There were some bruteforce attempts but they're strange


Nextcloud version (eg, 20.0.5): 27.0.2
Operating system and version (eg, Ubuntu 20.04): Linux 6.1.0-0.deb11.11-amd64 x86_64
Apache or nginx version (eg, Apache 2.4.25): linuxserver/nextcloud image
PHP version (eg, 7.4): 8.2.9
Docker image: linuxserver/nextcloud, linuxserver/mariadb, jc21/nginx-proxy-manager

The issue you are facing:

The log showed that the following brute force attack was in progress. They showed someone tried logging in through three logs, two Samsung Galaxy devices and Windows, but none of them are my IP and I have never used the Galaxy devices in the log.
If it were a brute force attack through the login page, fail2ban would have prevented it, but since nothing appears in the fail2ban status, it does not appear to be an attack on the login page.

My server is using a reverse proxy.

There are two accounts in this cloud. One is mine and one is my friend’s. I had chatted through Talk in the past, but I have not been using it recently, and the two Galaxy devices in the log are not the devices my friend uses.
The IP using Windows is from Seoul, South Korea, but we live in Korea, not in Seoul.

The URL in the log was /apps/spreed/, so I deleted the Talk app and took the server offline.

I’m not sure what talkroomtoken is exactly. Even when I searched on Google, nothing came up.

What I want to know is whether this was an attack targeting a vulnerability in Nextcloud, and how Nextcloud’s brute force protection system prevented this attack even though it was not on the login page.

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:

```
"remoteAddr":"182.172.56.228","user":"--","app":"core","method":"GET","url":"/apps/spreed/","message":"Bruteforce attempt from \"182.172.56.228\" detected for action \"talkRoomToken\".","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.2.1","data":{"app":"core"}
"remoteAddr":"182.172.56.228","user":"--","app":"no app in context","method":"GET","url":"/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: 182.172.56.228]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.2.1","data":[]

"remoteAddr":"172.59.96.181","user":"--","app":"core","method":"GET","url":"/apps/spreed/","message":"Bruteforce attempt from \"172.59.96.181\" detected for action \"talkRoomToken\".","userAgent":"Mozilla/5.0 (Linux; Android 13; SM-A326U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36","version":"27.0.2.1","data":{"app":"core"}
"remoteAddr":"172.59.96.181","user":"--","app":"no app in context","method":"GET","url":"/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: 172.59.96.181]","userAgent":"Mozilla/5.0 (Linux; Android 13; SM-A326U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36","version":"27.0.2.1","data":[]

"remoteAddr":"172.59.137.233","user":"--","app":"core","method":"GET","url":"/apps/spreed/","message":"Bruteforce attempt from \"172.59.137.233\" detected for action \"talkRoomToken\".","userAgent":"Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S911U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/22.0 Chrome/111.0.5563.116 Mobile Safari/537.36","version":"27.0.2.1","data":{"app":"core"}
"remoteAddr":"172.59.137.233","user":"--","app":"no app in context","method":"GET","url":"/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: 172.59.137.233]","userAgent":"Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S911U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/22.0 Chrome/111.0.5563.116 Mobile Safari/537.36","version":"27.0.2.1","data":[]
```
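One way to tally entries like the ones in the post above per brute-force action and source IP, so that `talkRoomToken` hits can be told apart from login attempts. This is an added example, not part of the original post and not Nextcloud's own code; the sample entries (documentation IPs, placeholder user agents, the extra `login` entry) are constructed and the function names are hypothetical. It accepts both full one-object-per-line JSON and brace-less fragments as pasted in the post.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the fragments above (documentation IPs,
# placeholder user agents); the "login" entry is added to show a second action.
SAMPLE = r'''
"remoteAddr":"203.0.113.7","user":"--","app":"core","method":"GET","url":"/apps/spreed/","message":"Bruteforce attempt from \"203.0.113.7\" detected for action \"talkRoomToken\".","userAgent":"UA-A","version":"27.0.2.1","data":{"app":"core"}
"remoteAddr":"203.0.113.7","user":"--","app":"core","method":"GET","url":"/apps/spreed/","message":"Bruteforce attempt from \"203.0.113.7\" detected for action \"talkRoomToken\".","userAgent":"UA-A","version":"27.0.2.1","data":{"app":"core"}
"remoteAddr":"203.0.113.7","user":"--","app":"no app in context","method":"GET","url":"/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: 203.0.113.7]","userAgent":"UA-A","version":"27.0.2.1","data":[]
{"remoteAddr":"198.51.100.20","user":"--","app":"core","method":"POST","url":"/login","message":"Bruteforce attempt from \"198.51.100.20\" detected for action \"login\".","userAgent":"UA-B","version":"27.0.2.1","data":{"app":"core"}}
this line is not a log entry
'''

ATTEMPT = re.compile(r'Bruteforce attempt from "(?P<ip>[^"]+)" detected for action "(?P<action>[^"]+)"')
THROTTLE = re.compile(r'IP address throttled .*\[action: (?P<action>[^,\]]+), delay: (?P<delay>\d+), ip: (?P<ip>[^\]]+)\]')

def parse_entry(line):
    """Return one log entry as a dict, or None if the line is not JSON."""
    line = line.strip()
    if not line:
        return None
    if not line.startswith("{"):          # brace-less fragment, as pasted in the post
        line = "{" + line + "}"
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None

def summarize(text):
    """Group brute-force log messages by (action, ip)."""
    stats = defaultdict(lambda: {"attempts": 0, "throttled": 0, "max_delay": 0,
                                 "urls": set(), "user_agents": set()})
    for line in text.splitlines():
        entry = parse_entry(line)
        msg = entry.get("message") if entry else None
        if not isinstance(msg, str):       # exception entries carry a non-string message
            continue
        attempt, throttle = ATTEMPT.search(msg), THROTTLE.search(msg)
        hit = attempt or throttle
        if not hit:
            continue
        s = stats[(hit["action"], hit["ip"])]
        s["attempts"] += 1 if attempt else 0
        if throttle:
            s["throttled"] += 1
            s["max_delay"] = max(s["max_delay"], int(throttle["delay"]))
        s["urls"].add(entry.get("url", ""))
        s["user_agents"].add(entry.get("userAgent", ""))
    return dict(stats)

if __name__ == "__main__":
    for (action, ip), s in sorted(summarize(SAMPLE).items()):
        print(action, ip, s["attempts"], s["throttled"], s["max_delay"], sorted(s["urls"]))
```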