Hello everyone,
I wanted to share with you my experience of using fail2ban to ban deactivated accounts, with Nextcloud version 28.0.7. Although they no longer use the Nextcloud service, these users still have a desktop client that continues to attempt connections, heavily polluting the nextcloud.log file.
Here is my filter:
root@nextcloud:~ # cat /etc/fail2ban/filter.d/nextcloud.conf
# https://docs.nextcloud.com/server/28/admin_manual/installation/harden_server.html?highlight=fail2ban
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"(?:OC\\\\User\\\\LoginException: )?(User disabled|Utilisateur d\\u00e9sactiv\\u00e9)"
datepattern = ,?\s*"time"\s*:\s*%%d %%B %%Y %%H:%%M:%%S$
For reasons unknown to me, the logs are in English or French. So you have to look for either the ‘User disabled’ string or the ‘Utilisateur d\u00e9sactiv\u00e9’ string.
Please note that a simple Nextcloud version change can break the filter. For example, with version 29.0.4, you have to search for ‘Compte d\u00e9sactiv\u00e9’ for a log in French… The semantic change is indeed significant, since the user remains active (alive) while his account is effectively deactivated!
I assume the same will apply to the English version, with ‘Account’ replacing ‘User’, but I haven’t had a chance to observe it at the time of writing.
For this filter to work, you obviously also need a fail2ban jail configuration that uses it. Here is the file I use:
root@nextcloud:~ # cat /etc/fail2ban/jail.d/nextcloud.conf
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
action = iptables-multiport[name=nextcloud, port="http,https", protocol=tcp]
logpath = /var/log/nextcloud/nextcloud.log
maxretry = 3
bantime = 86400
Note the ‘action’ line, which specifies that banning is done with iptables; this is not described in the documentation.
I hope this helps.
Ernest.
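To see what the 28.0.7 filter above actually catches, and how the 29.0.4 wording change slips past it, here is an added Python check (my code, not from the post or from fail2ban) that expands the post's failregex the way fail2ban does and runs it over constructed log lines. The `<HOST>` stand-in is a simplified assumption, not fail2ban's real host pattern, and the log lines are made up.

```python
import re

# _groupsre and the failregex skeleton are copied from the post's filter.
# %(_groupsre)s is expanded by hand the way fail2ban's ConfigParser does; <HOST>
# is swapped for a simplified stand-in for fail2ban's real host pattern (assumption).
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
HOST = r'(?P<host>[^"]+)'
# Message strings the post gives for 28.0.7; the accent is JSON-escaped in the log
MESSAGES_28 = (r'User disabled', r'Utilisateur d\\u00e9sactiv\\u00e9')
# French wording the post reports for 29.0.4
MESSAGE_29_FR = r'Compte d\\u00e9sactiv\\u00e9'


def build_failregex(messages=MESSAGES_28):
    """Compile the post's failregex with the given message alternatives."""
    pattern = (r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"'
               r'(?:OC\\\\User\\\\LoginException: )?(' + '|'.join(messages) + r')"')
    pattern = pattern % {'_groupsre': GROUPSRE}
    return re.compile(pattern.replace('<HOST>', HOST))


def banned_hosts(lines, regex=None):
    """remoteAddr of every line the filter would count as a failure, in order."""
    regex = regex or build_failregex()
    return [m.group('host') for m in map(regex.match, lines) if m]


# Constructed lines in Nextcloud's JSON log format; not real log data.
SAMPLE_LOG = [
    # 28.x, English: disabled account whose desktop client keeps retrying
    r'{"reqId":"r1","level":2,"time":"01 August 2024 10:00:00","remoteAddr":"203.0.113.7",'
    r'"user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/",'
    r'"message":"OC\\User\\LoginException: User disabled","userAgent":"mirall/3.13.0","version":"28.0.7.1"}',
    # 28.x, French
    r'{"reqId":"r2","level":2,"time":"01 August 2024 10:00:01","remoteAddr":"203.0.113.8",'
    r'"user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/",'
    r'"message":"Utilisateur d\u00e9sactiv\u00e9","userAgent":"mirall/3.13.0","version":"28.0.7.1"}',
    # 29.0.4, French: the new wording is not matched by the 28.x filter
    r'{"reqId":"r3","level":2,"time":"01 August 2024 10:00:02","remoteAddr":"203.0.113.9",'
    r'"user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/",'
    r'"message":"Compte d\u00e9sactiv\u00e9","userAgent":"mirall/3.13.0","version":"29.0.4.1"}',
    # Ordinary request by an active user: must never be counted
    r'{"reqId":"r4","level":1,"time":"01 August 2024 10:00:03","remoteAddr":"198.51.100.5",'
    r'"user":"alice","app":"files","method":"GET","url":"/apps/files/","message":"ok",'
    r'"userAgent":"Mozilla/5.0","version":"28.0.7.1"}',
]

if __name__ == '__main__':
    print('28.x filter bans:', banned_hosts(SAMPLE_LOG))
    print('with 29.x wording added:',
          banned_hosts(SAMPLE_LOG, build_failregex(MESSAGES_28 + (MESSAGE_29_FR,))))
```

On a real server, `fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` runs the same kind of check with fail2ban's own engine, including the datepattern, and is the quickest way to notice after an upgrade that the message wording has changed.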