Just for reference, this is what I did to enable fail2ban for Nextcloud logins:
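```sh
# Filter: matches failed-login entries in nextcloud.log.
# The quoted delimiter keeps the regex literal (no shell expansion).
cat << '_EOF_' > /etc/fail2ban/filter.d/nextcloud.conf
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
_EOF_
# Keep the packaged jail.conf untouched and put local changes in jail.local.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cat << '_EOF_' >> /etc/fail2ban/jail.local
[nextcloud]
enabled = true
port = http,https
#protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 600
logpath = /path/to/nextcloud.log
_EOF_
systemctl restart fail2ban
```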
This of course is just for failed login attempts, and I'm not sure if this is still current.
I don’t remember exactly, but I guess `jail.local` will be preferred over `jail.conf`, so this allows you to keep the original `jail.conf` in case of failure, to allow automated APT updates etc.
For trusted domain errors, it could be something like this:
```
failregex={"reqId":".*","level":2,"time":".*","remoteAddr":"<HOST>",.*,"message":"Trusted domain error.*",.*}
```
I just took the string from here: Trusted domain error from external - security issue?
To be sure, check how exactly the logs appear within your `nextcloud.log`.
That `iptables -A INPUT -s 183.60.210.52 -j DROP` does not work is indeed very strange. This should block on kernel level via netfilter, no idea how this can fail.
But good you found an alternative.
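An added example, not part of the original post: a small check of the two `failregex` values above against log lines, showing that a filter silently matches nothing when the field order of `nextcloud.log` differs from what the regex expects. The sample log lines are constructed for illustration, and the `<HOST>` substitution is a simplified IPv4-only stand-in for what fail2ban does.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex values from the post, copied verbatim.
LOGIN_FAILED = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}'''
TRUSTED_DOMAIN = r'''{"reqId":".*","level":2,"time":".*","remoteAddr":"<HOST>",.*,"message":"Trusted domain error.*",.*}'''

# Constructed sample lines (not taken from a real nextcloud.log).
# POST_LAYOUT: failed login in the field order the login regex expects.
POST_LAYOUT = (
    r'''{"reqId":"r1","remoteAddr":"198.51.100.23","app":"core",'''
    r'''"message":"Login failed: 'admin' (Remote IP: '198.51.100.23')",'''
    r'''"level":2,"time":"2017-01-01T10:00:00+00:00"}'''
)
# REORDERED: the same event in the field order of the trusted-domain pattern.
REORDERED = (
    r'''{"reqId":"r2","level":2,"time":"2019-01-01T10:00:00+00:00",'''
    r'''"remoteAddr":"198.51.100.23","user":"--","app":"core","method":"POST",'''
    r'''"url":"/login","message":"Login failed: 'admin' (Remote IP: '198.51.100.23')",'''
    r'''"userAgent":"--","version":"15.0.0"}'''
)
TRUSTED = (
    r'''{"reqId":"r3","level":2,"time":"2019-01-01T10:05:00+00:00",'''
    r'''"remoteAddr":"203.0.113.7","user":"--","app":"core","method":"GET",'''
    r'''"url":"/","message":"Trusted domain error. \"203.0.113.7\" tried to access '''
    r'''using \"example.invalid\" as host.","userAgent":"--","version":"15.0.0"}'''
)


def banned_host(failregex, line):
    """Return the address the filter would report for this line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def report():
    """Run both filters over all sample lines; None means no match, so no ban."""
    lines = {"post_layout": POST_LAYOUT, "reordered": REORDERED, "trusted": TRUSTED}
    filters = {"login": LOGIN_FAILED, "trusted_domain": TRUSTED_DOMAIN}
    return {(f, name): banned_host(rx, line)
            for f, rx in filters.items() for name, line in lines.items()}


if __name__ == "__main__":
    for (flt, name), host in report().items():
        print(f"{flt:15} {name:12} -> {host}")
```

On the server itself, `fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` runs the installed filter against the real log and reports how many lines matched.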