Nextcloud 17 and Fail2ban: Please check your regular expression

Hello there,

it came to my attention that an already set up Nextcloud with Fail2ban doesn’t ban properly after the update to Nextcloud 17. The regular expression used up to Nextcloud 16 (e.g. in /etc/fail2ban/filter.d/nextcloud.local) doesn’t match the log entries on Nextcloud 17.

I’ve updated the contents of the filter file for Nextcloud to this one:


[Definition]
failregex = ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$

It may be a good idea to test your Nextcloud/Fail2ban installation now and change the regex if no ban takes place.

3 Likes

Thank you!

I will wait a few days before updating NC to v17, because I am busy with my work, and then I will test your regular expression.

Hi,

Very good catch @DecaTec!

Just to clarify a bit what exactly changed, because other users may have slightly different regexes in use and would like to keep changes to small adaptations.

Before NC 17 the log entries looked like:
..."message":"Login failed: 'user1' (Remote IP: '12.34.56.78')"...

With NC 17 that changed to:
..."message":"Login failed: user1 (Remote IP: 12.34.56.78)"...

So the single quotes around the username and the IP address have been removed.

@Schmu is it ok to have both lines in the conf file? Or do I have to check which version of NC is installed?

Hi @Reiner_Nippes

Yes, this is totally okay. You can have multiple regex included, just like you have right now.

Just a question from my side, because I stumbled across that myself before: have you seen log entries for your first regex lately? Is that for an earlier NC version as well?
^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$

I have a question, maybe I am completely off track here, but why should the regex be that specific?
Things like "time":.* aren’t really necessary to properly match the login attempt, so they only complicate things, right?

These are my failregex rules btw:

failregex = ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
            ^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)",.*}$
            ^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: .* \(Remote IP: <HOST>\)",.*}$

If I am wrong here please correct me. I am quite curious.

copy&paste :slight_smile:
https://www.c-rieger.de/nextcloud-installation-guide-ubuntu-18-04/#c06

@mightyBroccoli i had the same idea.

I agree. I wasn’t brave enough yet to remove most of the additional and specific entries :smiley:

However, what you should definitely remove is: "app":"core"
Because this will not be contained in every “Login failed” log entry, and it sometimes contains "app":"no app in context"
Example from my logs:

{"reqId":"0q6S7d7f7as23","level":2,"time":"2019-10-04T14:20:18+02:00","remoteAddr":"12.34.56.78","user":"--","app":"no app in context","method":"POST","url":"\/login","message":"Login failed: pi (Remote IP: 12.34.56.78)","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}

My log file is pretty huge, covering a long time range, and when grepping for the first regex I find no entry, only for the second and the third, @Reiner_Nippes.
So if this entry is not needed for NC13, NC14 or some old versions like that, I think it can be removed.

My regex currently (for NC17):

[Definition]
failregex= ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":".*".*","message":"Login failed: .* \(Remote IP: <HOST>\)".*}$

Not very clean, I know, but as mentioned I wasn’t very brave yet :wink:
Very likely this would be totally fine as well:
^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$
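To see the effect of the quoting change and of pinning "app":"core", here is an added Python example (not code from this thread) that compiles three of the failregex lines discussed above the way fail2ban does, by expanding `<HOST>` into a named group, and runs them over constructed log lines in the NC16 format, the NC17 format with "app":"core", and the NC17 format with "app":"no app in context". `HOST_RE` is a simplified stand-in for fail2ban's real `<HOST>` expansion; request ids and addresses are made up.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (an assumption for this
# example; fail2ban's real expansion is more permissive about IPv6 and names).
HOST_RE = r"(?P<host>[\w.:-]+)"

# failregex lines from the thread, keyed by the log format they assume.
FILTERS = {
    # NC16 format: username and IP wrapped in single quotes
    "nc16_quoted": r"^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$",
    # NC17 format, but pinned to "app":"core"
    "nc17_core": r'^{"reqId":".*",.*,"app":"core",.*,"message":"Login failed: .* \(Remote IP: <HOST>\)",.*}$',
    # NC17 format, matching only on the message field
    "nc17_minimal": r'^{.*"message":"Login failed: .* \(Remote IP: <HOST>\)".*}$',
}

# Constructed sample log lines (request ids and addresses are made up; the
# third carries the "no app in context" value seen in real NC17 logs).
LOG_LINES = {
    "nc16": ('{"reqId":"abc123","remoteAddr":"12.34.56.78","app":"core",'
             '"message":"Login failed: \'user1\' (Remote IP: \'12.34.56.78\')",'
             '"level":2,"time":"2019-09-01T10:00:00+02:00"}'),
    "nc17_core": ('{"reqId":"abc124","level":2,"time":"2019-10-04T14:20:18+02:00",'
                  '"remoteAddr":"12.34.56.78","user":"--","app":"core","method":"POST",'
                  '"url":"\\/login","message":"Login failed: user1 (Remote IP: 12.34.56.78)",'
                  '"version":"17.0.0.9"}'),
    "nc17_noapp": ('{"reqId":"abc125","level":2,"time":"2019-10-04T14:20:18+02:00",'
                   '"remoteAddr":"12.34.56.78","user":"--","app":"no app in context",'
                   '"method":"POST","url":"\\/login",'
                   '"message":"Login failed: pi (Remote IP: 12.34.56.78)",'
                   '"version":"17.0.0.9"}'),
}


def compile_failregex(pattern):
    """Expand <HOST> into a named group, as fail2ban does before compiling."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matched_host(filter_name, line_name):
    """Address the named failregex would hand to fail2ban for the named line, or None."""
    m = compile_failregex(FILTERS[filter_name]).search(LOG_LINES[line_name])
    return m.group("host") if m else None


def coverage():
    """Map each failregex to the set of sample lines it catches."""
    return {f: {l for l in LOG_LINES if matched_host(f, l)} for f in FILTERS}


if __name__ == "__main__":
    for f, lines in coverage().items():
        print(f"{f:13s} catches: {sorted(lines) or 'nothing'}")
```

Running it shows the quoted NC16 pattern catching only the NC16 line, the "app":"core" pattern missing the "no app in context" line entirely, and the message-only pattern catching both NC17 lines; a jail that kept only the first pattern would silently stop banning after the upgrade.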

btw: does anyone know how to get this working on CentOS/Fedora with SELinux on?

I could only find this thread: https://forum.owncloud.org/viewtopic.php?t=25708
The solution mentioned there is to move the nextcloud.log to /var/log.

I wasn’t aware that this could happen - Thank you. I thought that core is always used for the authentication, that’s why I deliberately stated "app": "core".

I now finally removed the first failregex line. I think it was built for NC 11 or 12, but I am not sure; it is quite old and did not interfere with the rest, which is why I left it in.

[Definition]
failregex = ^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$
            ^{.*Login failed: .* \(Remote IP: <HOST>.*}$

Works for me on NC16 and should also do for NC17.

3 Likes

Thank you! Your code is simpler and easier to read.

It works on Nextcloud 17.0.1

Hi All,

I’m on 17.03.

/etc/fail2ban/filter.d/nextcloud.conf:
[Definition]
failregex = ^{.*Login failed: .* \(Remote IP: <HOST>\).*}$
            ^{.*Login failed: .* \(Remote IP: '<HOST>'\).*}$
            ^.*"remoteAddr":"<HOST>".*Trusted domain error.*$
            ^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$
            ^{.*Login failed: .* \(Remote IP: <HOST>.*}$

/etc/fail2ban/jail.d/nextcloud.local:
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
# Number of retries before a ban
maxretry = 3
# time in seconds
bantime = 36000
findtime = 36000
logpath = /mnt/ssd1TB_A/nextcloud/data/nextcloud.log << PATH IS CORRECT

fail2ban-regex /mnt/ssd1TB_A/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf --print-all-matched:

Running tests
Use failregex filter file : nextcloud, basedir: /etc/fail2ban
Use single line : /mnt/ssd1TB_A/nextcloud/data/nextcloud.log

Results
Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.07 sec]

|- Missed line(s):
| /mnt/ssd1TB_A/nextcloud/data/nextcloud.log

Any idea what’s going on…?

Thanks very much.

Try with:

/etc/fail2ban/filter.d/nextcloud.conf

[Definition]
failregex = ^{.*Login failed: '.*' \(Remote IP: '<HOST>'.*}$
            ^{.*Login failed: .* \(Remote IP: <HOST>.*}$
            ^.*"remoteAddr":"<HOST>".*Trusted domain error.*$

That was also discussed here:

and here:

I tried to push a similar solution, but in the end this one was taken:

[INCLUDES]
before = common.conf

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
ignoreregex =

[Definition]
failregex=^{.Login failed: ‘.’ (Remote IP: ‘’.}$
^{.Login failed: . (Remote IP: .}$
^.*“remoteAddr”:"".Trusted domain error.$

ignoreregex =

pi@raspberrypi4:/etc/fail2ban $ sudo fail2ban-regex /mnt/ssd1TB_A/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf --print-all-matched

Running tests

Use failregex filter file : nextcloud, basedir: /etc/fail2ban
ERROR: Unable to compile regular expression ‘^{.Login failed: ‘.’ (Remote IP: ‘.’}$’

Your first link works, thank you!

[Definition]
failregex = ^{.*Login failed: .* \(Remote IP: <HOST>\).*}$
            ^.*"remoteAddr":"<HOST>".*Trusted domain error.*$
ignoreregex =

2 Likes
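Two things go wrong in the posts above that are easy to catch before touching the jail: failregex lines pasted from rendered forum text lose their `<HOST>` tag, a backslash or a quote (the "Unable to compile regular expression" error shown above), and the upstream-style filter only works with the `|` inside `_groupsre`, a character that is easily lost when the file is pasted through a forum. Also, `Use single line : /mnt/...` in the earlier fail2ban-regex output means the tool could not open that path as a file for the invoking user and tested the path string itself as the log line, which is why the later run under sudo got further. The following Python script is an added example, not code from this thread or from the fail2ban project: it parses a `[Definition]` section the way fail2ban reads it (`%(name)s` expansion, `%%` for a literal `%`, indented continuation lines), flags patterns that lack `<HOST>` or fail to compile, and runs the usable ones against constructed NC16 and NC17 log lines. `HOST_RE` is a simplified stand-in for fail2ban's `<HOST>` expansion, and the sample lines and addresses are made up.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (an assumption for this
# example; fail2ban's real expansion is more permissive about IPv6 and names).
HOST_RE = r"(?P<host>[\w.:-]+)"

# Constructed sample log lines (request ids and addresses are made up).
NC16_LINE = ('{"reqId":"abc123","remoteAddr":"12.34.56.78","app":"core",'
             '"message":"Login failed: \'user1\' (Remote IP: \'12.34.56.78\')",'
             '"level":2,"time":"2019-09-01T10:00:00+02:00"}')
NC17_LINE = ('{"reqId":"abc124","level":2,"time":"2019-10-04T14:20:18+02:00",'
             '"remoteAddr":"12.34.56.78","user":"--","app":"no app in context",'
             '"method":"POST","url":"\\/login",'
             '"message":"Login failed: pi (Remote IP: 12.34.56.78)","version":"17.0.0.9"}')

# Filter in the style of the upstream fail2ban nextcloud.conf quoted above.
# The '|' in _groupsre lets it step over bare JSON values such as "level":2.
UPSTREAM_FILTER = r"""
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
ignoreregex =
"""

# The same filter with the '|' replaced by a space, as a forum paste can leave it.
BROKEN_GROUPSRE_FILTER = UPSTREAM_FILTER.replace('"|\\w+', '" \\w+')

# Patterns as they come out of rendered forum text: the first is intact, the
# second lost its <HOST> tag, the third lost a backslash and a quote.
PASTED_FILTER = r"""
[Definition]
failregex = ^{.*Login failed: .* \(Remote IP: <HOST>\).*}$
            ^{.*Login failed: .* (Remote IP: ).*}$
            ^{.Login failed: '.' (Remote IP: '<HOST>'.}$
ignoreregex =
"""


def load_definition(filter_text):
    """Read a [Definition] section: %(name)s is expanded, %% becomes %, and
    indented lines continue the previous option. Only '=' is accepted as the
    delimiter because the regexes themselves contain ':'.
    Returns (list of failregex patterns, datepattern or None)."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   interpolation=configparser.BasicInterpolation())
    cp.read_string(filter_text)
    raw = cp.get("Definition", "failregex", fallback="")
    patterns = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    return patterns, cp.get("Definition", "datepattern", fallback=None)


def lint_patterns(patterns):
    """Return (pattern, problem) pairs; problem is None when fail2ban could use it."""
    out = []
    for pat in patterns:
        if "<HOST>" not in pat:
            out.append((pat, "no <HOST> tag, nothing to ban"))
            continue
        try:
            re.compile(pat.replace("<HOST>", HOST_RE))
        except re.error as exc:
            out.append((pat, f"does not compile: {exc}"))
            continue
        out.append((pat, None))
    return out


def banned_host(filter_text, line):
    """Address the first usable failregex extracts from `line`, or None."""
    patterns, _ = load_definition(filter_text)
    for pat, problem in lint_patterns(patterns):
        if problem:
            continue
        m = re.compile(pat.replace("<HOST>", HOST_RE)).search(line)
        if m:
            return m.group("host")
    return None


if __name__ == "__main__":
    for name, text in [("upstream", UPSTREAM_FILTER),
                       ("broken _groupsre", BROKEN_GROUPSRE_FILTER),
                       ("pasted", PASTED_FILTER)]:
        print(f"== {name}")
        for pat, problem in lint_patterns(load_definition(text)[0]):
            print("  ", "OK " if problem is None else "BAD", pat, problem or "")
        for label, line in [("NC16", NC16_LINE), ("NC17", NC17_LINE)]:
            print(f"   {label}: bans {banned_host(text, line)}")
```

Running the script prints, for each filter, which patterns are usable and which address each sample line would ban. Only the upstream-style filter catches both log formats, because it anchors on the remoteAddr field rather than on the quoting inside the message, and it stops catching anything once the `|` is gone; the pasted filter still bans on NC17 lines through its one intact pattern, while the two damaged patterns are reported instead of failing silently.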

I tried to ban myself with the filter I gave you and it works fine with Nextcloud v17.0.3:

This is the filter: (I pasted an image so you can view it)

And the attempt to see if the regex works: 6 lines match the regex

And I’m glad you finally got it to work :grinning:

1 Like

The first-line format from your screenshot is deprecated with NC 17+. I do not know why, but it is.
So basically you need only the last 2 lines to get everything working. The first one is only valid for NC 16 and before.

1 Like

Oh, I did not know it was for older versions, so I will delete it, thank you!