Nextcloud version: 26.0.1
Operating system and version: Debian 11
Apache or nginx version: Apache 2.4.56-1
PHP version: 8.1.18
The issue you are facing:
Hi,
I’ve recently noticed some strange login attempts in my logs:
{"reqId":"ZEx1ieQ5D1RETtASJAONNgAAAJg","level":2,"time":"2023-04-29T01:40:25+00:00","remoteAddr":"20.121.119.77","user":"--","app":"core","method":"GET","url":"/system/console?.css","message":"Login failed: 'admin' (Remote IP: '20.121.119.77')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36","version":"26.0.0.11","data":{"app":"core"}}
{"reqId":"ZE1wUQ8gcXmhfWqsNUaJrwAAAA4","level":2,"time":"2023-04-29T19:30:25+00:00","remoteAddr":"20.121.119.77","user":"--","app":"core","method":"GET","url":"/api/v3/users","message":"Login failed: 'rocketskates' (Remote IP: '20.121.119.77')","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36","version":"26.0.0.11","data":{"app":"core"}}
I have never had/created a user called rocketskates on my server. Nor have I ever tried to log in using something like this.
The same goes for admin as far as I know. I use nextcloud-pi and the default admin user is ncp, not admin.
I looked up the IP that both of these requests came from and it seems that it’s from a machine in the United States.
My server is not based in the US, I have never been to the US, nor do I know anybody from the US.
Also, the number of people who know about my server (and the hostname) is limited.
What can I do to protect myself from this attack (and future ones)?
Any advice is helpful!
Thanks!
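
Added example, not part of the original post and not Nextcloud's own code: one way to triage entries like the two above is to parse the JSON log, pull out the "Login failed" records, and group them by source IP, separating usernames that do not exist on the server from real ones. The function names, the `known_users` set and the third sample record are assumptions made for illustration; the first two records are the post's log lines trimmed to the fields used.

```python
import json
import re
from collections import defaultdict

# Nextcloud writes one JSON object per line; failed logins use this message text.
LOGIN_FAILED = re.compile(r"^Login failed: '(?P<user>.*)' \(Remote IP: '(?P<ip>[^']+)'\)$")

def failed_logins(lines):
    """Yield (time, ip, username, url) for every failed-login record."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        m = LOGIN_FAILED.match(str(rec.get("message", "")))
        if m:
            yield rec.get("time"), m["ip"], m["user"], rec.get("url")

def summarize(lines, known_users):
    """Group failures by source IP; split attempted names into known and unknown."""
    report = defaultdict(lambda: {"count": 0, "urls": set(),
                                  "known_users": set(), "unknown_users": set()})
    for _time, ip, user, url in failed_logins(lines):
        entry = report[ip]
        entry["count"] += 1
        entry["urls"].add(url)
        entry["known_users" if user in known_users else "unknown_users"].add(user)
    return dict(report)

# Records 1-2: from the post, trimmed. Record 3: constructed (documentation IP,
# a real user mistyping a password). Last item: constructed truncated line.
SAMPLE = [json.dumps(r) for r in [
    {"time": "2023-04-29T01:40:25+00:00", "url": "/system/console?.css",
     "message": "Login failed: 'admin' (Remote IP: '20.121.119.77')"},
    {"time": "2023-04-29T19:30:25+00:00", "url": "/api/v3/users",
     "message": "Login failed: 'rocketskates' (Remote IP: '20.121.119.77')"},
    {"time": "2023-04-30T08:00:00+00:00", "url": "/login",
     "message": "Login failed: 'ncp' (Remote IP: '203.0.113.10')"},
]] + ['{"time":"2023-04-30T08:01:00+00:00","mess']

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE, known_users={"ncp"}).items():
        print(ip, info["count"], sorted(info["unknown_users"]), sorted(info["urls"]))
```

An IP whose failures all name accounts that do not exist, against URLs that are not Nextcloud's login page, looks like generic automated probing rather than someone guessing this server's real accounts.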