Suspicious Login - Permanent Notification after change of IPv4 address range

Hi,
few weeks ago i installed the app “Suspicious Login”. Meanwhile that app collected enough data (statistic data is available in admin settings). So far so good.

Over two weeks ago i changed my contract of my internet provider and i got a new “IPv4 range/address”, which seems to defer to the previous one. Now, every time i login to nextcloud, i get a notification for a potentially suspicious login.

Is it possible to relearn the algorithm but only for my user login (there are other users set up at my NC system)?

Regards,
mat33

You can go to Configuration - Security, and try to whitelist your new IP range.
Another option would be to completely uninstall the app and then reinstall it so that it does the complete learning again.

I hope this works for you.

@SrOscuro : Thanks for your suggestion. I tried that today. Around midday i deinstalled the app completely and installed it again afterwards. Now, in the evening i logged in and got the same notification / email about a unusual login attempt.

I guess the app is storing the trained data about IP adresses and other things in the database. Therefore the reinstall app is using the same data again.

Whitelisting of my IP adress or range does not make sense in my opinion because a range is “too much whitelisted”, and a single IP adress could be another every day, assigned by my internet provider.

Now i read about a command to train the system, i will try that ( https://github.com/nextcloud/suspicious_login ):

php -f occ suspiciouslogin:train

Thanks to the app “OCCweb” the execution of that command is also possible with my cloud provider instance.

I will write about the results in this thread so more users get that information.

The train-command helped me with my problem!
php -f occ suspiciouslogin:train

After the command finished its work I logged me out and in again and I got no such descripted notification anymore.

Thanks for this hint! I’ve been looking for the reason for this message. I am receiving this message as well from time to time, and when it happens, it is always related to my mobile phone, on which I use CalDAV/CardDAV. Digging the “suspicious” IP, I always was able to trace it back to my mobile net provider. So I guess it happens when my phone was assigned another IP between two CalDAV synchronizations.

One thing bothers me a bit, though: when the app has sent its message, a suspicious login has already taken place. Is there any way of making this app send its message before the suspicious login is granted?

Hi @weka. I don’t know, if this is possible.

Is there any way of making this app send its message before the suspicious login is granted?

What is the difference to “after login”? In both cases that user has access to the account. Or do you think about “IP was suspicious → login is not granted → the user has to allow this specific login in other way”?

to my mobile phone, on which I use CalDAV/CardDAV.

Do you use an app password or the web-login password? I don’t know how that addon works but maybe it checks only the IP during a web-login, not if using sync with app password.

What is the difference to “after login”? In both cases that user has access to the account.

Yes, that’s right. The difference is made by the time that passes between the login and the sending of the message:

If the “suspicious login” is an unwanted login, and if by any chance the attacker manages to keep the mail system from sending the mail once he is logged in, the rightful owner will never know about this.

But if the message is send before the suspicious login process is finished, that message will be on its way long before any action can be taken against its sending.

Good point, I have no answer to this. Maybe someone else?