Server Errors on Login lead to throttling?

Nextcloud version (eg, 20.0.5): 27.0.2
Operating system and version (eg, Ubuntu 20.04): Centos 7
Apache or nginx version (eg, Apache 2.4.25): nginx 1.20.1
PHP version (eg, 7.4): 8.1.22

When something goes wrong in the setup (in my case usually the session folder being inaccessible), any login attempt is counted as a failed login attempt despite the fact that the right password was entered. This is massively annoying when trying to debug what’s going on as an admin.

Steps to replicate it:

  1. Change permissions of the session folder so no Session can be created.
  2. Attempt logging in.
  3. Get throttled and then banned.

The output of your Nextcloud log in Admin > Logging:

Information	no app in context	IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 25000, ip: IP]		2023-08-13T11:49:27+0200
Information	core	Bruteforce attempt from "IP" detected for action "login".		2023-08-13T11:49:27+0200
Fehler	PHP	session_start(): Failed to read session data: files (path: /var/lib/php/session) at /var/www/nextcloud/lib/private/Session/Internal.php#222		2023-08-13T11:49:27+0200
Fehler	PHP	session_start(): open(/var/lib/php/session/sess_3qhfg3g4d7ivts8fcabvkik4ah, O_RDWR) failed: Permission denied (13) at /var/www/nextcloud/lib/private/Session/Internal.php#222		2023-08-13T11:49:27+0200
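A small triage script, added here as an example and not part of the original thread, that reads log lines in the tab-separated shape quoted above and flags throttled IPs whose bruteforce events coincide with PHP session_start() failures. The sample lines are constructed from the quoted output (the "IP" placeholder is kept), a second entry for another IP is constructed, and the 60-second correlation window is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log excerpt above: columns are
# level, app, message, (empty), timestamp, separated by tabs.
SAMPLE_LOG = (
    "Information\tno app in context\tIP address throttled because it reached the attempts "
    "limit in the last 30 minutes [action: login, delay: 25000, ip: IP]\t\t2023-08-13T11:49:27+0200\n"
    "Information\tcore\tBruteforce attempt from \"IP\" detected for action \"login\".\t\t2023-08-13T11:49:27+0200\n"
    "Fehler\tPHP\tsession_start(): Failed to read session data: files (path: /var/lib/php/session) "
    "at /var/www/nextcloud/lib/private/Session/Internal.php#222\t\t2023-08-13T11:49:27+0200\n"
    "Fehler\tPHP\tsession_start(): open(/var/lib/php/session/sess_3qhfg3g4d7ivts8fcabvkik4ah, O_RDWR) "
    "failed: Permission denied (13) at /var/www/nextcloud/lib/private/Session/Internal.php#222\t\t2023-08-13T11:49:27+0200\n"
    # Constructed extra entry: a throttle event with no session error nearby.
    "Information\tcore\tBruteforce attempt from \"203.0.113.7\" detected for action \"login\".\t\t2023-08-13T12:05:01+0200\n"
)

BRUTEFORCE_RE = re.compile(r'Bruteforce attempt from "([^"]+)" detected for action "([^"]+)"')
SESSION_ERR_RE = re.compile(r"session_start\(\):")
WINDOW_SECONDS = 60  # assumed correlation window, not a Nextcloud setting


def parse(log_text):
    """Yield (timestamp, level, app, message) for each well-formed tab-separated line."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5:
            continue  # skip lines that do not match the admin-log column layout
        level, app, message, _, stamp = parts[:5]
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z"), level, app, message


def classify(log_text, window=WINDOW_SECONDS):
    """Map each IP with a bruteforce event to 'server-error' when a PHP
    session_start() failure was logged within `window` seconds, else 'credential'."""
    events = list(parse(log_text))
    session_errors = [ts for ts, _, app, msg in events
                      if app == "PHP" and SESSION_ERR_RE.search(msg)]
    verdicts = {}
    for ts, _, _, msg in events:
        match = BRUTEFORCE_RE.search(msg)
        if not match:
            continue
        ip = match.group(1)
        near_error = any(abs((ts - err).total_seconds()) <= window for err in session_errors)
        # Once an IP is tied to a server error, keep that verdict for later events too.
        if near_error or verdicts.get(ip) == "server-error":
            verdicts[ip] = "server-error"
        else:
            verdicts[ip] = "credential"
    return verdicts
```

A "server-error" verdict means the throttling should be treated as an infrastructure problem (the session backend) rather than a credential-guessing attempt.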

Does your session folder end up with the wrong permissions routinely? If so, that would seem the issue to troubleshoot.

But in any case, there’s nothing stopping you from disabling brute force protection at your discretion:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#auth-bruteforce-protection-enabled

Note brute force protection just slows down login attempts. It doesn’t ban you.

Maybe you also have fail2ban set up and that’s kicking in?

https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html?highlight=ban#setup-fail2ban

I guess I get what you’re saying where it is frustrating to be slowed down and/or banned when some other issue is causing login problems, but these other issues shouldn’t be a regular occurrence. If they are, they should probably be addressed.

I think fail2ban can also be set up to exclude your local IP addresses, so that might also help you.

Hello,

I have a similar issue; it seems some Android client fails to log in, which then in turn leads to the following error/throttling:

IP address throttled because it reached the attempts limit in the last 30 minutes [action: login

The troubling point for me is that a) the IP address is the address of the reverse proxy and b) the error does not explain WHICH account is actually troubling. Instead, everybody is punished.

→ So, how to know the user name responsible for the login failure?

Aron