Could you indent the regex lines by 4 spaces so it shows up in monospace font? Regexes are difficult to parse on their own, and the Discourse parser is showing your text wrapped in asterisks as italics. It’s also clobbering your quotes.
I took the liberty to attempt fixing it:
With that out of the way, fail2ban really only needs a message to identify an attempt and the IP address to ban. We can simplify your regex with this knowledge. So you’ll need only the message — though we should grab the remoteAddr because it’s easier to get to than complicating our message part — and probably add core so we know it’s Nextcloud and not some other service that a Nextcloud app might log in to.
fail2ban uses Python regexes, and has a few extensions to make life easier. My NC instance isn’t under attack so I can’t test this, but I’ve added it to my f2b config in case it ever is.
You can test the regex on your logs with fail2ban-regex. The first argument is a log line to match against, and the second is the regex to match with. You can also hook it up to your logs directly, but consult --help for that. So…
Running that should show a match. If it doesn’t, then fail2ban needs to be taught how to find Nextcloud’s timestamp, or Nextcloud’s logging timestamp format should be changed to something that fail2ban recognizes. fail2ban won’t match any log line until it can find a timestamp first.
Your timestamp format doesn’t appear to be recognized by fail2ban, explaining why it isn’t triggering your actions.
For what it’s worth, my Nextcloud (15.0.10) log has timestamps that look like 2019-09-07T03:35:35+00:00, which is known as ISO 8601. The Nextcloud documentation on Logging covers a config.php option that allows you to set the timestamp format:

    /* config.php */
    'logdateformat' => "c"

As seen in the PHP date() docs, the c expands to a full ISO 8601 timestamp for you, which is practically universal and also supported by fail2ban. Setting this will also ensure that future updates to Nextcloud won’t break your logging; at least not the timestamp part!
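
As an added illustration (not code from this thread, and not fail2ban's own implementation), here is a simplified Python model of the order of checks described above: a timestamp has to be found first, and only then is the failregex tried. The failregex, the `<HOST>` stand-in and the sample log lines are constructed assumptions; real fail2ban recognizes many more date formats than the single ISO 8601 pattern used here.

```python
import re

# ISO 8601 as written by PHP date("c"), e.g. 2019-09-07T03:35:35+00:00
ISO8601 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}")

# Hypothetical failregex (assumption, not the one posted in this thread):
# remoteAddr, then app "core", then a "Login failed" message.
FAILREGEX = r'"remoteAddr":"<HOST>".*"app":"core".*"message":"Login failed'
# fail2ban expands <HOST> itself; a simplified IPv4 group stands in for it here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def sample(time, app, message):
    """Build a constructed log line shaped like a Nextcloud JSON log entry."""
    return ('{"reqId":"constructed","level":2,"time":"%s",'
            '"remoteAddr":"203.0.113.7","user":"--","app":"%s",'
            '"method":"POST","url":"/login","message":"%s"}'
            % (time, app, message))


def check_line(line):
    """Return (verdict, host) for one log line under this simplified model."""
    stamp = ISO8601.search(line)
    if stamp is None:
        # No recognizable timestamp: the failregex is never even tried.
        return ("no-timestamp", None)
    # Model assumption: the matched timestamp is cut out of the line
    # before the failregex is applied to what remains.
    rest = line[:stamp.start()] + line[stamp.end():]
    match = re.search(FAILREGEX.replace("<HOST>", HOST), rest)
    if match is None:
        return ("no-match", None)
    return ("match", match.group("host"))


GOOD = sample("2019-09-07T03:35:35+00:00", "core", "Login failed: admin")
BAD_TIME = sample("September 7th 2019, 3h35", "core", "Login failed: admin")
OTHER_APP = sample("2019-09-07T03:35:35+00:00", "files", "Login failed: admin")

if __name__ == "__main__":
    for name, line in (("good", GOOD), ("bad time", BAD_TIME), ("other app", OTHER_APP)):
        print(name, check_line(line))
```

The second sample is the case from this thread: the login failure is in the line and the regex would match it, but the line is rejected before the regex is ever applied.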

    user@cloud:~$ sudo fail2ban-client status nextcloud
    Status for the jail: nextcloud
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 0
    | `- File list: /var/log/nextcloud.log
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:

Thanks for your effort, I have just localhost ignored. Actually I didn’t look up whether fail2ban creates a log file.
I am sure that I reloaded and restarted the service multiple times after making changes. Now I cleared the nextcloud- and the fail2ban-log (no “found” entries) and tried it again and it works. I feel like a noob!