Fail2ban with nextcloud 12


I have a little problem, I would like to protect my nextcloud installation against forcebrute login, sometimes receive this in my log:

{"reqId":"WvYHN8CoAYcAAAXMK9gAAAAC","level":2,"time":"May 11, 2018 23:12:23","remoteAddr":"","user":"--","app":"core","method":"POST","url":"\/remote.php\/dav\/addressbooks\/users\/usariopr\/contacts\/","message":"Login failed: 'username' (Remote IP: '')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; rv:52.0) Gecko\/20100101 Thunderbird\/52.7.0 Lightning\/5.4.7","version":""}

{"reqId":"WvG@68CoAYcAAFI4aMQAAAAB","level":2,"time":"May 08, 2018 17:15:17","remoteAddr":"","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'usariopr' (Remote IP: '')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":""}

Then in my fail2ban filter have this:

failregex = {"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","userAgent":".*","version":".*"}
ignoreregex =

But seems like that not match anythings, please can you help me?, thank you advance.


Sorry for the late reply, I just stumpled accross your post.

In case you didn’t find a solution yet; here are my two filters that work well for me:

failregex= ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
           ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$

Comparing them with your filter, the most obvious is the leading ^ and then ending $. I guess that is the important part missing.

1 Like

Thanks , I will test it