level":2,"time":"2024-06-30T04:56:28+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"826mqow9N87BzDiC9oEg","level":2,"time":"2024-06-30T04:56:28+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"FBv5rpwABrnGSqogJedW","level":2,"time":"2024-06-30T04:56:31+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"SbqY1ar26lJkza0OpO6c","level":2,"time":"2024-06-30T04:56:31+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"vyaiKNjoOdeElyfxwlpR","level":2,"time":"2024-06-30T04:56:38+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"ywdjOow9SGCejP1gPHIG","level":2,"time":"2024-06-30T04:56:38+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/cloud/capabilities","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}
{"reqId":"qPZ9p0n74LcexIczpq6V","level":2,"time":"2024-06-30T04:57:04+00:00","remoteAddr":"192.168.0.1","user":"--","app":"core","method":"GET","url":"/ocs/v2.php/apps/spreed/api/v3/signaling/settings","message":"Login failed: 'admin' (Remote IP: '192.168.0.1')","userAgent":"Mozilla/5.0 (Android) Nextcloud-Talk v19.0.1","version":"29.0.1.1","data":{"app":"core"}}

From the looks of your logs, you have numerous invalid login attempts from one of your Nextcloud Talk profiles from an Android device.

In addition, if I had to guess, your trusted_proxy / reverse proxy configuration may be incorrect unless both your Android and Windows devices both have the exact same IP address (192.168.0.1).

Both of these conditions, on their own, would cause problems, but combined they’d be even more apparent.

Please check Administration settings->Overview for any warnings or errors as well. There are setup checks there which attempt to detect reverse proxy config matters.

Normally I’d say just reset the IP from the command line using occ security:bruteforce:reset but you may need to disable BFP temporarily to get your config issues sorted out. You can temporarily disable BFP if need be via your config.php.

You also could be hitting the Password Policy if you change it from the default: User password policy — Nextcloud latest Administration Manual latest documentation

Docs to help you sort it out:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html

See, that’s the thing. I don’t know where those logins are coming from. They’re at times I’m not even awake. But my domain name is through cloudflare, and they’re not logging any traffic to the site. Which I would think means the attempts have to be local. But I’m the only one set up on it so far, and I’m definitely not the one trying to log in at those times.

Oh, and that address is the local address of my router.

Keep in mind this times are GMT (from the looks of it).

Were there any warnings or errors under Admin settings->Overview?

192.168.240.1/32

Is the above tour reverse proxy?

No, that’s not the reverse proxy address. That’s the gateway address for the nextcloud docker network itself.

As for overview warnings,
Just this:

Some headers are not set correctly on your instance - The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The X-Frame-Options HTTP header is not set to sameorigin. Some features might not work correctly, as it is recommended to adjust this setting accordingly. - The X-Permitted-Cross-Domain-Policies HTTP header is not set to none. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly. - The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The invalid login attempts in the logs you provided are just from the Talk app. They could be happening automatically periodically. Do you have the app installed on one of your Android devices? Is one of the configured profiles in it the admin account?

Yes and yes. I just uninstalled Talk from my phone. We’ll see if that makes a difference.