NextCloud additional security

I have just installed nextcloud and going through my security checklist and additional secure scripting with GitHub - tower9/hostblock: Automatic blocking of suspicious remote IP hosts - tool monitors log files for suspicious activity to automatically deny further access with iptables..
On my other webserver with nginx/django I am using a script which checks the logs and if some IPs is constantly checking paths that goes to 404 doesnt exists i mark that IP and put to a blacklist after time.
The thing with nextcloud logs it is redirecting to login page all the time and i cant catch bad behavior 404.
It is handeling as redirects and after obvious 200 as login page
Please advice - - [15/Jun/2021:12:20:12 +0000] "GET /core/img/actions/toggle.svg HTTP/1.1" 200 1473 "-" "Mozilla/5.0 (Windows NT 10.0; W
OW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" - - [15/Jun/2021:12:20:12 +0000] "GET / HTTP/1.1" 302 6816 "-" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Fir
efox/33.0" - - [15/Jun/2021:12:20:13 +0000] "GET /index.php/login HTTP/1.1" 200 10442 "-" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Ge
cko/20100101 Firefox/33.0" - - [15/Jun/2021:12:31:12 +0000] "GET /core/js/dist/login.js?v=5fdb2892-0 HTTP/1.1" 200 216080 "-" "Mozilla/5.0 (Windows
 NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.71 Safari/537.36"

What about just counting the number of times an IP address hits /login? A legit user should only hit that a couple of times.

1 Like

hmmmmmmmm :stuck_out_tongue:
Good idea