Nextcloud version (eg, 20.0.5): 22.2.3
Operating system and version (eg, Ubuntu 20.04): Centos 7
Apache or nginx version (eg, Apache 2.4.25): 2.4.6
PHP version (eg, 7.4): 7.4
The issue you are facing:
I installed and configured Fail2ban following this article: https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#setup-fail2ban
The service is running and it reads from the logs. When I try multiple failed logins, it correctly adds the IP to the blacklist and then unbans it. But even while the IP address is banned, I can still log in or make further attempts.
Any suggestions?
Is this the first time you’ve seen this error? (Y/N): y
The output of your fail2ban:
2022-01-19 14:10:33,120 fail2ban.actions [22945]: NOTICE [nextcloud] Unban 10.2.90.20
2022-01-19 14:11:41,377 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:11:41
2022-01-19 14:11:41,390 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:11:41, 1 # -> 2
2022-01-19 14:19:49,043 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:48
2022-01-19 14:19:49,090 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:48, 1 # -> 2
2022-01-19 14:19:49,843 fail2ban.actions [22945]: NOTICE [nextcloud] Ban 10.2.90.20
2022-01-19 14:19:49,855 fail2ban.observer [22945]: INFO [nextcloud] IP 10.2.90.20 is bad: 1 # last 2022-01-19 14:09:33 - incr 0:01:00 to 0:05:00
2022-01-19 14:19:49,856 fail2ban.observer [22945]: NOTICE [nextcloud] Increase Ban 10.2.90.20 (2 # 0:05:00 -> 2022-01-19 14:24:48)
2022-01-19 14:19:52,851 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:52
2022-01-19 14:19:52,895 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:52, 2 # -> 3, Ban
2022-01-19 14:19:53,059 fail2ban.actions [22945]: NOTICE [nextcloud] 10.2.90.20 already banned
2022-01-19 14:19:56,458 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:56
2022-01-19 14:19:56,473 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:56, 2 # -> 3, Ban
2022-01-19 14:19:57,073 fail2ban.actions [22945]: NOTICE [nextcloud] 10.2.90.20 already banned
2022-01-19 14:19:58,663 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:58
2022-01-19 14:19:58,699 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:58, 2 # -> 3, Ban
2022-01-19 14:19:59,081 fail2ban.actions [22945]: NOTICE [nextcloud] 10.2.90.20 already banned
2022-01-19 14:20:01,469 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:20:01
2022-01-19 14:20:01,499 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:20:01, 2 # -> 3, Ban
2022-01-19 14:20:01,685 fail2ban.actions [22945]: NOTICE [nextcloud] 10.2.90.20 already banned
2022-01-19 14:20:02,272 fail2ban.filter [22945]: INFO [nextcloud] Found 10.2.90.20 - 2022-01-19 14:20:02
2022-01-19 14:20:02,318 fail2ban.observer [22945]: INFO [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:20:02, 2 # -> 3, Ban
2022-01-19 14:20:02,892 fail2ban.actions [22945]: NOTICE [nextcloud] 10.2.90.20 already banned
I also get the correct result from iptables:
[root@example ]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-nextcloud tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-nextcloud (1 references)
target prot opt source destination
REJECT all -- 10.2.90.20 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
And from fail2ban status:
[root@example]# fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 4
|  `- File list: /path/to/nextcloud.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 2
   `- Banned IP list: 10.2.90.20
The output of nextcloud.local:
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 60
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 5 30 60 300 720 1440 2880
findtime = 600
logpath = /path/to/nextcloud.log
The output of nextcloud.conf:
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
Sorry for another topic; I had the last one as a draft for a long time and forgot to add it.
Thank you for your help.
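The symptom in this post can be read straight out of fail2ban.log: a filter "Found" entry for an address, logged between that address's "Ban" and "Unban", means a request recorded with that address still reached Nextcloud. The following is an added example, not part of the original post; the function name and the sample lines (constructed, in the log format shown above, using the documentation address 192.0.2.10) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the fail2ban.log format shown in the post.
SAMPLE_LOG = """\
2022-01-19 14:10:33,120 fail2ban.actions [22945]: NOTICE [nextcloud] Unban 192.0.2.10
2022-01-19 14:11:41,377 fail2ban.filter [22945]: INFO [nextcloud] Found 192.0.2.10 - 2022-01-19 14:11:41
2022-01-19 14:19:49,843 fail2ban.actions [22945]: NOTICE [nextcloud] Ban 192.0.2.10
2022-01-19 14:19:49,856 fail2ban.observer [22945]: NOTICE [nextcloud] Increase Ban 192.0.2.10 (2 # 0:05:00 -> 2022-01-19 14:24:48)
2022-01-19 14:19:52,851 fail2ban.filter [22945]: INFO [nextcloud] Found 192.0.2.10 - 2022-01-19 14:19:52
2022-01-19 14:19:53,059 fail2ban.actions [22945]: NOTICE [nextcloud] 192.0.2.10 already banned
2022-01-19 14:19:56,458 fail2ban.filter [22945]: INFO [nextcloud] Found 192.0.2.10 - 2022-01-19 14:19:56
2022-01-19 14:24:48,100 fail2ban.actions [22945]: NOTICE [nextcloud] Unban 192.0.2.10
2022-01-19 14:30:00,000 fail2ban.filter [22945]: INFO [nextcloud] Found 192.0.2.10 - 2022-01-19 14:30:00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.(?P<comp>\w+)\s+\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)

def hits_while_banned(lines):
    """Return {(jail, ip): [log timestamps]} of filter matches seen during an active ban."""
    banned = set()
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a fail2ban jail line
        words = m["msg"].split()
        # Only fail2ban.actions "Ban <ip>" / "Unban <ip>" change ban state;
        # observer lines such as "Increase Ban ..." are ignored.
        if m["comp"] == "actions" and len(words) == 2 and words[0] in ("Ban", "Unban"):
            key = (m["jail"], words[1])
            if words[0] == "Ban":
                banned.add(key)
            else:
                banned.discard(key)
        # A fail2ban.filter "Found <ip> - <time>" line is a new match in the app log.
        elif m["comp"] == "filter" and len(words) >= 2 and words[0] == "Found":
            key = (m["jail"], words[1])
            if key in banned:
                hits[key].append(m["ts"])
    return dict(hits)

if __name__ == "__main__":
    for (jail, ip), stamps in hits_while_banned(SAMPLE_LOG.splitlines()).items():
        print(f"[{jail}] {ip}: {len(stamps)} match(es) while banned: {', '.join(stamps)}")
```
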