Nextcloud version (eg, 20.0.5): Nextcloud Hub 3 (25.0.10)
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.6 LTS
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.41
PHP version (eg, 7.4): 7.4.3
The issue you are facing:
I get the following notification
A new login into your account was detected. The IP address 192.168.1.1 was classified as suspicious.
What I don’t understand is how a login appears to come from my router. I would expect to see local IP addresses other than that one.
Is this the first time you’ve seen this error? (Y/N): N
Steps to replicate it:
I don’t have exact steps other than to enable the Suspicious Login app.
The output of your Nextcloud log in Admin > Logging:
{"reqId":"EK4I7BBlBZSEPpGHWNUZ","level":2,"time":"2023-08-25T17:08:01+00:00","remoteAddr":"192.168.1.1","user":"dbolton","app":"suspicious_login","method":"GET","url":"/index.php/apps/news/api/v1-2/items/updated?type=3&lastModified=1692895528","message":"Detected a login from a suspicious login. user=dbolton ip=192.168.1.1 strategy=ipv4","userAgent":"okhttp/4.10.0","version":"25.0.10.1","data":{"app":"suspicious_login"},"id":"64ebe0d1ebb36"}
{"reqId":"zzojD7Mw9gM1ZjxhONYV","level":2,"time":"2023-08-25T04:43:32+00:00","remoteAddr":"192.168.1.1","user":"dbolton","app":"suspicious_login","method":"PROPFIND","url":"/remote.php/dav/addressbooks/users/dbolton/default/","message":"Detected a login from a suspicious login. user=dbolton ip=192.168.1.1 strategy=ipv4","userAgent":"DAVx5/4.3.5.2-ose (2023/08/12; dav4jvm; okhttp/4.11.0) Android/12","version":"25.0.10.1","data":{"app":"suspicious_login"},"id":"64ebe1f6bac65"}
Note: this error reoccurs frequently (sometimes multiple times per minute, some days not at all). URLs and usernames vary.
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => '###',
  'passwordsalt' => '###',
  'secret' => '###',
  'trusted_domains' =>
  array (
    0 => '192.168.1.167',
    1 => '###.com',
    2 => '###.###.com',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'https://###.###.com/',
  'htaccess.RewriteBase' => '/',
  'dbtype' => 'mysql',
  'version' => '25.0.10.1',
  'dbname' => 'oc',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_###',
  'dbpassword' => '###',
  'loglevel' => 2,
  'log_rotate_size' => 104857600,
  'logtimezone' => 'UTC',
  'installed' => true,
  'theme' => '',
  'maintenance' => true,
  'updatechecker' => false,
  'singleuser' => false,
  'updater.server.url' => 'https://updates.nextcloud.com/updater_server/',
  'updater.release.channel' => 'stable',
  'data-fingerprint' => '###',
  'mysql.utf8mb4' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '###',
  'mail_domain' => '###.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.zoho.com',
  'mail_smtpport' => '465',
  'mail_smtpname' => '###@###.com',
  'mail_smtppassword' => '###',
  'default_phone_region' => 'US',
);
The output of your Apache/nginx/system log in /var/log/____:
[Mon Aug 28 00:00:06.525417 2023] [http2:warn] [pid 799] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Mon Aug 28 00:00:06.736936 2023] [mpm_prefork:notice] [pid 799] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Mon Aug 28 00:00:06.736965 2023] [core:notice] [pid 799] AH00094: Command line: '/usr/sbin/apache2'
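An added example, not part of the original post: a triage script for `nextcloud.log` entries like the ones quoted above. It groups `suspicious_login` warnings by the evaluated address and client, and marks RFC 1918 addresses such as 192.168.1.1. The sample lines, user names and the 203.0.113.7 address are constructed; only the field names and message format come from the post.

```python
import ipaddress
import json
import re
from collections import Counter

# RFC 1918 ranges, listed explicitly (ipaddress.is_private covers more than these).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MSG_RE = re.compile(r"user=(\S+) ip=(\S+) strategy=(\S+)")

# Constructed sample lines; the last one is deliberately truncated.
SAMPLE_LOG = """\
{"level":2,"remoteAddr":"192.168.1.1","user":"alice","app":"suspicious_login","message":"Detected a login from a suspicious login. user=alice ip=192.168.1.1 strategy=ipv4","userAgent":"okhttp/4.10.0"}
{"level":2,"remoteAddr":"192.168.1.1","user":"alice","app":"suspicious_login","message":"Detected a login from a suspicious login. user=alice ip=192.168.1.1 strategy=ipv4","userAgent":"okhttp/4.10.0"}
{"level":2,"remoteAddr":"203.0.113.7","user":"bob","app":"suspicious_login","message":"Detected a login from a suspicious login. user=bob ip=203.0.113.7 strategy=ipv4","userAgent":"Mozilla/5.0"}
{"level":1,"remoteAddr":"192.168.1.1","user":"alice","app":"core","message":"unrelated entry","userAgent":"okhttp/4.10.0"}
{"level":2,"remoteAddr":"192.168.1.1","app":"suspicious_lo
"""

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def triage(log_text):
    """Return (Counter keyed by (ip, is_rfc1918, userAgent), skipped line count)."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or otherwise unparseable line
            continue
        if not isinstance(entry, dict) or entry.get("app") != "suspicious_login":
            continue
        m = MSG_RE.search(entry.get("message", ""))
        # Prefer the address named in the message; fall back to remoteAddr.
        ip = m.group(2) if m else entry.get("remoteAddr", "?")
        counts[(ip, is_rfc1918(ip), entry.get("userAgent", "?"))] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = triage(SAMPLE_LOG)
    for (ip, private, agent), n in counts.most_common():
        print(f"{n:4d}  {ip:15s} {'RFC1918' if private else 'other':8s} {agent}")
    print(f"skipped {skipped} unparseable line(s)")
```

To run it on a real log, pass the file's contents to `triage()`; the per-client counts show which devices sit behind the address Nextcloud recorded.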