Multiple failed login attempts from unauthorized e-mail addresses

Nextcloud version: 28.0.6.1
Operating system and version: Ubuntu Server 24.04
Apache or nginx version: Apache 2.4.59

The issue you are facing:
Ever since I enabled proxying on my domain name on Cloudflare, I’ve been seeing a number of failed login attempts from unknown e-mails and IP addresses. Previously I had my Nextcloud associated with a free DDNS domain from Dynu and this issue never occurred. But since then I’ve decided to get my own domain on Cloudflare and proxy traffic through Cloudflare on said domain, and that’s when this issue started. I’m using Full (strict) DNS mode and I’m using a Google Trusted Services LLC certificate. I’ve also noticed that using DNS only mode on Cloudflare didn’t give me any errors regarding login attempts from strange sources. I also have 2FA enabled and required for all users. I should also mention that googling the listed IP addresses in the Nextcloud error log always points to a CLOUDFLARENET origin.

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

  1. Install Nextcloud AIO with a Cloudflare registered domain.
  2. Enable traffic proxying through Cloudflare.

Is this a question I should be asking Cloudflare? Thanks for all the help.

Is your concern the additional invalid login attempts appearing when you’re using CF? Or is the concern that you’re not getting the real client IP addresses?

The latter is likely due to not adjusting your Nextcloud environment’s config to accommodate CF as a trusted proxy.

You can either add all the CF CIDR ranges to Nextcloud’s trusted_proxies list or configure your web server to grab the real client IP address sent on by CF. If you search the forum / your favorite search engine for cloudflare with Nextcloud you’ll find some additional context.
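As an added illustration (not part of the reply above and not Nextcloud's own code), this sketch shows the general trusted-proxy logic behind that advice: the forwarded header is honoured only when the connection comes from a listed proxy, so failed logins get attributed to the real source instead of the proxy. The CIDR range, addresses and function names are constructed placeholders, and `X-Forwarded-For` handling is assumed to append each hop on the right.

```python
import ipaddress

# Constructed placeholder standing in for the proxy's published CIDR list.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

def is_trusted(addr):
    """True if addr belongs to one of the configured proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, forwarded_for=None):
    """Return the address a request should be attributed to."""
    # A header from an unlisted peer is attacker-controlled: ignore it.
    if not forwarded_for or not is_trusted(remote_addr):
        return remote_addr
    # Walk hops right to left, skipping addresses that are trusted proxies.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return remote_addr

# Constructed failed-login records: (remote_addr, X-Forwarded-For, login name)
SAMPLE = [
    ("198.51.100.7", "203.0.113.50", "a@example.com"),
    ("198.51.100.9", "203.0.113.50", "b@example.com"),
    # The client supplied its own leftmost entry; the proxy appended the real one.
    ("198.51.100.7", "192.0.2.10, 203.0.113.50", "c@example.com"),
    # Direct connection that bypasses the proxy: header must be ignored.
    ("192.0.2.99", "10.0.0.1", "d@example.com"),
]

def failed_logins_by_source(records):
    """Count failed logins per resolved source address."""
    counts = {}
    for remote, xff, _user in records:
        src = client_ip(remote, xff)
        counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    for src, n in failed_logins_by_source(SAMPLE).items():
        print(f"{src}: {n} failed logins")
```

With an empty proxy list the same records would all resolve to the `198.51.100.x` proxy addresses, which is the pattern described in the original post.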

Thank you for the reply.

My concern is that the error shows as failed login attempts as if someone is actually trying to log in to my Nextcloud instance. I got startled by the fact that there were actual e-mail addresses I do not recognize/don’t have as users attempting logins. I don’t know if this is a common occurrence after enabling proxying.

I didn’t add any information to trusted_proxies, I just added the CF CIDR ranges to Nextcloud Office to allow the WOPI requests to go through and edit files on Office.

Long story short, I can’t understand if someone is attempting to break in to my instance or if these errors are occurring due to bad configs.

If you address the real client IP address matter you’ll be able to see the real client IP addresses. This might help you determine if these are coming from connections you recognize.