How to ban IP via shared links protected form


Fail2ban is correctly banning IPs that try to force the login form. That’s really fine, and I would like to extend this feature to the form on shared links protected by password. Is there a way to do that?

Thank you for your help !

As far as I can tell, Nextcloud has had Bruteforce Protection built-in since Nextcloud 11 ( I assume that this works on the login form as well as the password form for shared links but you may want to test this. This built-in protection only slows down logins for 24 hours so it’s not a permanent ban. Maybe this is sufficient for your needs.

As for fail2ban, I don’t know much about it but I think it works by checking log files for specific lines that indicate that something wrong has happened. So as long as the failed attempt in the password form is shown in the log, it should be possible to have fail2ban react to it. I don’t know how exactly to configure that though but there might be some fail2ban tutorials available for that.

Yeah, you’re right about bruteforce. And concerning Fail2ban, there’s a way to catch people trying to log on the shared link password page.

I’ve created a filter with this regex:
^<HOST> - - .*"POST /s/******ENTER*HASH*******/authenticate/showShare HTTP/2.0" 200

And it works ! It’s important to keep the 200 response code, cause in case of success, it’s a redirection 303.

Hope this can help


Do I have to add your regex to my

/etc/fail2ban/filter.d/nextcloud.conf ???

If I do this, it is not working for me. Where and how to add your CMDlet?

failregex=^{“reqId”:".",“remoteAddr”:".",“app”:“core”,“message”:“Login failed: '.’ (Remote IP: ‘’)",“level”:2,“time”:".”}$

      ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
      ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$

     ^<HOST> - - .*"POST /s/******ENTER*HASH*******/authenticate/showShare HTTP/2.0" 200

you find the answer for the problem here:

I think it make less sense with individual url.