Bruteforce & 2FA in *DAV?

I would like to know about the integration of the security features besides the web/client login.

Are the DAVs like CalDav, CardDav, WebDav also protected by Bruteforce?
2FA would not make sense during a CardDav sync, I would guess. On the other hand, this handles - in many cases - perhaps even more sensitive data than the files themselves.

Is there any information on this?

How about hardening your system with Fail2Ban and iptables?

Yes - one point.
But my question is: is *DAV using the same procedures here?

  • Are DAV logins also delayed via bruteforce, and can they be whitelisted?
  • Does a faulty DAV login trigger the same error in the Nextcloud log which you are referring to in your config?

Reason for asking: I could not find any reference in the DAV code for

"Login failed: '.*' (Remote IP: '')"

OK,
it is covered. I managed to reproduce an incorrect login:

{"reqId":"TGCGTuRsyu300JsJzXVY","level":2,"time":"2019-04-03T19:26:27+00:00","remoteAddr":"91.64.86.xx","user":"--","app":"core","method":"PROPFIND","url":"/nextcloud/remote.php/dav/principals/users/xx/","message":"Login failed: 'xx' (Remote IP: '91.64.86.xx')","userAgent":"Mac OS X/10.13.6 (17G5019) AddressBook/1808.8","version":"15.0.5.3"}


Hey, I tested and updated the gist. You only have to add 1 line to the rule: ^{.*Login failed: '.*' \(Remote IP: '<HOST>'\).*}$ and this will cover GUI and WebDAV access as you wrote.
Also, if you have the Bruteforce app installed, the pattern in the logs will be as follows; you will always see 2 entries in the log:

For GUI:

{"reqId":"bFnTdevf7ZdCMQ5ddmNl","level":2,"time":"2019-04-03T21:49:30+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'Tralololjlkl' (Remote IP: '10.11.12.13')","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}
{"reqId":"bFnTdevf7ZdCMQ5ddmNl","level":1,"time":"2019-04-03T21:49:30+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Bruteforce attempt from \"10.11.12.13\" detected for action \"login\".","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}

For WebDav:

{"reqId":"Q4wX3I4LOUeuMV4wRK91","level":2,"time":"2019-04-03T22:14:11+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"GET","url":"\/remote.php\/dav\/files","message":"Login failed: 'test' (Remote IP: '10.11.12.13')","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}
{"reqId":"Q4wX3I4LOUeuMV4wRK91","level":1,"time":"2019-04-03T22:14:11+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"GET","url":"\/remote.php\/dav\/files","message":"Bruteforce attempt from \"10.11.12.13\" detected for action \"login\".","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}
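An added example, not part of the posts above and not taken from the gist: it runs the rule as posted over constructed log lines modelled on the entries in this thread, to confirm that one rule catches failed logins on both the GUI and the DAV endpoints while the "Bruteforce attempt" companion entry is not counted a second time. `HOST_GROUP` is an assumed, simplified stand-in for fail2ban's `<HOST>` tag, and the helper names and the address `192.0.2.7` are hypothetical.

```python
import json
import re
from collections import Counter

# Rule exactly as posted in the thread.
FAILREGEX = r"^{.*Login failed: '.*' \(Remote IP: '<HOST>'\).*}$"
# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
RULE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

def make_line(level, method, url, message, ip):
    """Build one constructed nextcloud.log entry with the fields seen in the thread."""
    return json.dumps({
        "reqId": "constructed", "level": level, "remoteAddr": ip,
        "user": "--", "app": "core", "method": method, "url": url,
        "message": message, "version": "15.0.5.3",
    })

def failed(user, ip):
    return f"Login failed: '{user}' (Remote IP: '{ip}')"

def throttled(ip):
    return f'Bruteforce attempt from "{ip}" detected for action "login".'

# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = [
    make_line(2, "POST", "/index.php/login", failed("Tralololjlkl", "10.11.12.13"), "10.11.12.13"),
    make_line(1, "POST", "/index.php/login", throttled("10.11.12.13"), "10.11.12.13"),
    make_line(2, "GET", "/remote.php/dav/files", failed("test", "10.11.12.13"), "10.11.12.13"),
    make_line(1, "GET", "/remote.php/dav/files", throttled("10.11.12.13"), "10.11.12.13"),
    make_line(2, "PROPFIND", "/nextcloud/remote.php/dav/principals/users/xx/",
              failed("xx", "192.0.2.7"), "192.0.2.7"),
]

def failed_logins(lines):
    """Count rule matches per (host the rule would report, entry point)."""
    hits = Counter()
    for raw in lines:
        match = RULE.match(raw)
        if match is None:
            continue  # e.g. the level-1 "Bruteforce attempt" companion entry
        url = json.loads(raw)["url"]
        entry_point = "dav" if "/remote.php/dav" in url else "gui"
        hits[(match.group("host"), entry_point)] += 1
    return hits

if __name__ == "__main__":
    for (host, entry_point), count in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{host} {entry_point} failed={count}")
```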

Hello,
I don't get it. What did you change in your rule? If I did not miss something, the old one would have covered it already?!

I updated the rule; it was too long. With one shorter rule instead of two big ones you will get the same effect.