Many logins detected by suspicious logins - should I be concerned?

Hi,

I have a Nextcloud instance running on a VPS. I have enabled 2FA for my user account, which is the only account except for the admin account that has access to everything. The security rating is A (not A+ due to not running the latest patch, as I run the AIO Docker image). I have the Suspicious Login app installed, and I just noticed that it has captured a lot more logins than I thought would be the case:

So far the app has captured 13319 logins (including client connections), of which 137 are distinct (IP, UID) tuples.

Should I be concerned about this? I could not find anything suspicious in the logs myself, but I am not entirely sure how to best look for this. I also sync calendar and contacts via DAV, and I use the gpodder app to sync podcasts with my Android podcast app. I assume that “including client connections” means that it would capture these kinds of connections as well, which I guess could tally up the score quite quickly.

Lastly, I had some issues with Collabora to begin with, which yielded many errors in the beginning before I turned it off (I did not need it). Maybe these also would count towards the total?

Here is an excerpt from the log:

{"reqId":"xxxxxxxxxxxxxxxxxxxx","level":3,"time":"2023-07-01T00:00:00+00:00","remoteAddr":"xx.xx.xx.xx","user":"myuser","app":"richdocuments","method":"POST","url":"/apps/text/session/close","message":"Failed to fetch the Collabora capabilities endpoint: cURL error 28: Connection timed out after 45000 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.mydomain.com/hosting/capabilities","userAgent":"Mozilla/ ....

Depends a bit on the range of time. If you have IPv6, the IP changes regularly, so that could be possible if the time span is long enough.

I’d grep a bit through the logs and check for unusual IP ranges. On your account, you can see in the security settings how many different client sessions are used.

Only IPv4 here. I have looked through the logs available in the “Logging” tab in the administration panel, and could not find anything wrong. I have one trigger on Suspicious Login, which was my own doing. Otherwise I find very few references to any logins at all in those logs. If I understand it correctly, these logs are from nextcloud.log, and there exists an audit.log that would contain all logins. Is that correct? I am unsure how to access it in the AIO Docker image (not that familiar with using Docker on the command line, but I assume I should be able to run a shell session inside one to access data?).

The sessions all seem fine as well from what I can tell.

But I have for example the Linux desktop client that will synchronize data, the Android client that will synchronize data, CardDAV and CalDAV sync, as well as GPodder sync. Will every one of the sync actions be regarded as one login? I could understand if that triggered a lot of logins in that case.

After checking audit.log, it seems that there are a lot of connections from DAVx5 especially, which show up as “Login successful”, so I am quite comforted at this point that this is fine.
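The check described in the two posts above (grep the logs for unusual IP ranges, then confirm that the “Login successful” entries really come from the expected sync clients such as DAVx5) can be scripted. The following Python is an added example, not code from this thread or from Nextcloud. It assumes the one-JSON-object-per-line layout and field names visible in the excerpt above; the exact wording “Login successful: …” for admin_audit entries, the trusted network 203.0.113.0/24 and the client user-agent prefixes are assumptions and placeholders to adapt, and the sample log lines are constructed.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample lines in the JSON-per-line shape of nextcloud.log / audit.log.
# Field names follow the excerpt in the thread; the "Login successful: ..." wording
# attributed to the admin_audit app is an assumption, not text quoted from the thread.
SAMPLE_LOG = "\n".join([
    '{"reqId":"r1","level":1,"time":"2023-07-01T08:00:00+00:00","remoteAddr":"203.0.113.10","user":"myuser","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/","message":"Login successful: \\"myuser\\" (Remote IP: 203.0.113.10)","userAgent":"DAVx5/4.3 (Android)"}',
    '{"reqId":"r2","level":1,"time":"2023-07-01T08:15:00+00:00","remoteAddr":"203.0.113.10","user":"myuser","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/","message":"Login successful: \\"myuser\\" (Remote IP: 203.0.113.10)","userAgent":"DAVx5/4.3 (Android)"}',
    '{"reqId":"r3","level":1,"time":"2023-07-01T08:20:00+00:00","remoteAddr":"203.0.113.10","user":"myuser","app":"admin_audit","method":"GET","url":"/ocs/v2.php/cloud/user","message":"Login successful: \\"myuser\\" (Remote IP: 203.0.113.10)","userAgent":"Nextcloud-android/3.25.0"}',
    '{"reqId":"r4","level":3,"time":"2023-07-01T08:21:00+00:00","remoteAddr":"203.0.113.10","user":"myuser","app":"richdocuments","method":"POST","url":"/apps/text/session/close","message":"Failed to fetch the Collabora capabilities endpoint: cURL error 28","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}',
    '{"reqId":"r5","level":2,"time":"2023-07-01T09:00:00+00:00","remoteAddr":"198.51.100.77","user":"--","app":"admin_audit","method":"POST","url":"/login","message":"Login failed: \\"myuser\\" (Remote IP: 198.51.100.77)","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/114.0"}',
    '{"reqId":"r6","level":1,"time":"2023-07-01T09:01:00+00:00","remoteAddr":"198.51.100.77","user":"myuser","app":"admin_audit","method":"POST","url":"/login","message":"Login successful: \\"myuser\\" (Remote IP: 198.51.100.77)","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/114.0"}',
    'this line is not JSON and must be skipped',
    '{"reqId":"r7","level":1,"time":"2023-07-01T10:00:00+00:00","remoteAddr":"203.0.113.10","user":"myuser","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/","message":"Login successful: \\"myuser\\" (Remote IP: 203.0.113.10)","userAgent":"DAVx5/4.3 (Android)"}',
])

# Placeholders: the networks you normally log in from, and the user-agent prefixes
# of the clients you actually run (DAVx5, the Android app, the desktop client).
TRUSTED_NETWORKS = ["203.0.113.0/24"]
KNOWN_CLIENT_PREFIXES = ("DAVx5/", "Nextcloud-android/", "Mozilla/5.0 (Linux) mirall/")


def parse_log(text):
    """Parse JSON-per-line log text, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def successful_logins(entries):
    """Keep only admin_audit entries that record a successful login."""
    return [e for e in entries
            if e.get("app") == "admin_audit"
            and str(e.get("message", "")).startswith("Login successful")]


def summarize(logins):
    """Count logins per (IP, user) pair and the user agents seen from each IP."""
    pairs = Counter((e["remoteAddr"], e["user"]) for e in logins)
    agents = defaultdict(Counter)
    for e in logins:
        agents[e["remoteAddr"]][e.get("userAgent", "?")] += 1
    return {"total": sum(pairs.values()), "distinct_pairs": len(pairs),
            "pairs": pairs, "agents_by_ip": dict(agents)}


def flag_unexpected(logins, trusted_networks, known_agent_prefixes):
    """Return logins from outside the trusted networks or from an unknown client."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for e in logins:
        reasons = []
        try:
            addr = ipaddress.ip_address(e["remoteAddr"])
            if not any(addr in n for n in nets):
                reasons.append("ip outside trusted networks")
        except ValueError:
            reasons.append("unparseable remoteAddr")
        ua = e.get("userAgent", "")
        if not ua.startswith(tuple(known_agent_prefixes)):
            reasons.append("unknown user agent")
        if reasons:
            flagged.append((e["time"], e["remoteAddr"], e["user"], ua, reasons))
    return flagged


if __name__ == "__main__":
    logins = successful_logins(parse_log(SAMPLE_LOG))
    s = summarize(logins)
    print(f"{s['total']} successful logins, {s['distinct_pairs']} distinct (IP, user) pairs")
    for (ip, user), n in s["pairs"].most_common():
        print(f"  {ip:15} {user:8} {n:4}  agents={dict(s['agents_by_ip'][ip])}")
    for t, ip, user, ua, why in flag_unexpected(logins, TRUSTED_NETWORKS, KNOWN_CLIENT_PREFIXES):
        print(f"REVIEW {t} {ip} {user} {ua!r}: {', '.join(why)}")
```

To use it on a real instance, replace SAMPLE_LOG with the contents of the exported audit.log and fill in the networks and client prefixes you actually use. The high total then splits into the repetitive, expected pairs (a sync client polling from a known address) and the short list worth reviewing by hand: a login from an address you do not recognise, or from a browser user agent when you only expected sync clients.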

Just note that Nextcloud 25 just dropped out of support and will not receive any security updates any more. Please consider upgrading.

Unfortunately, the suspicious login app has no updates for current versions …

I am running Nextcloud 27 at the moment, and it does seem that Suspicious Login v. 5.0 supports it, and that v. 6.0 even supports Nextcloud 28? Its GitHub repo was updated only three days ago.

Oh, on the apps store this looks different:

Sorry for all the confusion: for NC25 and later, the app is shipped by default, so it is not delivered through the app store any more, and the store entry is there only for older versions.
There will be an update to the README file on GitHub so it will be more obvious.