How to ban IP via shared links protected form

Hi,

Fail2ban is correctly banning IPs that try to force the login form. That's really fine, and I would like to extend this feature to the form on shared links protected by password. Is there a way to do that?

Thank you for your help!

As far as I can tell, Nextcloud has had Bruteforce Protection built-in since Nextcloud 11 (https://nextcloud.com/blog/nextcloud-11-delivers-verified-security-improvements/). I assume that this works on the login form as well as the password form for shared links but you may want to test this. This built-in protection only slows down logins for 24 hours so it's not a permanent ban. Maybe this is sufficient for your needs.

As for fail2ban, I don't know much about it but I think it works by checking log files for specific lines that indicate that something wrong has happened. So as long as the failed attempt in the password form is shown in the log, it should be possible to have fail2ban react to it. I don't know how exactly to configure that though but there might be some fail2ban tutorials available for that.

Yeah, you're right about bruteforce. And concerning Fail2ban, there's a way to catch people trying to log on the shared link password page.

I've created a filter with this regex:

    ^<HOST> - - .*"POST /s/******ENTER*HASH*******/authenticate/showShare HTTP/2.0" 200

And it works! It's important to keep the 200 response code, because in case of success it's a 303 redirection.

Hope this can help
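The filter above hard-codes one share hash and the HTTP/2.0 version string. The following Python is an added example, not code from the thread or from Nextcloud or fail2ban: it generalises that failregex so it matches any share token and any HTTP version (an assumption about the URL shape, not something the thread states), expands fail2ban's `<HOST>` placeholder into a plain `re` group so the expression can be checked offline, and runs it over a few constructed access-log lines. The 200/303 distinction described in the post is what separates failed attempts from successful ones.

```python
import re

# fail2ban-style failregex, generalised (assumption: share tokens contain no
# "/" or whitespace, and the request line may be HTTP/1.1 or HTTP/2.0).
# The poster's own filter pins one share hash and "HTTP/2.0".
FAILREGEX = r'^<HOST> - - .*"POST /s/[^/\s]+/authenticate/showShare HTTP/[0-9.]+" 200'

# fail2ban replaces <HOST> with its own IP-matching group; this stand-in
# (IPv4 or a loose IPv6 form) lets the same expression be tested with `re`.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failed_share_auth_hosts(log_lines, failregex=FAILREGEX):
    """Return the client IP of every failed share-password attempt, in order.

    A wrong password re-renders the form with HTTP 200; a correct one
    redirects with 303, so only 200 responses to the authenticate POST
    count as failures (as noted in the thread).
    """
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_lines:
        match = pattern.match(line)
        if match:
            hits.append(match.group("host"))
    return hits


def count_by_host(hosts):
    """Aggregate hits per IP, the way fail2ban's maxretry counter would."""
    counts = {}
    for host in hosts:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample access-log lines (not taken from the thread); the share
# tokens, IPs and timestamps are made up for the example.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /s/AbCdEfGh12345/authenticate/showShare HTTP/2.0" 200 1523 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /s/AbCdEfGh12345/authenticate/showShare HTTP/2.0" 200 1523 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:12:00:03 +0000] "POST /s/AbCdEfGh12345/authenticate/showShare HTTP/2.0" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:12:00:04 +0000] "GET /s/AbCdEfGh12345 HTTP/2.0" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:12:00:05 +0000] "POST /s/ZzYyXxWw98765/authenticate/showShare HTTP/1.1" 200 1523 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for host, n in count_by_host(failed_share_auth_hosts(SAMPLE_LOG)).items():
        print(f"{host}: {n} failed share-password attempt(s)")
```

Run against the sample, only the two 200 responses from 203.0.113.7 and the one from 192.0.2.9 are reported; the 303 redirect and the plain GET are ignored. To use the generalised expression in fail2ban itself, put the `FAILREGEX` string (with the literal `<HOST>` left in place) on the `failregex` line of the filter file and point the jail at the web server's access log, not Nextcloud's JSON log that the login-failure regexes read.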

Hi,

Do I have to add your regex to my /etc/fail2ban/filter.d/nextcloud.conf?

If I do this, it is not working for me. Where and how do I add your CMDlet?

    [Definition]
    failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
              ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
              ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
              ^<HOST> - - .*"POST /s/******ENTER*HASH*******/authenticate/showShare HTTP/2.0" 200

You find the answer to the problem here:
https://help.nextcloud.com/t/authentication-protection-for-public-shared-pw-protected-links/65885/3?u=rebootnow

I think it makes less sense with an individual URL.