Fail2ban for Nextcloud21

Good Day,

Looking for your kind assistance

Only followed the documentation for fail2ban and successfully installed and running but I tried to ban myself using my phone data but when I check the fail2ban status for nextcloud no IP is ban and can still access the nextcloud.

Thank you

Hi @sinichi19

If I had to guess, I would say that it is somehow related to the log file. Fail2ban uses the log file of Nextcloud to ban IPs. Here a few things you could check…

  • Does the “logpath” parameter in your jail point to the correct Nextcloud log file?
  • Is this log file really used and updated by Nextcloud?
  • Were the regex rules copied correctly into the filter file? No line breaks or additional characters in between?
  • ist the fail2ban service up and running? Check with: systemctl status fail2ban
  • what is the output of fail2ban-client -x start?

yes all running ok and all configuration are from offcial docu of nextcloud .

the problem even i log in with wrong password using other account and different network nothing happen fail2ban not blocking the ip.

if you have working config requesting to share and i will try

thank you and more power

Sure… the logpath has of course to be changed to your actual logfile… Should work on all Ubuntu/Debian based distributions…

Install Fail2ban:

apt install -y fail2ban

Create the config file for the filter…

nano /etc/fail2ban/filter.d/nextcloud.conf

…and insert the following code block:

_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

Create the config file for the jail …

nano /etc/fail2ban/jail.d/nextcloud.local

…and insert the following code block:

backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 18000
findtime = 36000
logpath = /path/to/nextcloud.log

Restart the Fail2ban service:

systemctl restart fail2ban

will try it, thank you for this.

only to clarify when fail2ban block ip when reached the maxretry or need to wait the findtime, i tried to set findtime to only 5min (300)but nothing happens

will try your config tomorrow.

again thank you

When maxretry is reached, you should already be banned. Maxretry is the maximum number of failed attempts before fail2ban bans an IP.

Findtime is the number of seconds after which the counter for maxretry is reset.

…and bantime is the number of seconds after a banned IP gets unbanned. You can set a negative number for a permanent ban.

You can check which addresses are blocked with…

fail2ban-client status <JAIL> 

…and manually unban an IP with:

fail2ban-client set <JAIL> unbanip <IP>
1 Like

Thank you

but still notworking

dont know if there is conflict to my time zone , i already disabled the brutefroce apps in nextcloud.

Does the the timezone of your logfile match the timezone of your server? And does your logfile actualy contain the entries for the failed login atempts, respectively does the logging actualy work?

You can check the timezone of your system with timedatectl…

Local time: Mo 2021-05-31 06:55:35 CEST
                  Universal time: Mo 2021-05-31 04:55:35 UTC
                        RTC time: Mo 2021-05-31 04:55:36
                       Time zone: Europe/Berlin (CEST, +0200)
       System clock synchronized: yes
systemd-timesyncd.service active: yes
                 RTC in local TZ: no

…and change it with

timedatectl set-timezone Europe/Berlin

And make sure you have the following parameters set in the config.php

 'logfile' => '/path/to/nextcloud.log',
 'loglevel' => 2,
 'logtimezone' => 'Europe/Berlin',

Can I use different time zone? Im from Asia +8

@bb77 thank you so much is now working

the logfile in my config.php had typo error sorry…

Thank you for your kind assistance

1 Like

Sure. Normaly you use use the time zone you are actualy live in. Or you could us UTC everywhere. But I would not recommend that for small bussiness or home environments…

Either way… The key point in order for Fail2ban to work is that the timezone of your log matches the timezone of the system.

No worries. Glad it is working now. :slight_smile:

1 Like