Users getting disabled due to invalid login attempts from `passwords` app

mpractic · March 13, 2024, 6:12pm

Nextcloud version: 28.0.3
Operating system and version: Ubuntu 22.04.4 LTS
Apache or nginx version : 2.4.52
PHP version: 8.3

Last week one user reported being disabled. As I’m the only admin, I’ve checked and he was in fact disabled but I didn’t do it. I reactivated the user and a couple days after the same thing happened again. Today the issue become more worrying as two more users got randomly disabled, one of those myself. I got access again via occ user:enable.

Today I was sharing the same IP with the other user that got disabled, and it happened like 15 times in an hour. Our IP was whitelisted on bruteforce protection when this happened.

We both were using floccus and passwords plug-in on Firefox, client for windows and nextcloud app and password app on 2 different iOS devices. Sometimes we get blocked by bruteforce for too many requests, so we have the IP whitelisted. When I was alone on the network I got blocked again.

Is this the first time you’ve seen this error? (Y/N): No

The output the config.php file:

<?php  
  $CONFIG = array (
  'instanceid' => 'XXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXX',
  'secret' => 'XXXXXXXXXX+Zd88wbBohHlePzh67o',
  'trusted_domains' =>
  array (
    0 => 'www.XXXXXXXXXX.cat',
    1 => 'XXXXXXXXXX.cat',
  ),
  'datadirectory' => '/mnt/disk/data',
  'overwrite.cli.url' => 'https://XXXXXXXXXX.cat',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXXXXXX',
  'dbpassword' => 'XXXXXXXXXX',
  'installed' => true,
  'htaccess.RewriteBase' => '/',
  'mail_from_address' => 'XXXXXXXXXX',
  'mail_smtpmode' => 'php',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'XXXXXXXXXX.cat',
  'session_keepalive' => false,
  'session_lifetime' => 3600,
  'remember_login_cookie_lifetime' => 86400,
  'maintenance' => false,
  'updater.release.channel' => 'stable',
  'theme' => '',
  'loglevel' => 0,
  'app.mail.verify-tls-peer' => false,
  'app.mail.imap.timeout' => 60,
  'app.mail.smtp.timeout' => 30,
  'overwriteprotocol' => 'https',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0,
    'password' => 'XXXXXXXXXX',
    'dbindex' => 0,
  ),
  'default_phone_region' => 'ES',
  'mysql.utf8mb4' => true,
  'app_install_overwrite' =>
  array (
    0 => 'impersonate',
    1 => 'forms',
  ),
  'maintenance_window_start' => 1,
);

The security and config check doesn’t give me any error and I’m quite lost on what to do. Any clues?

Thanks.

mpractic · March 13, 2024, 8:04pm

Just to give some more info:
My user has been disabled again when I was using another computer in a different place, with nobody connected to nextcloud from the previous IP. I’ve enabled my user from occ and it got blocked like 3 more times in less than 30min.

Any hint would be really helpful! Thanks in advance.

jtr · March 13, 2024, 11:20pm

This doesn’t sound like Brute force protection.

BPF isn’t applicable unless the source IP addresses in question are generating invalid login requests.
It’s not a rate limit for valid logins/sessions. It also doesn’t disable accounts, but operates on an IP basis only.

If BPF is triggered, and you hit the most serious level, there will be log entries (at the INFO level) that say IP address blocked because it reached the maximum failed attempts in the last 30 minutes. But it won’t touch the user account.

Do you by chance have the password_policy app in-use?

Check Administration settings->Security under the Password Policy heading. That does have the ability to disable users after X invalid login attempts (but it’s not set that way by default).

mpractic · March 14, 2024, 12:21am

I’ve got the password_policy app active, yes. It’s set to 6 failed attempts before blocking the user.

I’ve noticed these warnings appear on the log every 1 minute, so I get just 6 minutes before getting banned. You really helped to figure it out, thanks a lot.

[core] Warning: Login failed: 'me' (Remote IP: '83.43.xx.xx')
	POST /index.php/apps/passwords/api/1.0/password/show
	from 83.43.xx.xx by -- at march 14 2024, 1:12:04

I’ve tried disabling the floccus and passwords plugin on the browser, the Windows and iOS clients, and with only one browser opened this is still happening, so it must be the web passwords app.

Do you know how I could fix it?

jtr · March 14, 2024, 4:29pm

I agree it looks like it’s something that calls the passwords app’s API. I don’t use it so I’m not sure off-hand. There may be a clue in some other nearby Nextcloud log entries that include the User-Agent information.

mpractic · March 14, 2024, 5:09pm

Thanks for keeping an eye on this!

Maybe an entry like this one?

{
  "reqId": "LHib0orwcMEfymomp077",
  "level": 2,
  "time": "2024-03-14T16:45:18+00:00",
  "remoteAddr": "83.43.xx.xx",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "/ocs/v2.php/cloud/user",
  "message": "Login failed: 'me' (Remote IP: '83.43.xx.xx')",
  "userAgent": "Mozilla/5.0 (iOS) Nextcloud-iOS/5.2.1",
  "version": "28.0.3.2",
  "data": {
    "app": "core"
  },
  "id": "65f32c076f2f7"
}

I’ve got a few like this. Today I tried not using the web interface and I’ve only accessed it to check the logs (2-3 minutes, not more to avoid triggering the issue). I’ve used Nextcloud through the phone (passwords and Nextcloud app), the Nextcloud App from Windows and floccus and passwords plugins from Firefox. I haven’t been banned in all day, so it has to be related to the web interface.