Nextcloud 17 and Fail2ban: Please check your regular expression

Hello there,

it came to my attention that an already set up Nextcloud with Fail2ban doesn’t ban properly after the update to Nextcloud 17. The regular expression used up to Nextcloud 16 (e.g. in /etc/fail2ban/filter.d/nextcloud.local) doesn’t match the log entries on Nextcloud 17.

I’ve updated the contents of the filter file for Nextcloud to this one:


[Definition]
failregex = ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$

It may be a good idea to test your Nextcloud/Fail2ban installation now and change the regex if no ban takes place.

3 Likes

Thank you!

I will wait a few days before updating NC to v17, because I am busy at work, and then I will test your regular expression.

Hi,

Very good catch @DecaTec!

Just to clarify a bit what exactly changed, because other users may have a slightly different regex in use and would like to keep changes to small adaptations.

Before NC 17 the log entries looked like:
..."message":"Login failed: 'user1' (Remote IP: '12.34.56.78')"...

With NC 17 that changed to:
..."message":"Login failed: user1 (Remote IP: 12.34.56.78)"...

So the single quotes around the username and the IP address have been removed.

@Schmu is it OK to have both lines in the conf file, or do I have to check which version of NC is installed?

Hi @Reiner_Nippes

Yes, this is totally okay. You can have multiple regex included, just like you have right now.

Just a question from my side, because I stumbled across that myself before: have you seen log entries for your first regex lately? Is that for an earlier NC version as well?
^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$

I have a question; maybe I am completely off track here, but why should the regex be that specific?
Things like "time":.* aren't really necessary to properly match the login attempt, so they only complicate things, right?

These are my failregex rules, btw:

failregex = ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
            ^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)",.*}$
            ^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: .* \(Remote IP: <HOST>\)",.*}$

If I am wrong here please correct me. I am quite curious.

copy&paste :slight_smile:
https://www.c-rieger.de/nextcloud-installation-guide-ubuntu-18-04/#c06

@mightyBroccoli I had the same idea.

I agree. I wasn't brave enough yet to remove most of the additional and specific entries :smiley:

However, what you should definitely remove is "app":"core", because this will not be contained in every "Login failed" log entry; sometimes it contains "app":"no app in context" instead.
Example from my logs:

{"reqId":"0q6S7d7f7as23","level":2,"time":"2019-10-04T14:20:18+02:00","remoteAddr":"12.34.56.78","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}

My log file is pretty huge, covering a long time range, and when grepping for the first regex I find no entry, only for the second and the third, @Reiner_Nippes.
So if this entry is not needed for NC13, NC14 or some old versions like that, I think it can be removed.

My regex currently (for NC17):

[Definition]
failregex = ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":".*".*","message":"Login failed: .* \(Remote IP: <HOST>\)".*}$

Not very clean, I know, but as mentioned I wasn’t very brave yet :wink:
Very likely this would be totally fine as well:
^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$

btw: does anyone know how to get this working on CentOS/Fedora with SELinux on?

I could only find this thread: https://forum.owncloud.org/viewtopic.php?t=25708
The solution mentioned there is to move the nextcloud.log to /var/log.

I wasn't aware that this could happen. Thank you. I thought that core is always used for authentication; that's why I deliberately stated "app":"core".

I have now finally removed the first failregex line. I think it was built for NC 11 or 12, but I am not sure; it is quite old and did not interfere with the rest, which is why I left it in.

[Definition]
failregex = ^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$
            ^{.*Login failed: .* \(Remote IP: <HOST>.*}$

Works for me on NC16 and should also do for NC17.

3 Likes
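To see the quoting change, the "app":"core" caveat and the two-line filter from the post above side by side, here is an added example that checks the regex variants from this thread against sample log lines offline. It is not code from the original posts, from Nextcloud or from fail2ban: it emulates only fail2ban's <HOST> placeholder substitution with a simplified capture group (an assumption; fail2ban's own group and its datepattern handling are not reproduced). The NC 17 line is the one quoted above; the NC 16-style line and the non-login line are constructed here following the quoting shown in the thread.

```python
"""Offline check of fail2ban failregex candidates against Nextcloud log lines.

Added example (not from the thread, Nextcloud or fail2ban): it emulates only
the <HOST> placeholder substitution, not fail2ban's date handling.
"""
import re

# fail2ban replaces <HOST> with a named capture group before compiling.
# Assumption: this simplified group is enough for IPv4/IPv6 literals.
HOST_GROUP = r"(?P<host>[0-9a-fA-F.:]+)"

# failregex lines from the thread (fail2ban escaping kept as-is).
NC16_QUOTED = r"""^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$"""
NC17_UNQUOTED = r"""^{.*Login failed: .* \(Remote IP: <HOST>.*}$"""
NC17_APP_CORE = r"""^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: .* \(Remote IP: <HOST>\)",.*}$"""

# NC 17 line quoted in the thread ("no app in context", no single quotes).
NC17_LINE = r'{"reqId":"0q6S7d7f7as23","level":2,"time":"2019-10-04T14:20:18+02:00","remoteAddr":"12.34.56.78","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}'
# Constructed NC 16-style line: same keys, but username and IP single-quoted.
NC16_LINE = r"""{"reqId":"ab12cd34ef56","level":2,"time":"2019-09-01T10:00:00+02:00","remoteAddr":"12.34.56.78","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'user1' (Remote IP: '12.34.56.78')","userAgent":"curl\/7.58.0","version":"16.0.4.1"}"""
# Constructed line that must never produce a ban.
OTHER_LINE = r'{"reqId":"ffeeddccbbaa","level":1,"time":"2019-09-01T10:00:01+02:00","remoteAddr":"12.34.56.78","user":"user1","app":"core","method":"GET","url":"\/index.php","message":"Request finished","userAgent":"curl\/7.58.0","version":"16.0.4.1"}'


def compile_failregex(failregex):
    """Turn one fail2ban failregex line into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def match_host(failregexes, line):
    """Return the host captured by the first matching failregex, else None."""
    for failregex in failregexes:
        m = compile_failregex(failregex).match(line)
        if m:
            return m.group("host")
    return None


def check_filter(failregexes, lines):
    """Map each log line to the host it would ban (None = no match)."""
    return {line: match_host(failregexes, line) for line in lines}


if __name__ == "__main__":
    lines = [NC16_LINE, NC17_LINE, OTHER_LINE]
    for name, regexes in [
        ("old quoted regex only", [NC16_QUOTED]),
        ('"app":"core" variant only', [NC17_APP_CORE]),
        ("both lines from the thread", [NC16_QUOTED, NC17_UNQUOTED]),
    ]:
        print(name)
        for line, host in check_filter(regexes, lines).items():
            verdict = "ban " + host if host else "no match"
            print("   ", verdict, "<-", line[:60] + "...")
```

The old quoted regex alone misses the NC 17 line, the "app":"core" variant misses the "no app in context" line, and only the two-line filter bans 12.34.56.78 for both formats while ignoring the ordinary request. On a real installation, run the equivalent check with fail2ban's own tool, `fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.local`, which also applies the filter's datepattern that this script does not emulate.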

Thank you! Your code is simpler and easier to read.

It works on Nextcloud 17.0.1