What are the rules of the bruteforce detection?

Nextcloud version: 11.0.3
Operating system and version: Debian 8.7
Apache or nginx version: nginx 1.10.3
PHP version: 5.6.30

The issue you are facing:

I don’t understand the rules for detecting bruteforce attempts. I cleaned my oc_bruteforce_attempts table and just started the Nextcloud app on Android (nothing more). My IP was then logged into this table.

I can’t add a whitelist for all the IPs of my users. I would prefer to keep this feature on, as it seems pretty useful in case of real bruteforce attempts.

Thanks!

It happens when a client tries to authenticate with an invalid password. You will likely find the client in question most easily by enabling the admin audit log and setting the log level to info.

Thanks! I found the culprit: GNOME Online Accounts (GOA) was still trying to log in with my previous ownCloud credentials.
Re-did a new “ownCloud” account in GOA and it works fine now.

That being said, are the entries in oc_bruteforce_attempts deleted after some time? Because I had up to 900 entries in that table and I have only had a Nextcloud server for less than a year.
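
One way to do the triage suggested in the reply in this thread, as an added example (not part of the original posts and not Nextcloud's own code): the script groups failed logins in a JSON-lines log by source IP and user name, so a misconfigured client stands out. The `message` format, the field names and the sample lines are assumptions constructed for illustration; adjust the regular expression to what your log actually contains.

```python
import json
import re

# Assumed wording of a failed-login message; adapt it to your own log.
FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)")

# Constructed sample lines (not from a real server); the last one is truncated on purpose.
SAMPLE_LOG = """
{"remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')","level":2,"time":"2017-05-02T08:00:01+00:00"}
{"remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')","level":2,"time":"2017-05-02T08:05:01+00:00"}
{"remoteAddr":"198.51.100.20","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.20')","level":2,"time":"2017-05-02T08:06:30+00:00"}
{"remoteAddr":"203.0.113.7","app":"files","message":"unrelated entry","level":1,"time":"2017-05-02T08:07:00+00:00"}
{"remoteAddr":"203.0.113.7","app":"core","message":"Login fai
"""

def failed_logins(lines):
    """Return {(ip, user): {"count", "first", "last"}} for failed-login entries."""
    stats = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(entry, dict):
            continue
        match = FAILED.search(str(entry.get("message", "")))
        if not match:
            continue
        key = (match.group("ip"), match.group("user"))
        when = entry.get("time", "")
        rec = stats.setdefault(key, {"count": 0, "first": when, "last": when})
        rec["count"] += 1
        rec["last"] = when  # log lines are appended in time order
    return stats

def report(stats):
    """Format one row per (ip, user), most failures first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip}  {user}  {r['count']}  {r['first']} .. {r['last']}"
            for (ip, user), r in rows]

if __name__ == "__main__":
    for row in report(failed_logins(SAMPLE_LOG.splitlines())):
        print(row)
```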