Bruteforce protection does not work as expected (only small delays)

ℹ️ Support
1

Nextcloud version: 16.0.3
App “Brute-force settings”: 1.3.0

The issue you are facing:

bruteforce protection is enabled in config.php:

‘auth.bruteforce.protection.enabled’ => true,

There is no entry in “Brute-force IP whitelist”.

There are several login attempts from one IP (entries in datebase-table “oc_bruteforce_attempts”). As I can see from timestamps, there are just small delays. Attempts happened every 10 to 15 seconds. As written in https://nextcloud.com/blog/security-in-nextcloud-12-bruteforce-protection-and-rate-limiting-for-developers/ I expect delays up to 1 Minute. This does not happen.

So there are/were hundreds of attempts in an hour.

Steps to replicate it:

  1. start nextcloud and make sure bruteforce protection is enabled
  2. run brute force to login page
  3. check logs, database and delay on webGUI

Question: What has to happen for the 1-minute-delay to occur?

2

Beware to fall into the trap of outdated docs, false advice and not enabling the appropriate security measures.

AFAIK the a.m. setting ist not part of the more current NC configuration anymore.

‘auth.bruteforce.protection.enabled’ => true,

Did you consult the Brute-force settings App documentation and is this app enabled?

Brute-force settings

Brute Force Protection is meant to protect Nextcloud servers from attempts to guess user passwords in various ways. Besides the obvious " let’s try a big list of commonly used passwords " attack, it also makes it harder to use slightly more sophisticated attacks via the reset password form or trying to find app password tokens.

If triggered, brute force protection makes requests coming from an IP on a bruteforce protected controller with the same API slower for a 24 hour period.

With this app, the admin can exempt an IP address or range from this protection which can be useful for testing purposes or when there are false positives due to a lot of users on one IP address.

The Brute-force settings app should be included in a more current NC install by default and please consult the NC 16 Docs » Apps management and always ensure to not disable the Brute-force settings app inadvertently.

Furthermore, while addressing Nextcloud 16 development issues one could consult the more current NC 16 Docs » App development » API Documentation » \ » OC » Security » Bruteforce » Throttler details or similar documentation, I presume.

However, your concern is quite correct. Obviously, Nextcloud sometimes appears as if far too lazy in updating their online documentation and this can be quite misleading.

Please find a more current documentation available as:

The outdated Nextcloud online documentation includes but is not limited to:

Last not least the German (DE) community may consider this worth a read:

Again this article links to the a.m. Nextcloud Security Scan page with the outdated NC 13 docs. This is rather unfortunate and may hurt the security awareness of the NC user community, I presume.

NOTE: The URL input field of the Nextcloud Security Scan page is correct and one can get an actual security report as appropriate. However, the line “hardening tips in our hardening guide” is pointing to outdated content.

Hope this helps.
:smile_cat:

3

Thanks for Your reply and listed links.

It was hard to find any details about default brute-force-protection behavior. That’s why I was linking to old documentation.

Thus, I assume that the behavior is correct. After all, there is a delay of a few seconds. It helps throtteling brute force a litte bit. It seems, max delay is no longer up to 1 minute.

1 Like
4

You are welcome.

When interested in extra security measures and when capable of some CLI endeavours one may consult the fail2ban package and could seek to add some Nextcloud filtering to the NC server with this addition, I presume. One may consult the Fail2ban project web page for further details.

Happy hacking.
:sunny: