How to manage security brute force protection and throttling in Nextcloud snap

Managing security brute force protection and throttling in Nextcloud snap

Nextcloud has built-in protection against brute force attempts.

The brute force protection feature is meant to protect Nextcloud servers from attempts to guess passwords and tokens in various ways. Besides the obvious “let’s try a big list of commonly used passwords” attack, it also makes it harder to use slightly more sophisticated attacks via the reset password page or trying to find app password tokens. It is used throughout the Nextcloud ecosystem, including by other apps, if they have sensitive entrypoints (and choose to enable support for it).

See the Brute force protection page in the Nextcloud Administration Manual.

If you are testing something and would like to reset the logged attempts, first make absolutely sure that it is your external IP address that is being throttled. Double-check in your logs.

List logged brute force attempts from your external IP address:

sudo nextcloud.occ security:bruteforce:attempts <your.external.ip.address>

This displays the attempts logged for your external IP address, for example:

  - bypass-listed: false
  - attempts: 13
  - delay: 25000

Reset brute force attempts:

sudo nextcloud.occ security:bruteforce:reset <your.external.ip.address>

Whitelisting

You may consider whitelisting an IP range if you have a static IPv4 address, but this is usually not necessary.

Reverse proxies

Brute force protection and load balancers/reverse proxies

If you are behind a reverse proxy or load balancer it is important to make sure it is set up properly. In particular, the trusted_proxies and forwarded_for_headers variables in config.php need to be set correctly. Otherwise Nextcloud may end up throttling all traffic coming from the reverse proxy or load balancer, because every request appears to originate from the proxy's own address. For more information, see the Reverse proxy documentation.
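As an added example (not from the Nextcloud snap documentation), the following shell snippet sets trusted_proxies and forwarded_for_headers through the snap's occ wrapper and parses the output of security:bruteforce:attempts to check whether the proxy address itself has picked up a throttling delay. PROXY_IP is a constructed placeholder; replace it with the address your proxy uses to reach Nextcloud.

```shell
#!/bin/sh
# Added example, not part of the Nextcloud snap docs. Assumes the reverse proxy
# reaches Nextcloud from PROXY_IP (constructed value below; replace with yours)
# and that the snap's occ wrapper is "nextcloud.occ".
PROXY_IP="${PROXY_IP:-10.0.0.2}"

# Trust X-Forwarded-For only when it comes from the proxy, so throttling is
# applied to the real client address instead of to the proxy itself.
configure_proxy() {
  sudo nextcloud.occ config:system:set trusted_proxies 0 --value="$PROXY_IP"
  sudo nextcloud.occ config:system:set forwarded_for_headers 0 --value="HTTP_X_FORWARDED_FOR"
}

# Extract a numeric field ("attempts" or "delay") from the output of
# "nextcloud.occ security:bruteforce:attempts <ip>", which looks like
#   - bypass-listed: false
#   - attempts: 13
#   - delay: 25000
bf_field() {  # $1 = field name, $2 = occ output
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*-[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Return 0 (true) when occ reports a non-zero delay for the address, 1 otherwise.
is_throttled() {  # $1 = occ output
  d=$(bf_field delay "$1")
  [ -n "$d" ] && [ "$d" -gt 0 ]
}

# Inspect the proxy's own counter. Logged attempts against the proxy address
# usually mean trusted_proxies is missing, so all users share one counter.
check_proxy_counter() {
  out=$(sudo nextcloud.occ security:bruteforce:attempts "$PROXY_IP")
  if is_throttled "$out"; then
    echo "WARNING: proxy $PROXY_IP is being throttled; check trusted_proxies" >&2
    return 1
  fi
  echo "proxy $PROXY_IP has no throttling delay ($(bf_field attempts "$out") attempts logged)"
}
```

Run configure_proxy once, then check_proxy_counter after a few logins from behind the proxy; if the proxy's counter keeps growing, the headers are not being honoured.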
