Hello,
When setting up my Nextcloud, or more precisely when setting up Fail2Ban, an error got in my way that I unfortunately can’t solve. I have the following setup: my Nextcloud runs behind an Nginx Proxy Manager, and both the Nextcloud and the NPM run on a separate Ubuntu container on a server. To transfer the login logs of the Nextcloud to the container of the proxy manager I use rsyslog. This works quite well so far. However, when I apply the Fail2Ban filter and jail, no IP addresses are banned. In the Fail2Ban logs the following error appears again and again.
WARNING [sshd] Simulate NOW in operation since found time has too large deviation None ~ 1683536761.5844784 +/- 60
2023-05-08 11:06:01,584 fail2ban.filter [3891710]: WARNING [sshd] Please check jail has possibly a timezone issue. Line with odd timestamp: pam_unix(cron:session): session opened for user root(uid=0)
This is the Fail2Ban filter file
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
And finally, here is the Fail2Ban jail file
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 2
bantime = 3600
findtime = 3600
logpath = /var/log/syslog-cloudserver.log
Me again, I got the timezone issue AGAIN…
It now seems to be caused by winter time. The switch to winter time took place at 3 am on 27 October 2024 (thus recently), and since that moment I again see warnings:
WARNING [sshd] Detected a log entry 1h after the current time in operation mode. This looks like a timezone problem. Treating such entries as if they just happened.
2024-10-31 02:03:12,880 fail2ban.filter [2121]: WARNING [sshd] Please check a jail for a timing issue. Line with odd timestamp: 2024-10-31T03:03:12.595751+02:00 ubuntu-server sshd[1534071]: Connection closed by 127.0.0.1 port 54612 [preauth]
2024-10-31 02:00:13,379 fail2ban.filter [2121]: WARNING [manual] Detected a log entry 1h after the current time in operation mode. This looks like a timezone problem. Treating such entries as if they just happened.
2024-10-31 02:00:13,380 fail2ban.filter [2121]: WARNING [manual] Please check a jail for a timing issue. Line with odd timestamp: 2024-10-31T03:00:12.937481+02:00 ubuntu-server prometheus[1440]: ts=2024-10-31T01:00:12.937Z caller=compact.go:580 level=info component=tsdb msg="write block" mint=1730325603635 maxt=1730332800000 ulid=01JBG1CN77HPE9WE2V795Y5FGQ duration=33.739731ms ooo=false
.....
2024-10-31 02:00:13,379 fail2ban.filter [2121]: WARNING [manual] Detected a log entry 1h after the current time in operation mode. This looks like a timezone problem. Treating such entries as if they just happened.
2024-10-31 02:00:13,380 fail2ban.filter [2121]: WARNING [manual] Please check a jail for a timing issue. Line with odd timestamp: 2024-10-31T03:00:12.937481+02:00 ubuntu-server prometheus[1440]: ts=2024-10-31T01:00:12.937Z caller=compact.go:580 level=info component=tsdb msg="write block" mint=1730325603635 maxt=1730332800000 ulid=01JBG1CN77HPE9WE2V795Y5FGQ duration=33.739731ms ooo=false
I believe Fail2ban clearly has an issue: the logs clearly show it stating a +02 timezone (this is UTC+2), but daylight saving is no more; during winter time it should change to +01 (UTC+1) automatically.
Do I really need to change the timezone during winter time each year? Well, I do see it now for prometheus as well as ssh.
P.S. My Ubuntu server is correctly configured using CET:
$ date
Thu Oct 31 11:13:16 CET 2024
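An added diagnostic example, not part of either post and not Fail2Ban's own code: it takes "Line with odd timestamp" warnings like the ones quoted above and measures how far the log entry is from Fail2Ban's own clock, once with the written UTC offset honored and once with it ignored. The names `analyse`, `WARN_RE`, `SAMPLE` and `TOLERANCE` are hypothetical; the CET zone comes from the `date` output above and the 60-second tolerance from the "+/- 60" in the first warning.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: server zone is CET (UTC+1), per the `date` output in the post.
CET = timezone(timedelta(hours=1), "CET")
TOLERANCE = 60  # seconds; the "+/- 60" in the first post's warning

# Constructed sample: two warning lines from the post, tails trimmed.
SAMPLE = [
    "2024-10-31 02:03:12,880 fail2ban.filter [2121]: WARNING [sshd] Please check "
    "a jail for a timing issue. Line with odd timestamp: "
    "2024-10-31T03:03:12.595751+02:00 ubuntu-server sshd[1534071]: Connection closed",
    "2024-10-31 02:00:13,380 fail2ban.filter [2121]: WARNING [manual] Please check "
    "a jail for a timing issue. Line with odd timestamp: "
    "2024-10-31T03:00:12.937481+02:00 ubuntu-server prometheus[1440]:",
]

WARN_RE = re.compile(
    r"^(?P<f2b>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<ms>\d{3}) .*?"
    r"\[(?P<jail>[^\]]+)\] Please check .*?Line with odd timestamp: "
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{6})?)(?P<off>[+-]\d\d:\d\d)?"
)

def analyse(line, local_tz=CET):
    """Return deviations (log entry minus Fail2Ban clock) in seconds, or None."""
    m = WARN_RE.match(line)
    if m is None:
        return None
    f2b_now = datetime.strptime(m["f2b"], "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(m["ms"]) * 1000, tzinfo=local_tz)
    naive = datetime.fromisoformat(m["ts"])
    # Interpretation A: ignore the offset, read the wall-clock time as local.
    without = (naive.replace(tzinfo=local_tz) - f2b_now).total_seconds()
    # Interpretation B: honor the offset written in the log line (if any).
    with_off = None
    if m["off"]:
        with_off = (datetime.fromisoformat(m["ts"] + m["off"]) - f2b_now).total_seconds()
    if with_off is not None and abs(with_off) <= TOLERANCE < abs(without):
        verdict = "offset-not-applied"   # same instant; only the offset was dropped
    elif abs(without if with_off is None else with_off) > TOLERANCE:
        verdict = "real-skew"            # clocks or zone settings truly disagree
    else:
        verdict = "ok"
    return {"jail": m["jail"], "with_offset": with_off,
            "without_offset": without, "verdict": verdict}

if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyse(entry))
```

For both sample lines the deviation is under one second when `+02:00` is honored and just under 3600 seconds when it is ignored, so the log entry and Fail2Ban's clock describe the same instant and the one-hour gap appears only when the offset is not applied.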