I am using apache.
I have not done the rewrite like you mentioned, but I did leave Nextcloud as the default of my IP. I have changed it now. Guess I won’t be getting these any more.
I have that issue too, so you can configure fail2ban so that if a client generates too many 404s then it gets blocked?
I have configured a new filter in /etc/fail2ban/filter.d/nextcloud2.conf
The content is:
[INCLUDES]
before = common.conf
[Definition]
failregex = Trusted domain error. \\"<HOST>\\" tried to access using \\"<replace_by_your_ip>*\\" as host.
ignoreregex =
You also need to add the jail filter in:
In /etc/fail2ban/jail.local
I have
[nextcloud2]
enabled = true
port = http,https
filter = nextcloud2
logpath = /var/log/nextcloud.log
maxretry = 1
findtime = 1
bantime = 604800 ; 1 week
You need to put your own IP, and your nextcloud log file for fail2ban to read.
An access using the IP will ban the IP for a week.
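A way to check what the filter above matches before relying on it, as an added example that is not part of the original posts: it rebuilds the failregex in Python and runs it over constructed nextcloud.log lines. Assumptions: the log is in Nextcloud's JSON-lines format, `203.0.113.10` stands in for `<replace_by_your_ip>`, an IPv4-only pattern stands in for fail2ban's `<HOST>` tag, and the trailing `*` is replaced by an optional port.

```python
import json
import re

SERVER_IP = "203.0.113.10"  # constructed stand-in for <replace_by_your_ip>
# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def build_failregex(server_ip, escaped_quotes=True):
    # nextcloud.log is JSON, so quotes inside "message" appear as \" in the
    # raw line fail2ban reads; the regex must match that literal backslash.
    q = r'\\"' if escaped_quotes else '"'
    return re.compile(
        r"Trusted domain error\. " + q + HOST + q
        + r" tried to access using " + q
        + re.escape(server_ip) + r"(?::\d+)?"   # bare IP, optional port
        + q + r" as host\."
    )

def make_line(remote, host_header):
    # Constructed log entry; json.dumps produces the \" escaping.
    msg = ('Trusted domain error. "%s" tried to access using "%s" as host.'
           % (remote, host_header))
    return json.dumps({"level": 2, "time": "2017-10-04T23:38:02+02:00",
                       "remoteAddr": remote, "app": "core", "message": msg})

SAMPLE = [
    make_line("198.51.100.7", SERVER_IP),            # bare IP as Host
    make_line("198.51.100.8", SERVER_IP + ":443"),   # bare IP with port
    make_line("198.51.100.9", "203.0.113.100"),      # different IP
    make_line("138.246.253.15", "www.inrijen.nl."),  # hostname, as in the thread
    json.dumps({"level": 3, "app": "PHP", "remoteAddr": "198.51.100.7",
                "message": "Exception: The requested uri(/ct/v1/sct-gossip) "
                           "cannot be processed"}),
]

def hosts_to_ban(lines, server_ip, escaped_quotes=True):
    """Return source IPs whose lines match; with maxretry = 1 each is banned."""
    rx = build_failregex(server_ip, escaped_quotes)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m and m.group("host") not in hits:
            hits.append(m.group("host"))
    return hits

if __name__ == "__main__":
    print("escaped quotes:", hosts_to_ban(SAMPLE, SERVER_IP))
    print("plain quotes:  ", hosts_to_ban(SAMPLE, SERVER_IP, False))
```

Only requests that used the bare IP as host are matched; a request that used some other hostname, like the one quoted later in the thread, is not. On a real system, `fail2ban-regex /var/log/nextcloud.log /etc/fail2ban/filter.d/nextcloud2.conf` runs the same check against the actual filter.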
Just got something similar. At first there is:
- Warning core
- Trusted domain error. “138.246.253.15” tried to access using “www.inrijen.nl.” as host.
- 2017-10-04T23:38:02+0200
Where “138.246.253.15” is the "Technische Universitaet Muenchen"
Then comes:
- Error PHP
- Exception: The requested uri(/.well-known/ct/v1/sct-feedback) cannot be processed
- by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729
- 2017-10-04T23:38:03+0200
for 8 times within 2 seconds.
Very strange, is this serious?
Need to add that the requested uri differs each message:
- uri(/.well-known/ct/v1/sct-gossip)
- uri(/ct/v1/sct-gossip)
- uri(/ct/v1/sth-gossip)
- uri(/.well-known/ct/v1/collected-sct-feedback)
- uri(/ct/v1/sct-feedback)
- uri(/.well-known/ct/v1/sth-pollination)
- uri(/topleveldir/subdir/research-feedback)
Somebody trying different options?
Same log messages on my system but with different urls.
Looks like 138.246.253.15 was trying many nextcloud domains. Wonder if this means some vulnerability was found.
I also spent quite a lot of time investigating such issues on my site. As usual, all my paranoiac thoughts were explained really simply.
The guilty party was OpenVAS security scanner, which once a week scanned my server for vulnerabilities from different network…
Yeah, OpenVAS scans a lot of things which is pretty awesome. It is another good tool for keeping your systems/network secure.