Fail2ban failregex

Hi team!

Has anyone a failregex for fail2ban?

  • apache
  • Ubuntu 20.04
  • Nextcloud 20.0.1

the log for example is:

{"reqId":"B0JTy99clnfHkqaxHE7W","level":2,"time":"November 14, 2020 15:56:13","remoteAddr":"ip.ip.ip.ip","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: test (Remote IP: ip.ip.ip.ip)","userAgent":"Mozilla/5.0 (Android 10; Mobile; rv:82.0) Gecko/82.0 Firefox/82.0","version":"20.0.1.1"}

thanks!

Sure:

[Definition]
# regex for Nextcloud 12 - 20:
failregex = ^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$

Thanks, but this code has no function… :frowning:

Sorry, I should have had a closer look…

As far as I know fail2ban is not able to interpret this time stamp. Can you either delete logdateformat from Nextclouds config.php or change the value to:

logdateformat => 'c',

which makes PHP to expand the timestamp to ISO8601. fail2ban is able to interpret ISO8601 time stamps.

Also make sure that the value of logtimezone in Nextclouds config.php corresponds to the timezone of the system (cat /etc/timezone)