I see a weird request (code 400 Bad Request) from the host of Nextcloud (so to itself):
HOST_PUBLIC_IP - - [07/Mar/2025:17:48:14 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"
Does anyone have any idea what this is about?
So, the scope becomes wider: I try to secure the machine by dropping in the firewall the IPs that give 4xx codes when accessing httpd … the problem is that there are many instances of legitimate Nextcloud accesses that give 4xx codes (see below).
So, how can I identify the requests that give 4xx codes but are legitimate Nextcloud accesses, to exclude them from the IP list to be dropped?
LEGITIMATE_CLIENT_IP - - [07/Mar/2025:20:53:44 +0200] "GET /apps/tasks/css/tasks-store.css?v=f5f692bb-7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
LEGITIMATE_CLIENT_IP - - [07/Mar/2025:20:53:44 +0200] "GET /apps/tasks/css/tasks-TaskCreateDialog.css?v=f5f692bb-7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
LEGITIMATE_CLIENT_IP - - [07/Mar/2025:20:53:44 +0200] "GET /apps/tasks/css/tasks-Plus.css?v=f5f692bb-7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
LEGITIMATE_CLIENT_IP - - [07/Mar/2025:20:54:52 +0200] "-" 408 - "-" "-"
LEGITIMATE_CLIENT_IP - - [07/Mar/2025:20:56:05 +0200] "-" 408 - "-" "-"
Thanks a lot!
I've no idea about fail2ban but hit the same issue implementing CrowdSec shortly.
They have a pretty good Nextcloud whitelist; likely you can adapt it for fail2ban.
I added more exceptions to my individual whitelist as I have some additional apps, especially memories (previews).
sudo cat ./crowdsec/_my-nextcloud-whitelist.yml
name: _my/nextcloud-whitelist
description: "Whitelist more events from Nextcloud"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "my Nextcloud Whitelist"
  expression:
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/login/v2/poll' # device login
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path == '/push/ws' # notify_push not running
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/remote.php/dav/addressbooks/users/' && evt.Parsed.http_args contains 'photo' # addressbook
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'HEAD' && evt.Meta.http_path contains '/remote.php/dav/files/' # HEAD while instant upload
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/contacts/css/contacts-index.css' && evt.Parsed.http_args contains 'v'
    # '(chat|room)' is a regex alternation, so it needs the 'matches' operator; 'contains' would look for the literal string and never match
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'HEAD' && evt.Meta.http_path matches '/ocs/v2.php/apps/spreed/api/v1/(chat|room)' # Talk chats
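As an added example that is not part of the thread (neither the original poster's setup nor the CrowdSec hub's code), here is the idea behind the whitelist above applied directly to the web-server log the question is about: parse the combined-format lines, excuse the 4xx responses that are expected from Nextcloud clients and browsers (the asset 404s and empty 408s from the question, plus the cases from the whitelist), and count only the remaining 4xx per source IP. The sample log lines are constructed from the thread's examples with RFC 5737 documentation addresses; `OWN_IPS`, the rule names and the threshold are assumptions. The request bytes `\x16\x03\x01` in the first log line are a TLS record header (content type 0x16 = handshake, legacy version 0x0301), i.e. a TLS ClientHello sent to the plaintext HTTP port, so the script classifies that 400 as a misconfigured client rather than an attack.

```python
"""Separate 'expected Nextcloud/browser 4xx' from 'unexplained 4xx' in an access log
and count only the latter per IP. Constructed example, not the thread's own code."""
import re
from collections import Counter

# Apache/nginx combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Addresses whose 4xx never count (fail2ban's ignoreip equivalent). Assumed value;
# the Nextcloud host's own public IP would normally be added here too.
OWN_IPS = {"127.0.0.1", "::1"}

# Constructed sample modelled on the thread; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Mar/2025:17:48:14 +0200] "\\x16\\x03\\x01\\x02" 400 226 "-" "-"
203.0.113.5 - - [07/Mar/2025:20:53:44 +0200] "GET /apps/tasks/css/tasks-store.css?v=f5f692bb-7 HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:20:53:44 +0200] "GET /apps/tasks/css/tasks-Plus.css?v=f5f692bb-7 HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:20:54:52 +0200] "-" 408 - "-" "-"
203.0.113.5 - - [07/Mar/2025:20:56:05 +0200] "-" 408 - "-" "-"
203.0.113.5 - - [07/Mar/2025:20:56:10 +0200] "POST /login/v2/poll HTTP/1.1" 404 - "-" "Mozilla/5.0 (Android) Nextcloud-android"
192.0.2.99 - - [07/Mar/2025:21:01:01 +0200] "GET /.env HTTP/1.1" 404 - "-" "python-requests/2.31"
192.0.2.99 - - [07/Mar/2025:21:01:02 +0200] "GET /wp-login.php HTTP/1.1" 404 - "-" "python-requests/2.31"
192.0.2.99 - - [07/Mar/2025:21:01:03 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 - "-" "python-requests/2.31"
192.0.2.99 - - [07/Mar/2025:21:01:04 +0200] "GET /admin/config.php HTTP/1.1" 404 - "-" "python-requests/2.31"
"""

ASSET_RE = re.compile(r"/apps/[\w-]+/(css|js)/[\w.-]+\.(css|js)")


def split_request(request):
    """'VERB /path?args HTTP/1.1' -> (verb, path, args); ('', '', '') for '-' or binary junk."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return "", "", ""
    path, _, args = parts[1].partition("?")
    return parts[0], path, args


def excuse(ip, status, request):
    """Return a short reason if this 4xx is expected client behaviour, else None."""
    if ip in OWN_IPS:
        return "own_ip"
    # 408 with no request line: a keep-alive connection (browser pre-connect, sync
    # client) was opened and nothing was sent before the server's timeout.
    if status == 408 and request == "-":
        return "idle_keepalive_timeout"
    # Apache logs non-printable bytes as \xNN. 16 03 01 is a TLS record header
    # (handshake, version 3.1): a ClientHello aimed at the plain-HTTP port.
    if status == 400 and request.startswith("\\x16\\x03\\x01"):
        return "tls_clienthello_on_http_port"
    verb, path, args = split_request(request)
    if status == 404:
        # Versioned app asset (?v=<hash>) requested by a loaded Nextcloud page.
        if verb == "GET" and ASSET_RE.fullmatch(path) and args.startswith("v="):
            return "versioned_app_asset"
        if verb == "POST" and path == "/login/v2/poll":
            return "device_login_poll"
        if verb == "GET" and path == "/push/ws":
            return "notify_push_not_running"
        if verb == "HEAD" and path.startswith("/remote.php/dav/files/"):
            return "client_head_before_upload"
        if verb == "GET" and path.startswith("/remote.php/dav/addressbooks/users/") and "photo" in args:
            return "addressbook_photo"
    return None


def classify(line):
    """Parse one line; return (ip, status, reason_or_None), or None for non-4xx/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    status = int(m["status"])
    if not 400 <= status < 500:
        return None
    return m["ip"], status, excuse(m["ip"], status, m["request"])


def ban_candidates(log_text, threshold=3):
    """Count unexcused 4xx per IP and return those at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[2] is None:
            counts[hit[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        hit = classify(line)
        if hit:
            print(f"{hit[0]:<14} {hit[1]} {hit[2] or 'UNEXPLAINED'}")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

Each predicate in `excuse()` maps one-to-one onto an `ignoreregex` line in a fail2ban filter or onto an expression in the CrowdSec whitelist above, so the script doubles as a way to test a rule set against a saved log before deploying it. Two caveats a practitioner would want: banning on raw 4xx volume in the web-server log stays a blunt instrument (a new Nextcloud app or theme can add fresh 404s overnight), and the filter Nextcloud documents for fail2ban keys on failed-login entries in nextcloud.log instead, which is a far cleaner signal for brute-force protection.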