Brute force app enabled by default?

According to the docs (Brute force protection — Nextcloud latest Administration Manual latest documentation), the bruteforce app is enabled by default.

I can’t remember disabling it, but it is not enabled for me.
At the same time, the Nextcloud security scanner shows me that brute force is enabled.

Did we move the app functionality into NC itself?
Does the app only provide settings nowadays?
Is this out-of-date documentation?

What brings you to this conclusion?

Yes, but it can be disabled by adding the following line to the config.php:

'auth.bruteforce.protection.enabled' => false,

Yes. That’s why it is called “Brute-Force settings”.

I don’t think so. Why do you think it’s outdated? And again, why do you think brute force protection is disabled for you?

Sorry, I should have written it more clearly.

The app itself is disabled. But security scan says it is enabled.

What I meant: does it only provide additional settings and brute force is enabled by default?

Maybe it is simpler to see what I mean on Github.
Here are the changes:
https://github.com/nextcloud/documentation/pull/12066

Please post the details for the scan.

I think that’s what it always says. This is also the case for me and other Nextclouds. Maybe someone should write an issue.

Yes!

  1. The actual brute-force protection functionality and the “Brute-force settings” app are two separate things.

  2. The brute-force protection is part of the core and is enabled by default.

  3. It is not installed as an app, and therefore cannot be disabled or uninstalled via the Apps menu or the occ app command. It can only be disabled by adding the following line to the config.php:

    'auth.bruteforce.protection.enabled' => false,
    
  4. The “Brute-force settings” app, as the name suggests, is just a settings app that provides an interface in the webUI to exclude certain IPs or IP ranges from the brute-force protection.

  5. Disabling the “Brute-force settings” app does not disable the actual brute-force protection, it just removes the settings from the UI.

  6. The pull request you linked to is about enabling the “Brute-force settings” app by default, and not about the actual brute-force protection functionality, which has been enabled by default since it moved to the core.

3 Likes
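The distinction in the list above, as an added example that is not part of the original thread and not Nextcloud's own code: a shell check that reads the core switch from a config.php and reports it next to the settings app's state. The function names `core_bruteforce_state` and `summarize` are hypothetical, the sample config is constructed, and the check assumes a single config.php with whole-line comments only.

```shell
#!/bin/sh
# Added example: read the core brute-force switch from a config.php,
# independently of the "Brute-force settings" app state.

# Prints enabled | disabled | unknown for the config file given as $1.
core_bruteforce_state() {
    [ -r "$1" ] || { echo unknown; return 1; }
    awk '
        /^[ \t]*(\/\/|#|\/?\*)/ { next }   # ignore whole-line comments
        # The "." after the key name matches its closing quote character.
        match($0, /auth\.bruteforce\.protection\.enabled.[ \t]*=>[ \t]*/) {
            v = substr($0, RSTART + RLENGTH)
            sub(/[, \t\r].*/, "", v)       # keep only the value token
            v = tolower(v); seen = 1       # last assignment wins
        }
        END {
            if (!seen)             print "enabled"   # key absent: core default
            else if (v == "false") print "disabled"
            else if (v == "true")  print "enabled"
            else                   print "unknown"   # anything else: check by hand
        }
    ' "$1"
}

# $1 = state of the settings app as the Apps menu shows it, $2 = config.php
summarize() {
    echo "settings-app=$1 core-protection=$(core_bruteforce_state "$2")"
}

# Constructed sample config: the key is only present in a comment,
# and the settings app is reported as disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'constructed-example',
  // 'auth.bruteforce.protection.enabled' => false,
);
EOF
summarize disabled "$sample"
rm -f "$sample"
```

Only an explicit `false` for the key reports the core protection as disabled; the state of the settings app never changes the result.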

That is good to hear. The GH issue is still valid in my opinion, since the doc now wrongfully claims that the settings app is enabled by default, which is not true?

Well, if the linked pull request is accepted, the part where it says it’s enabled by default would be removed from the documentation, although I think it would make more sense to actually enable the app by default instead :wink:

Anyway, that’s all we can do here in the forums, but feel free to open an issue on GitHub or add a comment to this pull request.

1 Like

Thank you!
