Fail2ban with Nextcloud 12

Hello,

I have a little problem. I would like to protect my Nextcloud installation against brute-force logins. I sometimes receive this in my log:

{"reqId":"WvYHN8CoAYcAAAXMK9gAAAAC","level":2,"time":"May 11, 2018 23:12:23","remoteAddr":"181.166.222.215","user":"--","app":"core","method":"POST","url":"\/remote.php\/dav\/addressbooks\/users\/usariopr\/contacts\/","message":"Login failed: 'username' (Remote IP: '181.166.222.215')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; rv:52.0) Gecko\/20100101 Thunderbird\/52.7.0 Lightning\/5.4.7","version":"12.0.6.1"}

{"reqId":"WvG@68CoAYcAAFI4aMQAAAAB","level":2,"time":"May 08, 2018 17:15:17","remoteAddr":"181.166.222.215","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'usariopr' (Remote IP: '181.166.222.215')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":"12.0.6.1"}

Then in my fail2ban filter I have this:

[Definition]
failregex = {"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","userAgent":".*","version":".*"}
ignoreregex =

But it seems that it does not match anything. Can you please help me? Thank you in advance.

Hi,

Sorry for the late reply, I just stumbled across your post.

In case you didn't find a solution yet, here are my two filters that work well for me:

failregex= ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
           ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$

Comparing them with your filter, the most obvious difference is the leading ^ and the ending $. I guess that is the important part missing.

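As an added example (not code from either poster or from the fail2ban project), the following Python script applies the three failregex patterns from this thread to the two log lines from the question using plain `re.search`. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the dictionary labels are made up for this example, and fail2ban's own date handling is not modelled.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two log lines from the question, copied verbatim.
LOG_LINES = [
    r'''{"reqId":"WvYHN8CoAYcAAAXMK9gAAAAC","level":2,"time":"May 11, 2018 23:12:23","remoteAddr":"181.166.222.215","user":"--","app":"core","method":"POST","url":"\/remote.php\/dav\/addressbooks\/users\/usariopr\/contacts\/","message":"Login failed: 'username' (Remote IP: '181.166.222.215')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; rv:52.0) Gecko\/20100101 Thunderbird\/52.7.0 Lightning\/5.4.7","version":"12.0.6.1"}''',
    r'''{"reqId":"WvG@68CoAYcAAFI4aMQAAAAB","level":2,"time":"May 08, 2018 17:15:17","remoteAddr":"181.166.222.215","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'usariopr' (Remote IP: '181.166.222.215')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":"12.0.6.1"}''',
]

# failregex patterns from the thread; the labels are hypothetical.
FILTERS = {
    "question": r'''{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","userAgent":".*","version":".*"}''',
    "answer-1": r'''^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$''',
    "answer-2": r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$''',
}


def check(pattern, line):
    """Return the captured host if the pattern is found in the line, else None."""
    match = re.search(pattern.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def report():
    """Map each filter label to the hosts it captures from LOG_LINES."""
    return {
        name: [check(pattern, line) for line in LOG_LINES]
        for name, pattern in FILTERS.items()
    }


if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name:9} -> {hosts}")
```

Run as a script, it prints the host each pattern captures per line, or `None` where the pattern does not match. A pattern that matches here can still miss in a running jail for reasons outside the regex, so confirm against the real log file with `fail2ban-regex`.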

Thanks, I will test it.