NC 12 Cannot Be Processed By The Script Error

amanusk · August 9, 2017, 12:02pm

I am using apache.
I have not done the rewrite like you mentioned, but I did leave nextcloud as the default of my IP. I have changed it now. Guess I won’t be getting these any more

dev0 · September 13, 2017, 2:01pm

I have that issue too, so you can configure fail2ban if a client generates too much 404s then it gets blocked?

amanusk · September 13, 2017, 2:47pm

I have configured a new filter in /etc/fail2ban/filter.d/nextcloud2.conf

The content is:

[INCLUDES]
before = common.conf

[Definition]
failregex = Trusted domain error. \\"<HOST>\\" tried to access using \\"<replace_by_your_ip>*\\" as host.
ignoreregex =

You also need to add the jail filter in:
In /etc/fain2ban/jail.local
I have

[nextcloud2]

enabled  = true
port     = http,https
filter   = nextcloud2
logpath  = /var/log/nextcloud.log
maxretry     = 1
findtime     = 1
bantime  = 604800  ; 1 week

You need to put your own IP, and your nextcloud log file for fail2ban to read.

An access using the IP will ban the IP for a week.

NextCees · October 5, 2017, 10:32am

Just get something simular. At first there is:

Warning core
Trusted domain error. “138.246.253.15” tried to access using “www.inrijen.nl.” as host.
2017-10-04T23:38:02+0200

Where “138.246.253.15” is the "Technische Universitaet Muenchen"
Then comes:

Error PHP
Exception: The requested uri(/.well-known/ct/v1/sct-feedback) cannot be processed
by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729
2017-10-04T23:38:03+0200

for 8 times within 2 seconds.

Very strange, is this serious?

NextCees · October 5, 2017, 10:39am

Need to add that the requested uri differs each message:

uri(/.well-known/ct/v1/sct-gossip)
uri(/ct/v1/sct-gossip) c
uri(/ct/v1/sth-gossip)
uri(/.well-known/ct/v1/collected-sct-feedback)
uri(/ct/v1/sct-feedback)
uri(/.well-known/ct/v1/sth-pollination)
uri(/topleveldir/subdir/research-feedback)

Somebody trying different options?

pr4xx · October 5, 2017, 10:45am

Same log messages on my system but with different urls.

amanusk · October 7, 2017, 10:38am

Looks like 138.246.253.15 was trying many nextcloud domains. Wonder if this means some vulnerability was found.

ReinisN · January 16, 2018, 8:00am

I also spent quite a lot of time investing such issues on my site. As usually all my paranoiac thoughts where explained really simply

The guilty party was OpenVAS security scanner, which once a week scanned my server for vulnerabilities from different network…

alfred · January 17, 2018, 1:29pm

Yeah, OpenVAS scans a lot of things which is pretty awesome. It is another good tool for keeping your systems/network secure.