Issue with generated password if 2FA is enabled and Redis/Memcached is being used

Nextcloud version (eg, 20.0.5): 27.0.1
Operating system and version (eg, Ubuntu 20.04): SuSE
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.51 (Linux/SUSE)
PHP version (eg, 7.4): PHP 8.1.20

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Have your Nextcloud use either a Redis or a Memcached instance.
  2. Create a user that uses 2FA.
  3. Generate an app password for that user so it bypasses 2FA.
  4. Authenticate with the app with that password.
  5. Restart the Redis/Memcached service.
  6. That generated password (from step 3) will no longer be valid.

The output of your Nextcloud log in Admin > Logging:

The generated logs are too many. The only error that I remember seeing was invalid password.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXXXXXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXXX/XXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXX',
  'trusted_domains' => 
  array (
    0 => 'vcloud.bigsite.com',
  ),
  'datadirectory' => '/mnt/cloud/datadir',
  'overwrite.cli.url' => 'https://vcloud.bigsite.com',
  'dbtype' => 'mysql',
  'version' => '27.0.1.2',
  'filelocking.enabled' => false,
  'dbname' => 'database',
  'dbhost' => 'mysql.bigsiteitsite.com',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nxtdbuser',
  'dbpassword' => 'XXXXXXXXXXXXXXXXX',
  'default_phone_region' => 'PT',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_from_address' => 'nuno',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'bigsite.com',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtphost' => 'bigsiteitsite.com',
  'mail_smtpport' => '25',
  'theme' => '',
  'loglevel' => 1,
  'forcessl' => true,
  'trusted_proxies' => 
  array (
    0 => '172.16.1.162 172.16.3.162',
  ),
  'overwritehost' => 'vcloud.bigsite.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'proxy' => '172.16.0.250:3128',
  'maintenance' => false,
  'lost_password_link' => 'disabled',
  'data-fingerprint' => 'cdxxxxxxxxxxxxxxxxxxxxxxxxxedc',
  'mysql.utf8mb4' => true,
  'updater.release.channel' => 'stable',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcache.locking' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' => 
  array (
    0 => 
    array (
      0 => '172.16.0.66',
      1 => 11211,
    ),
    1 => 
    array (
      0 => '172.16.0.67',
      1 => 11211,
    ),
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

Notice that no errors were found.
The user simply stops being fed into the logs. After re-generating the password and re-applying it, the user appears again:

Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/Configs HTTP/1.1" 207 240 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/credenciais HTTP/1.1" 207 242 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/work/Findmore HTTP/1.1" 207 246 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/pessoais.2022 HTTP/1.1" 207 244 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/pessoais.2023 HTTP/1.1" 207 244 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/garantias HTTP/1.1" 207 241 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:13 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:13 +0100] "PROPFIND /remote.php/dav/files/nuno/VanDyke HTTP/1.1" 207 241 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:03:19 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:03:19 +0100] "PROPFIND /remote.php/dav/files/nuno/ HTTP/1.1" 207 247 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/work/Propostas HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/Labs HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/Colegios HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/Configs HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/credenciais HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/work/Findmore HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/pessoais.2022 HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/pessoais.2023 HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:45:48 www bigsite_nextcloud: 172.16.0.10 - - [29/Jul/2023:17:45:48 +0100] "PROPFIND /remote.php/dav/files/nuno/VanDyke HTTP/1.1" 405 910 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"
Jul 29 17:46:33 www bigsite_nextcloud: 172.16.0.10 - nuno [29/Jul/2023:17:46:12 +0100] "PROPFIND /remote.php/dav/files/nuno/Casas,%20Propriedades%20e%20Imobili%C3%A1rio HTTP/1.1" 207 269 "-" "Mozilla/5.0 (Windows) mirall/3.1.3stable-Win64 (build 20210218) (Nextcloud)"


Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

No errors were found. Since these were automated processes (Nextcloud client, vCard, bookmark sync), it just gives a user-not-authenticated error until it blacklists the IP:
 
{"reqId":"ZMVML4pEcAPvE6Qji3YCZgAAAAQ","level":1,"time":"2023-07-29T17:28:16+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVMNiWkznx1nifB9TY-4AAAABE","level":1,"time":"2023-07-29T17:28:22+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVMQNOXnuxINWHUHtw3lAAAAAk","level":1,"time":"2023-07-29T17:28:33+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVMW1n3hYkoSjTbc692pwAAAAo","level":1,"time":"2023-07-29T17:29:00+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVMiug5Bv0SMs5WJdX50QAAAAw","level":1,"time":"2023-07-29T17:29:48+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVMsuQGI1sZdsDwGsDdVwAAAAI","level":1,"time":"2023-07-29T17:30:30+00:00","remoteAddr":"172.16.0.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.10\" detected for action \"login\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVM2ReB64UAe4i6ZzCHqwAAAAU","level":1,"time":"2023-07-29T17:31:05+00:00","remoteAddr":"172.16.0.2","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Bruteforce attempt from \"172.16.0.2\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0","version":"27.0.1.2","data":{"app":"core"}}
{"reqId":"ZMVNEAo-_m0rIB5ciVsE3QAAABE","level":1,"time":"2023-07-29T17:32:01+00:00","remoteAddr":"172.16.0.2","user":"--","app":"core","method":"GET","url":"/index.php/apps/bookmarks/public/rest/v2/folder/-1/hash","message":"Bruteforce attempt from \"172.16.0.2\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0","version":"27.0.1.2","data":{"app":"core"}}

This might have nothing to do with your issue, but this:

should be

  'trusted_proxies' => 
  array (
    0 => '172.16.1.162',
    1 => '172.16.3.162',
  ),

and why is your

not mentioned in that list?

Then you defined:

while at the same time you defined a backend for filelocking:

and I never heard about this setting:

… where did you get that from?

Then I noticed that you mentioned Redis in the title, but there is no Redis configured in your config.php. So what service did you restart?

You should see if your issue has resolved itself after cleaning up this mess.

Maybe it helps if you experiment with

  'auth.bruteforce.protection.enabled' => false,

Hope this helps,
much luck!

Hi,

Corrected the trusted proxies.

Regarding the proxy setting, it's the proxy that instance uses to reach the internet, as it is on a segregated network.
So the two trusted ones are the reverse proxies, and 172.16.0.250:3128 is the outbound proxy to reach the internet.

Filelocking was disabled for experiments and it is just for file locks.

Memcache is/was set to make sure that the problem did not appear on caching solutions other than Redis. The problem still happens with either Redis or Memcache.

The forcessl is to force SSL connections and it's a legacy setting.

The problem is still happening, and all the requirements are needed for my configuration.
What I don't understand is why the cache devices are keeping only in memory settings that should not be ephemeral, like app passwords.
I can agree for passwords and 2FAs, but app passwords? And when the cache device restarts it loses all of the app passwords?

That does not make sense.