Bruteforce is uninstalled , YET I am locked out and don't get rid of it

I made the horrible mistake of installing Bruteforce protection. I use a mobile phone app (DAVx) to sync my calendar with the Calendar in Nextcloud and it has always worked fine; now when I moved my installation to another server with Debian 12 on it, I re-installed Nextcloud since the version I used was 24.x.

When I installed it I thought that I should try Bruteforce protection and that went straight to h##l, I was locked out because the sync with the phone was not working for the new install of NC.

I then uninstalled Bruteforce but it still keeps on blocking me. It’s annoying! I want to completely wipe it now. I have deleted the plugin from disk too. Where else is it stored?

(for those who say that I should keep it, please don’t. I don’t want it. I have other things to do on my days than getting p#ssed off since I can’t work because of this. No one else pays my salaries but my customers and thereby myself).
All I want is some help to get rid of the bruteforce thingy once and for all.

Any ideas?

(and I have disabled DAVx in my phone, but I REALLY don’t want the bruteforce “protection”)


Nextcloud version : 27.1.1
Operating system and version : Debian 12
Apache version: Server version: Apache/2.4.57 (Debian)
MySQL: mysql Ver 15.1 Distrib 10.11.3-MariaDB
PHP version: 8.0 (YES, I am aware of that it should be 8.2, but I don’t get it to run with 8.2 with ISPconfig3)

The issue you are facing:

(see intro)

Is this the first time you’ve seen this error? Y (had it since I installed it since a week ago)

Steps to replicate it:

  1. Install (don’t do that, you will regret it!) Bruteforce protection
  2. Use a mobile set up with DAVx that keeps on trying to sync

Checkout occ. It is the series of commands letting you perform all administrative actions on Nextcloud.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html

Thanks. I see that I can do this, but it doesn’t help me to completely wipe out bruteforce from my site.

security:bruteforce:reset resets brute-force attemps for given IP address
security:certificates list trusted certificates
security:certificates:import import trusted certificate
security:certificates:remove remove trusted certificate

It’s just crazy if I will have to reinstall everything and NOT choose bruteforce to avoid it. Uninstalling it should be enough.

" If you are behind a reverse proxy or load balancer it is important you make sure it is setup properly. Especially the trusted_proxies and forwarded_for_headers config.php variables need to be set correctly. Otherwise it can happen that Nextcloud actually starts throttling all traffic coming from the reverse proxy or load balancer."

Does this apply?

Also seems this other app lets you whitelist yourself from false positives

https://github.com/nextcloud/bruteforcesettings


I am locked out of my own installation 🙂. It’s ridiculous!

I wish the bruteforce “protection” was optional and not mandatory. For me it’s a total failure. I have disabled my phone from synching, but really that should never be an issue. The whole thing is really annoying. I will probably go back to NC 24.x , where it actually worked.

The whole module is quite annoying, I mean, e.g. whitelisting an IP. 🙂 How many more regular users know how to enter the address in full? 😃 Come on! It’s a module made by tech geeks who forgot that there might be a fairly tech-ignorant person who will use it.

No, it doesn’t apply.

You say it’s “uninstalled” but there is no bruteforce app. I suspect it was the bruteforcesettings app you installed/uninstalled. It’s just a management interface for whitelisting IPs - the brute force feature is always already enabled on its own with - or without - this app. To disable bruteforce protection outright you must add a config parameter to config.php:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#auth-bruteforce-protection-enabled

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html

In other words, the status of the bruteforcesettings app is irrelevant (unless you wish to whitelist your IP).

I will point out this about Brute force protection:

  • it does not lock you out. Technically it just introduces a delay (which maxes out at 25 seconds) into the authentication process. It resets after a successful log-in.
  • it’s been enabled by default going back at least 7 years (to like NC12) so I’m not sure what you mean by “made the horrible mistake of installing Bruteforce protection” since it already always has been enabled (even on your old installation).

You won’t really be locked out by Nextcloud’s built-in Brute Force Protection.
Are you really sure that you don’t have fail2ban installed on your box?
It even describes how to install it in the official manual:
https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#setup-fail2ban

Here are some commands to enlighten you about it (eventually you will need to prepend sudo if you are not root):

  • fail2ban.service active?
systemctl status fail2ban.service

If yes,

  • fail2ban status:
fail2ban-client status
  • check if, and if yes, what IP’s are banned:
fail2ban-client banned
  • unban one or all IP’s:
fail2ban-client unban [ IP | --all ]

and finally

  • uninstall fail2ban:
apt-get remove --purge fail2ban

Much luck,
ernolf


Or if NAT reflection is in place, which I bet is the case here. 😉

Regular users don’t need to know how to do this, but server administrators should, which is what you technically are if you’re running a Nextcloud server.

  • Add 'auth.bruteforce.protection.enabled' => false, to the config.php if you really want to disable it. However, I don’t recommend doing so if your server is exposed to the internet.

  • If you’re using a reverse proxy configure the trusted_proxies accordingly as @just mentioned: Reverse proxy (Nextcloud Administration Manual)

  • If NAT reflection is in place, either set up a local DNS server or whitelist the IP of your router.

If you want to call yourself a tech ignorant, that’s fine, but you should at least be willing to learn some basic things about networking and (web) servers, especially if you’re going to expose your server to the internet. If you’d rather remain a regular user, that’s fine too, but maybe you shouldn’t run servers then.

Either way, your little rant won’t get you anywhere. 😉
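To show why the reverse-proxy / NAT-reflection point in this thread matters, and how the delay-and-reset behaviour described earlier plays out, here is an added simulation (not Nextcloud's code, not from any poster): a throttle keyed on the client address, where X-Forwarded-For is only honoured when the TCP peer is in trusted_proxies. The address-resolution rule and the doubling delay curve are simplified assumptions; only the 25-second cap and the reset on success come from the thread.

```python
import ipaddress
from collections import Counter

MAX_DELAY_S = 25.0  # cap mentioned in the thread


def throttle_key(remote_addr, forwarded_for, trusted_proxies):
    """Address the throttle counts against (simplified model, assumption).
    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy;
    otherwise every request is keyed on the peer, i.e. the proxy or router."""
    peer = ipaddress.ip_address(remote_addr)
    peer_trusted = any(peer in ipaddress.ip_network(p, strict=False)
                       for p in trusted_proxies)
    if peer_trusted and forwarded_for:
        for hop in forwarded_for.split(","):
            try:
                return str(ipaddress.ip_address(hop.strip()))
            except ValueError:
                continue  # skip garbage entries in the header
    return str(peer)


class Throttler:
    """Per-address failed-attempt counter. Delay curve is an assumption
    (0.1 s doubling per failure) capped at MAX_DELAY_S; success resets."""

    def __init__(self):
        self.attempts = Counter()

    def failed(self, key):
        self.attempts[key] += 1

    def succeeded(self, key):
        self.attempts.pop(key, None)

    def delay(self, key):
        n = self.attempts[key]
        return 0.0 if n == 0 else min(0.1 * 2 ** n, MAX_DELAY_S)


def simulate(trusted_proxies):
    """Constructed scenario: a proxy/router at 10.0.0.1 fronts Nextcloud, a
    phone client at 203.0.113.5 keeps failing to sync, and the admin at
    198.51.100.7 then tries to log in. Returns the keys and delays seen."""
    t = Throttler()
    phone = throttle_key("10.0.0.1", "203.0.113.5", trusted_proxies)
    admin = throttle_key("10.0.0.1", "198.51.100.7", trusted_proxies)
    for _ in range(12):
        t.failed(phone)
    return {"phone": phone, "admin": admin,
            "phone_delay": t.delay(phone), "admin_delay": t.delay(admin)}
```

With an empty trusted_proxies both clients collapse onto 10.0.0.1 and the admin inherits the phone's full 25 s delay; with the proxy listed, the admin is keyed separately and sees no delay.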