Somebody wants to bruteforce my Nextcloud and some Fatal errors webdav

Nextcloud version (13.0.4)
Operating system and version (Ubuntu 16.04)
Apache version (Apache/2.4.18 (Ubuntu))
PHP version (7.0.30-0ubuntu0.16.04.1)

Recently I had a lot of Warnings in my ncdomain/settings/admin/logging

Somebody wants to bruteforce me.
I added the line
'auth.bruteforce.protection.enabled' => true,
to config.php
Looks like there are much fewer Warnings now.

I don’t know if it is connected, but now I have a lot of Fatals like this:

https://pastebin.com/MP35XRPP
https://pastebin.com/H8WhsHFX

  1. Should I do something after adding the line
    'auth.bruteforce.protection.enabled' => true,
    to config.php? Is it enough for protection from bruteforce?
  2. How do I check whether I have been pwned?
  3. What do these Fatals mean? How do I fix them?

Welcome to the unsecured world of the internet.

Personally, I have done the following steps to try to protect my server:

  • HTTPS enabled.
  • Firewall rules which drop anything except my rules.
  • Fail2ban monitoring which simply bans any IP sources which failed any of the authorized rules more than 3 times (like ssh, http, postfix).

Of course, you can try to use Nextcloud tools or apps, but securing your server comes first.

1 Like

Please tell me more about Fail2ban.
I saw that there were some apps for Nextcloud - Fail2ban, but now it is archived.
OwnCloud has a bruteforce protection app, but I didn’t find such an app in Nextcloud.

You’ll get trusted domain errors if you or someone else tries to access your server using the server IP or a domain which is not listed as a trusted domain in config.php. Mostly it’s just a harmless bot crawling around.
You’ll need the Bruteforce app if you see errors about bad passwords. It will block an IP after a few wrong passwords.

Webdav errors in the middle. Insufficient storage. Are you running out of space?

Yes, I installed this app, but there are no settings for bruteforce and blocking.
This is a screenshot from the OwnCloud app


This is from Nextcloud, only IP range.
https://i.imgur.com/1Q5WUox.png

Interesting. I tried to imagine this, but have no idea how they do it. How can I repeat it? I’m curious.

No I have enough space. I use smb external storage and some of this storage configured only for reading. Maybe this is a reason?

This is why you need to secure your server on kernel level and not app levels.
Fail2ban+iptables = kernel level
nextcloud = app

1 Like

Well, I have a 3-month-old VPS running Nextcloud. I have untrusted domain errors quite often and mostly the same domain. I bet it’s the old owner’s domain and still configured to IP, which is my server IP now. It can be misconfiguration also. Just wait and the errors will probably stop. If it’s made on purpose, that’s something I don’t know why…

1 Like

No, locking problems probably because of not using Redis.

2 Likes

Nextcloud bruteforce protection app is good enough until you regularly face bot actions. Also I think the app does not ban based on untrusted domain issues, just on wrong login authentication? Although it is not risky, the error messages are simply annoying I guess, thus you want to block them in the first place.

Fail2ban indeed is the more powerful complete solution. You can let it watch the nextcloud log and configure your own ban rules based on the error messages you face. When some specific bot/IP/error does not disappear, you can let iptables block it permanently.

I can post some fail2ban nextcloud jail later, that I successfully used some time ago.

1 Like

Thanks to all.
In Nextcloud I use only external storage, so I thought that I have enough free space in my ubuntu.
But I just found out that I probably ran out of free space.
I added some space; I’ll monitor logs.
Then I will try to use Redis, as you suggested.

Regarding the trusted domain, it depends what you want to do. If you want to access your cloud via the ip/different hostname as well, add the IP to your trusted hosts. If you don’t want to use the IP directly, you could either set up a virtual host for direct ip access (with an empty page), redirect them (htaccess & rewrite rules) or just keep the trusted domain errors.

@MichaIng, can you tell a little bit more about Fail2ban and Nextcloud?
I still receive warnings
https://i.imgur.com/LLtulFd.png

Check this out --> https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24

You must have firewall like iptables or something.

UPDATE: Just checked your logs, this is a Trusted Domain error, not like somebody tries to log in and it fails. You have to update Fail2Ban settings to check Trusted Domain Error too.
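
The difference between trusted domain errors and failed logins discussed above can be checked directly in nextcloud.log before writing any ban rule. This is an added example, not part of the original posts or the linked gist; the JSON `message` field and the message wording are assumed from typical Nextcloud log entries, and the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Message wording assumed from typical nextcloud.log entries; adjust to your log.
PATTERNS = {
    "trusted_domain": re.compile(
        r'^Trusted domain error\. "(?P<ip>[^"]+)" tried to access using "[^"]*" as host'),
    "login_failed": re.compile(
        r"^Login failed: '[^']*' \(Remote IP: '(?P<ip>[^']+)'\)"),
}

def triage(lines, threshold=3):
    """Return, per event kind, the source IPs seen more than `threshold` times."""
    counts = {kind: Counter() for kind in PATTERNS}
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        msg = entry.get("message") if isinstance(entry, dict) else None
        if not isinstance(msg, str):
            continue
        for kind, rx in PATTERNS.items():
            m = rx.match(msg)
            if m:
                # Key on the client IP only; the host value is attacker-chosen.
                counts[kind][m.group("ip")] += 1
    return {kind: sorted(ip for ip, n in c.items() if n > threshold)
            for kind, c in counts.items()}

def _line(message):
    # Constructed sample entry, not taken from a real log.
    return json.dumps({"level": 2, "app": "core", "message": message})

SAMPLE = (
    [_line('Trusted domain error. "203.0.113.7" tried to access using '
           '"old-owner.example" as host.')] * 5
    + [_line("Login failed: 'admin' (Remote IP: '198.51.100.9')")] * 4
    + [_line("Login failed: 'alice' (Remote IP: '192.0.2.10')")] * 2
    + ["not json at all"]
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The default threshold mirrors the "more than 3 times" rule mentioned earlier in the thread; the two kinds are reported separately so each can get its own ban rule.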

I much prefer configserver (csf) over fail2ban. Perhaps due to using it on many servers but I find it far more versatile and easy(ish) to configure/monitor.

apt install fail2ban default install just checks and blocks SSH authentications.

You don’t necessarily need iptables, it can also use the route table to block hosts/IPs. But not sure about the pros/cons in detail, both work reliably on kernel level. netfilter vs route tables basically.

As said to block Nextcloud specific authentication failures, you need to define an own fail2ban filter. I can check out later how to do that, including your trusted authentication error. That cries for a how-to actually :smiley:.
The link above is a start, but it only covers login failures (that are already handled by Nextcloud internal brute force protection), AFAIK, not the trusted domain errors, as mentioned above.
Would be great if we could provide a more complete filter+jail and add this to how-to + Nextcloud docs/resources.

Edit: I was digging in my personal docs and found my old Nextcloud login fail2ban config steps. Based on the actual log entries for trusted domain errors, this can be easily modified to block those as well: