Somebody wants to bruteforce my Nextcloud and some Fatal errors webdav


#1

Nextcloud version (13.0.4)
Operating system and version (Ubuntu 16.04)
Apache version (Apache/2.4.18 (Ubuntu))
PHP version (7.0.30-0ubuntu0.16.04.1)

Recently I had a lot of Warnings in my ncdomain/settings/admin/logging

Somebody wants to bruteforce me.
I added the line
'auth.bruteforce.protection.enabled' => true,
to config.php.
Looks like there are far fewer Warnings now.

I don’t know if it is connected, but now I have a lot of Fatal errors like this:

https://pastebin.com/MP35XRPP
https://pastebin.com/H8WhsHFX

  1. Should I do something after adding the line
     'auth.bruteforce.protection.enabled' => true,
     to config.php? Is it enough for protection from bruteforce?
  2. How can I check whether I have been pwned?
  3. What do these Fatals mean? How do I fix them?

#2

Welcome to the unsecured world of the internet.

Personally, I have done the following steps to try to protect my server:

  • HTTPS enabled.
  • Firewall rules that drop anything except my rules.
  • Fail2ban monitoring, which simply bans any source IP that fails any of the authorized rules more than 3 times (like ssh, http, postfix).

Of course, you can try to use Nextcloud tools or apps, but securing your server comes first.


#3

Please tell me more about Fail2ban.
I saw that there was an app for Nextcloud, Fail2ban, but now it is archived.
OwnCloud has a bruteforce protection app, but I didn’t find such an app in Nextcloud.


#4

https://apps.nextcloud.com/apps/bruteforcesettings


#5

You’ll get trusted domain errors if you or someone else tries to access your server using the server IP or a domain which is not listed as a trusted domain in config.php. Mostly it’s just a harmless bot crawling around.
You’ll need the bruteforce app if you see errors about bad passwords. It will block an IP after a few wrong passwords.

Webdav errors in the middle. Insufficient storage. Are you running out of space?


#6

Yes, I installed this app, but there are no settings for bruteforce and blocking.
This is a screenshot from the OwnCloud app


This is from Nextcloud, only IP range.

Interesting. I tried to imagine this, but have no idea how they do it. How can I repeat it? I’m curious.

No, I have enough space. I use smb external storage and some of this storage is configured only for reading. Maybe this is the reason?


#7

This is why you need to secure your server at the kernel level and not the app level.
Fail2ban+iptables = kernel level
nextcloud = app


#8

Well, I have a 3-month-old VPS running Nextcloud. I have untrusted domain errors quite often and mostly for the same domain. I bet it’s the old owner’s domain and still configured to the IP, which is my server IP now. It can be a misconfiguration also. Just wait and the errors will probably stop. If it’s done on purpose, that’s something I don’t know why…


#9

No, locking problems probably because of not using Redis.


#10

Nextcloud bruteforce protection app is good enough until you regularly face bot actions. Also I think the app does not ban based on untrusted domain issues, just on wrong login authentication? Although it is not risky, the error messages are simply annoying I guess, thus you want to block them in the first place.

Fail2ban indeed is the more powerful, complete solution. You can let it watch the Nextcloud log and configure your own ban rules based on the error messages you face. When some specific bot/IP/error does not disappear, you can let iptables block it permanently.

I can post some fail2ban nextcloud jail later, that I successfully used some time ago.
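The log-watching approach described in the post above, as an added example that is not part of the original thread and is not a fail2ban jail from any poster: it reads Nextcloud's JSON-per-line log, applies a fail2ban-style "maxretry within findtime" window per source address, and reports which addresses would be banned. The field names (`time`, `remoteAddr`, `message`), the message prefixes, the threshold values and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed message prefixes for the two event types discussed in the thread.
PREFIXES = {"login_failed": "Login failed", "untrusted_domain": "Trusted domain error"}

def parse(lines):
    """Yield (time, ip, kind) for matching entries; skip lines that are not valid entries."""
    for raw in lines:
        try:
            entry = json.loads(raw)
            ts = datetime.fromisoformat(entry["time"])
            ip, msg = entry["remoteAddr"], str(entry["message"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated, blank or non-JSON line
        for kind, prefix in PREFIXES.items():
            if msg.startswith(prefix):
                yield ts, ip, kind

def would_ban(lines, maxretry=3, findtime=timedelta(minutes=10), kinds=("login_failed",)):
    """Return {ip: time the threshold was reached}: maxretry hits within findtime."""
    recent, banned = defaultdict(deque), {}
    for ts, ip, kind in sorted(parse(lines)):
        if kind not in kinds or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def _line(ts, ip, msg):  # builds one constructed log line
    return json.dumps({"level": 2, "time": f"2018-07-01T{ts}+00:00",
                       "remoteAddr": ip, "message": msg})

# Constructed sample log (documentation-range addresses), not taken from the pastebins.
SAMPLE = (
    [_line(t, "203.0.113.5", "Login failed: 'admin' (Remote IP: '203.0.113.5')")
     for t in ("10:00:00", "10:00:20", "10:00:40")]           # rapid guessing
    + [_line(t, "198.51.100.7", "Login failed: 'bob' (Remote IP: '198.51.100.7')")
       for t in ("09:00:00", "09:30:00", "10:00:00")]         # slow, outside findtime
    + [_line(t, "192.0.2.9", 'Trusted domain error. "192.0.2.9" tried to access '
             'using "old.example.org" as host.')
       for t in ("10:01:00", "10:01:05", "10:01:10")]         # untrusted-domain noise
    + ['{"level":2,"time":"2018-07-01T10:02']                 # truncated line, ignored
)

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE).items():
        print(f"{ip} reaches maxretry at {when.isoformat()}")
```

Passing `kinds=("login_failed", "untrusted_domain")` also counts trusted domain errors, which is the choice between banning only on bad passwords and banning on the crawler noise as well.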


#11

Thanks to all.
In Nextcloud I use only external storage, so I thought that I had enough free space in my Ubuntu.
But I just found out that I probably ran out of free space.
I added some space; I’ll monitor the logs.
Then I will try to use Redis, as you suggested.


#12

Regarding the trusted domain, it depends what you want to do. If you want to access your cloud via the ip/different hostname as well, add the IP to your trusted hosts. If you don’t want to use the IP directly, you could either set up a virtual host for direct ip access (with an empty page), redirect them (htaccess & rewrite rules) or just keep the trusted domain errors.