Login throttled until users are locked out

Nextcloud version: 28.0.6
PHP version: 8.2

We are facing issues with user login throttled or IPs being completely locked out. Resetting the IP with occ security:bruteforce:reset {IP} helps for the moment. But we do need to solve the issue. We are not aware that there might be some app with a wrong password configured (which was my first guess). And the issue is faced by different users at different places with different IP addresses.

Strangely enough, the oc_bruteforce_attempts table is totally empty. How am I even able to debug the issue in this case?

Do you use BasicAuth? If so, that could be the problem.

No, we don’t use Basic Auth in this installation. We do use a reverse proxy, but the blocked IPs are not that of the reverse proxy but the ones the individual clients have dialed in with. And we also have a multi-user office with multiple clients and a single, fixed IP address.

The question that is bugging me: where are the “brute force” IPs stored if not in the oc_bruteforce_attempts table?

If you have Redis configured as memcache.distributed then there.

Change the loglevel to 1 and look for “Bruteforce attempt from” in your logfile.

And also entries like:

IP address throttled [...]
IP address blocked [...]

Fair point. Yes, we have redis activated.

Okay, I have now found entries. One user had issues today. She reported that she saw the “throttled” message. In today's log I do see (all with her legit IP):

  1. a failed login attempt with Firefox 127: “Tried to log in but could not verify token”
  2. “Logging out”
  3. “Bruteforce attempt from “…” detected for action “login”.”
  4. “IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip:…]”

This is the only “Bruteforce attempt”-log-entry for this IP address, though.

Our users also use CalDAV-synchronization, most of them with both mobile phone and Desktop PC. And we also use WebDAV-synchronization. May the brute force issues be related to this line-up?
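
The log search suggested in the thread, written out as an added example that is not part of any post above: it groups the brute-force protection messages by client IP and attaches everything logged in the same request, so the triggering event (for example the token failure) and the client's URL and user agent are visible together. It assumes the default JSON-lines nextcloud.log with `reqId`, `remoteAddr`, `url`, `userAgent` and `message` fields; the sample lines are constructed.

```python
import json
from collections import defaultdict

# Message fragments quoted in the thread.
MARKERS = ("Bruteforce attempt from", "IP address throttled", "IP address blocked")

def parse(lines):
    """Yield log entries from JSON-lines input, skipping anything that is not a JSON object."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry

def bruteforce_report(lines):
    """Map client IP -> requests that hit brute-force protection, each with
    every message logged under the same reqId as context."""
    by_req = defaultdict(list)
    for e in parse(lines):
        by_req[e.get("reqId")].append(e)
    report = defaultdict(list)
    for req_id, entries in by_req.items():
        hits = [e for e in entries
                if any(m in str(e.get("message", "")) for m in MARKERS)]
        if hits:
            first = hits[0]
            report[first.get("remoteAddr", "?")].append({
                "reqId": req_id,
                "url": first.get("url"),
                "userAgent": first.get("userAgent"),
                "context": [str(e.get("message", "")) for e in entries],
            })
    return dict(report)

# Constructed sample (not from the thread); 192.0.2.10 is a documentation address.
_BASE = {"reqId": "r1", "remoteAddr": "192.0.2.10", "url": "/login", "userAgent": "Firefox/127.0"}
SAMPLE = [json.dumps({**_BASE, "message": m}) for m in (
    "Tried to log in but could not verify token",
    'Bruteforce attempt from "192.0.2.10" detected for action "login".',
    "IP address throttled because it reached the attempts limit in the last "
    "30 minutes [action: login, delay: 200, ip: 192.0.2.10]",
)] + [json.dumps({**_BASE, "reqId": "r2", "message": "unrelated entry"}), "not json"]

if __name__ == "__main__":
    print(json.dumps(bruteforce_report(SAMPLE), indent=2))
```

To run it against a real log, pass `open(path)` for the log file to `bruteforce_report`, with the loglevel set as described in the thread.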