Is there an easy way to find out from which IP address a specific Nextcloud account has connected from for the last time ? I’m trying to help police find back a stolen laptop that has the automatic sync app on it
Thanks for your suggestions,
Easy… perhaps not so much… but you should be able to find what you need in the web server logs. You’ll have to do this on the server console.
Problem is that the NC server has quite few accounts in it and lot of traffic so going to be a nightmare to find back I think
Side note: logs show URLs requested and results but nothing about user that generated them !! How do you get last user connection into it ?
Some of the entries should include the user name. Try searching for it.
Maybe you can better find the last log of the user:
sudo -u www-data php occ user:lastseen username
And then search the apache2 logs for the time and date.
I don’t think the police will find the laptop with the IP address.
It’s also very unlikely that the Nextcloud client did connect to the server at all after the laptop was stolen, because it only connects to the server when the corresponding user is logged in. So if the laptop was properly secured with a login-password, I doubt that an ordinary thief was able to log-in. There’s also a high chance that the thieves were only interested in the hardware, so the first thing they did was probably wipe or replace the disk…
And if they were interested in the data and were smart, they probably wouldn’t have connected the laptop to the Internet, in order to get to the data.
Thats not really true. The user can use web login and go to
https://cloud.server.tld/settings/user/security and delete sessions and also wipe the client.
Did you ever test this, and did it work? It may work on a mobile device, which is always running and is using a cell connection. But on a laptop it would only work if the thieves somehow mange to connect it to the internet while it is still running with your user logged in. But I never tested this, so I could be wrong…