Suspicious login from router IP

Nextcloud version (eg, 20.0.5): Nextcloud Hub 3 (25.0.10)
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.6 LTS
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.41
PHP version (eg, 7.4): 7.4.3

The issue you are facing:

I get the following notification:

A new login into your account was detected. The IP address was classified as suspicious.

What I don’t understand is how a login appears to come from my router. I would expect to see local IP addresses other than that one.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:
I don’t have exact steps other than to enable the Suspicious Login app.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"EK4I7BBlBZSEPpGHWNUZ","level":2,"time":"2023-08-25T17:08:01+00:00","remoteAddr":"","user":"dbolton","app":"suspicious_login","method":"GET","url":"/index.php/apps/news/api/v1-2/items/updated?type=3&lastModified=1692895528","message":"Detected a login from a suspicious login. user=dbolton ip= strategy=ipv4","userAgent":"okhttp/4.10.0","version":"","data":{"app":"suspicious_login"},"id":"64ebe0d1ebb36"}
{"reqId":"zzojD7Mw9gM1ZjxhONYV","level":2,"time":"2023-08-25T04:43:32+00:00","remoteAddr":"","user":"dbolton","app":"suspicious_login","method":"PROPFIND","url":"/remote.php/dav/addressbooks/users/dbolton/default/","message":"Detected a login from a suspicious login. user=dbolton ip= strategy=ipv4","userAgent":"DAVx5/ (2023/08/12; dav4jvm; okhttp/4.11.0) Android/12","version":"","data":{"app":"suspicious_login"},"id":"64ebe1f6bac65"}

Note: this error reoccurs frequently (sometimes multiple times per minute, some days not at all). URLs and usernames vary.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '###',
  'passwordsalt' => '###',
  'secret' => '###',
  'trusted_domains' => 
  array (
    0 => '',
    1 => '',
    2 => '',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => '',
  'htaccess.RewriteBase' => '/',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'oc',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_###',
  'dbpassword' => '###',
  'loglevel' => 2,
  'log_rotate_size' => 104857600,
  'logtimezone' => 'UTC',
  'installed' => true,
  'theme' => '',
  'maintenance' => true,
  'updatechecker' => false,
  'singleuser' => false,
  'updater.server.url' => '',
  '' => 'stable',
  'data-fingerprint' => '###',
  'mysql.utf8mb4' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '###',
  'mail_domain' => '',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => '',
  'mail_smtpport' => '465',
  'mail_smtpname' => '',
  'mail_smtppassword' => '###',
  'default_phone_region' => 'US',
);

The output of your Apache/nginx/system log in /var/log/____:

[Mon Aug 28 00:00:06.525417 2023] [http2:warn] [pid 799] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Mon Aug 28 00:00:06.736936 2023] [mpm_prefork:notice] [pid 799] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Mon Aug 28 00:00:06.736965 2023] [core:notice] [pid 799] AH00094: Command line: '/usr/sbin/apache2'


Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

  • Does this happen only when accessing your instance from your local network?
  • Do you access your NC instance via only one URL or use a different one depending on location?
  • Do any of your nextcloud.log entries have a different IP address than the ones you listed ("remoteAddr":"")?
  • Any subnetting of 192.168.1.x?
  • Do you have a reverse proxy?
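
One way to answer the nextcloud.log question above, as an added example that is not part of the original thread: tally the suspicious_login records by remoteAddr and user agent to see whether every flagged request carries the same LAN address. The function names and the sample records are assumptions constructed for illustration; the field names follow the log lines pasted above.

```python
import ipaddress
import json
from collections import Counter

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation ranges, which would mislabel the constructed sample below.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label a remoteAddr value as lan, loopback, other or unparsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"  # empty or redacted field, as in the pasted log
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in LAN_NETS):
        return "lan"
    return "other"

def tally_suspicious(lines):
    """Count suspicious_login entries per (remoteAddr, class, userAgent)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log record
        if not isinstance(entry, dict) or entry.get("app") != "suspicious_login":
            continue
        addr = entry.get("remoteAddr", "")
        counts[(addr, classify(addr), entry.get("userAgent", ""))] += 1
    return counts

def single_source(counts):
    """Return the one address behind every flagged entry, else None."""
    addrs = {addr for addr, _, _ in counts}
    return addrs.pop() if len(addrs) == 1 else None

# Constructed sample records (addresses and agents are made up).
SAMPLE_LOG = [
    '{"remoteAddr":"192.168.1.1","app":"suspicious_login","userAgent":"okhttp/4.10.0"}',
    '{"remoteAddr":"192.168.1.1","app":"suspicious_login","userAgent":"okhttp/4.10.0"}',
    '{"remoteAddr":"192.168.1.1","app":"suspicious_login","userAgent":"DAVx5"}',
    '{"remoteAddr":"203.0.113.7","app":"core","userAgent":"curl"}',
    'not a json line',
]
```

To run it against a real log, pass the open nextcloud.log file object to `tally_suspicious` in place of `SAMPLE_LOG`.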