Fail2ban for Nextcloud21

Good Day,

Looking for your kind assistance

I only followed the documentation for fail2ban, and it is successfully installed and running, but when I tried to ban myself using my phone data and checked the fail2ban status for Nextcloud, no IP was banned and I could still access Nextcloud.

https://docs.nextcloud.com/server/21/admin_manual/installation/harden_server.html?highlight=fail2ban

Thank you

Hi @sinichi19

If I had to guess, I would say that it is somehow related to the log file. Fail2ban uses the log file of Nextcloud to ban IPs. Here are a few things you could check…

  • Does the “logpath” parameter in your jail point to the correct Nextcloud log file?
  • Is this log file really used and updated by Nextcloud?
  • Were the regex rules copied correctly into the filter file? No line breaks or additional characters in between?
  • Is the fail2ban service up and running? Check with: systemctl status fail2ban
  • What is the output of fail2ban-client -x start?

Yes, all running OK, and all configuration is from the official docs of Nextcloud.

The problem: even if I log in with a wrong password using another account and a different network, nothing happens; fail2ban is not blocking the IP.

If you have a working config, I'm requesting you to share it and I will try.

Thank you and more power.

Sure… the logpath of course has to be changed to your actual logfile… Should work on all Ubuntu/Debian based distributions…


Install Fail2ban:

apt install -y fail2ban

Create the config file for the filter…

nano /etc/fail2ban/filter.d/nextcloud.conf

…and insert the following code block:

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

Create the config file for the jail …

nano /etc/fail2ban/jail.d/nextcloud.local

…and insert the following code block:

[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 18000
findtime = 36000
logpath = /path/to/nextcloud.log

Restart the Fail2ban service:

systemctl restart fail2ban
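Before relying on the filter above, it is worth checking that its failregex actually matches the lines your Nextcloud writes. The following is an added Python example, not part of the original post or of fail2ban: it applies the two failregex lines, with %(_groupsre)s expanded and <HOST> replaced by a simplified host group (an assumption; fail2ban's own <HOST> pattern is broader), to constructed Nextcloud-style JSON log lines and counts matches per address the way maxretry would, ignoring the findtime window.

```python
import json
import re

# The two failregex lines of the filter above, with fail2ban's substitutions applied by hand:
# %(_groupsre)s is expanded inline and <HOST> becomes a named group (assumption: simplified).
_GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
_HOST = r'(?P<host>[0-9A-Fa-f:.]+)'
_PREFIX = r'^\{' + _GROUPSRE + r',?\s*"remoteAddr":"' + _HOST + r'"' + _GROUPSRE
FAILREGEX = [
    re.compile(_PREFIX + r',?\s*"message":"Login failed:'),
    re.compile(_PREFIX + r',?\s*"message":"Trusted domain error.'),
]

def _entry(req_id, host, message, method="POST", url="/login"):
    """Build one constructed Nextcloud-style log line (compact JSON, one object per line)."""
    record = {"reqId": req_id, "level": 2, "time": "2021-05-31T06:55:35+02:00",
              "remoteAddr": host, "user": "--", "app": "core", "method": method,
              "url": url, "message": message, "userAgent": "curl/7.74.0", "version": "21.0.1.1"}
    return json.dumps(record, separators=(",", ":"))

# Constructed sample log: five failed logins from one address, one trusted-domain error
# from another, and one unrelated error line that must not match.
SAMPLE_LOG = [_entry(f"r{i}", "203.0.113.7",
                     "Login failed: 'alice' (Remote IP: '203.0.113.7')") for i in range(5)]
SAMPLE_LOG.append(_entry("r5", "198.51.100.23", 'Trusted domain error. "198.51.100.23" '
                         'tried to access using "cloud.example.test" as host.', "GET", "/"))
SAMPLE_LOG.append(_entry("r6", "192.0.2.5", "Exception: File not found", "GET", "/apps/files"))

def failed_hosts(lines):
    """Return the <HOST> value of every line that some failregex matches, in log order."""
    hosts = []
    for line in lines:
        for regex in FAILREGEX:
            match = regex.match(line)
            if match:
                hosts.append(match.group("host"))
                break
    return hosts

def hosts_to_ban(lines, maxretry=5):
    """Addresses with at least maxretry matching lines (the findtime window is ignored here)."""
    counts = {}
    for host in failed_hosts(lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("matched:", failed_hosts(SAMPLE_LOG))
    print("would ban with maxretry=5:", hosts_to_ban(SAMPLE_LOG))
```

On the server itself, fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf runs the same kind of check against the real log file, so a zero-match result there points to the logpath, the loglevel, or a mangled regex rather than the jail.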

Will try it, thank you for this.

Only to clarify: does fail2ban block the IP when maxretry is reached, or does it need to wait for findtime? I tried to set findtime to only 5 min (300) but nothing happens.

Will try your config tomorrow.

Again, thank you.

When maxretry is reached, you should already be banned. Maxretry is the maximum number of failed attempts before fail2ban bans an IP.

Findtime is the number of seconds after which the counter for maxretry is reset.

…and bantime is the number of seconds after a banned IP gets unbanned. You can set a negative number for a permanent ban.

You can check which addresses are blocked with…

fail2ban-client status <JAIL>

…and manually unban an IP with:

fail2ban-client set <JAIL> unbanip <IP>

Thank you, but it is still not working.

Don't know if there is a conflict with my time zone; I already disabled the brute force apps in Nextcloud.

Does the timezone of your logfile match the timezone of your server? And does your logfile actually contain the entries for the failed login attempts, respectively does the logging actually work?

You can check the timezone of your system with timedatectl…

timedatectl
               Local time: Mo 2021-05-31 06:55:35 CEST
                  Universal time: Mo 2021-05-31 04:55:35 UTC
                        RTC time: Mo 2021-05-31 04:55:36
                       Time zone: Europe/Berlin (CEST, +0200)
       System clock synchronized: yes
systemd-timesyncd.service active: yes
                 RTC in local TZ: no

…and change it with

timedatectl set-timezone Europe/Berlin

And make sure you have the following parameters set in the config.php:

 'logfile' => '/path/to/nextcloud.log',
 'loglevel' => 2,
 'logtimezone' => 'Europe/Berlin',

Can I use a different time zone? I'm from Asia, +8.

@bb77 thank you so much, it is now working.

The logfile in my config.php had a typo error, sorry…

Thank you for your kind assistance


Sure. Normally you use the time zone you actually live in. Or you could use UTC everywhere. But I would not recommend that for small business or home environments…

Either way… The key point in order for Fail2ban to work is that the timezone of your log matches the timezone of the system.

No worries. Glad it is working now. 🙂
