it came to my attention that an already set up Nextcloud with Fail2ban doesn't ban properly after the update to Nextcloud 17. The regular expression used up to Nextcloud 16 (e.g. in /etc/fail2ban/filter.d/nextcloud.local) doesn't match the log entries on Nextcloud 17.
I've updated the contents of the filter file for Nextcloud to this one:
Just to clarify a bit about what exactly changed, because other users may have slightly different regex in use and would like to keep changes to small adaptations.
Before NC 17 the log entries looked like: ..."message":"Login failed: 'user1' (Remote IP: '12.34.56.78')"...
With NC 17 that changed to: ..."message":"Login failed: user1 (Remote IP: 12.34.56.78)"...
So the single quotes around the username and the IP address have been removed.
Yes, this is totally okay. You can have multiple regex included, just like you have right now.
Just a question from my side, because I stumbled across that myself before: have you seen log entries for your first regex lately? Is that for an earlier NC version as well? ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
I have a question, maybe I am completely off the track here, but why should the regex be that specific?
Things like "time":.* aren't really necessary to properly match the login attempt, therefore they only complicate things, right?
I agree. I wasn't brave enough yet to remove most of the additional and specific entries.
However, what you should definitely remove is: "app":"core"
Because this will not be contained in every "Login failed" log entry and sometimes contains "app":"no app in context"
Example from my logs:
{"reqId":"0q6S7d7f7as23","level":2,"time":"2019-10-04T14:20:18+02:00","remoteAddr":"12.34.56.78","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}
My log file is pretty huge containing a long time range and when grepping for the first regex, I find no entry. Only for the second and the third @Reiner_Nippes
So if this entry is not needed for NC13, NC14 or some old versions like that, I think it can be removed.
Not very clean, I know, but as mentioned I wasn't very brave yet.
Very likely this would be totally fine as well: ^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$
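To make the difference between the regex variants in this thread concrete, here is an added stand-alone Python check (not part of the thread, not fail2ban's own code). It expands the <HOST> tag the way fail2ban does (the expansion below is an assumption copied from fail2ban's default; fail2ban additionally cuts the timestamp matched by its datepattern out of the line before matching, which is not reproduced here) and runs the strict NC<=16 regex and the relaxed regex from above against sample log lines. The NC 17 line with "app":"no app in context" is the one posted above; the other lines are constructed. As a generalisation beyond the thread, a third pattern with optional single quotes is included that matches both the NC<=16 and the NC 17 message format.

```python
import re

# fail2ban replaces the <HOST> tag with a named capturing group before compiling
# the failregex. Assumption: this is fail2ban's default expansion, used here only
# to emulate matching outside of fail2ban.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Regexes quoted in the thread: the strict form for NC 16 and earlier
# (quoted user/IP, fixed field order, "app":"core") and the relaxed NC 17 form.
FAILREGEX_STRICT = r"""^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$"""
FAILREGEX_RELAXED = r"""^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$"""

# Hypothetical generalisation (not from the thread): the relaxed shape, but
# tolerating the single quotes that NC 16 and earlier put around user and IP,
# so one line covers both log formats.
FAILREGEX_BOTH = r"""^{.*"message":"Login failed: '?.*'? \(Remote IP: '?<HOST>'?\)".*}$"""

# Sample log lines. NC17_NOAPP is the entry posted in the thread; the others
# are constructed for this example and follow the same JSON field order.
SAMPLE_LINES = {
    "NC17_NOAPP": r'{"reqId":"0q6S7d7f7as23","level":2,"time":"2019-10-04T14:20:18+02:00","remoteAddr":"12.34.56.78","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}',
    "NC17_CORE": r'{"reqId":"c0nstructed01","level":2,"time":"2019-10-04T14:21:03+02:00","remoteAddr":"12.34.56.78","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"curl\/7.64.0","version":"17.0.0.9"}',
    "NC16_QUOTED": r'''{"reqId":"c0nstructed02","level":2,"time":"2019-09-01T10:00:00+02:00","remoteAddr":"12.34.56.78","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'user1' (Remote IP: '12.34.56.78')","userAgent":"curl\/7.64.0","version":"16.0.0.0"}''',
    "BENIGN": r'{"reqId":"c0nstructed03","level":1,"time":"2019-10-04T14:22:00+02:00","remoteAddr":"12.34.56.78","user":"pi","app":"core","method":"GET","url":"\/apps\/files","message":"Unrelated informational entry","userAgent":"curl\/7.64.0","version":"17.0.0.9"}',
}


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> like fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def extract_host(failregex: str, line: str):
    """Return the IP fail2ban would ban for this line, or None if no match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def match_table(failregexes: dict, lines: dict) -> dict:
    """Map each regex name to the list of sample line names it matches."""
    return {
        name: [lname for lname, line in lines.items() if extract_host(rx, line)]
        for name, rx in failregexes.items()
    }


if __name__ == "__main__":
    regexes = {
        "strict (NC<=16)": FAILREGEX_STRICT,
        "relaxed (NC17)": FAILREGEX_RELAXED,
        "both formats": FAILREGEX_BOTH,
    }
    for name, matched in match_table(regexes, SAMPLE_LINES).items():
        print(f"{name:16s} -> {matched}")
```

Running it shows the point made in this thread: the strict regex matches neither NC 17 line (quotes gone, and "app":"core" is not guaranteed), the relaxed regex matches both NC 17 lines regardless of the app field but not the quoted NC 16 format, and the benign entry is never matched. Fail2ban itself can be asked the same question with fail2ban-regex against the real log and filter file, which is the check to run after editing the filter.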
I wasn't aware that this could happen - thank you. I thought that core is always used for the authentication, that's why I deliberately stated "app": "core".
I now finally removed the first failregex line. I think that it was built for NC 11 or 12 but I am not sure; it is quite old and did not interfere with the rest, that's why I left it in.
First line format from your screenshot is deprecated with NC 17+. I do not know why, but it is.
So, basically you need only the 2 last lines to get it all working. The first one is only valid for NC 16 and before.