Whitelist Dynamic IP

Hi,

Is it possible to whitelist dynamic IP with a service like NoIP or Dyndns?

thank you

Hi,

Could you please explain, what you would like to achieve and what whitelist (a whitelist for what exactly) you mean?

Hi,

When a user wants to connect from my home IP (public one) he often gets the message that login is throttled.

I see, so the brute force detection kicks in and slows down login processes. This is actually a nice and security-wise important feature. I wouldn’t weaken it by defining bigger whitelist ranges - which would definitely be necessary.

I would rather ask the user to check their clients to use the correct login credentials (so that the brute force detection is not triggered again) and then clean the database table from the detected IP addresses.
You can check the found IP addresses with this MySQL query:

select date_format(from_unixtime(ocb.occurred),'%e %b %Y %H:%i:%s') as OCCURRENCE, ocb.* from oc_bruteforce_attempts ocb;

You can then either delete specific IP addresses:
DELETE FROM oc_bruteforce_attempts WHERE ip = '37.252.14.21';
or clean the whole table:
DELETE FROM oc_bruteforce_attempts;


If you definitely want to walk the whitelist path - which I don’t suggest to do - you can login as admin, go to “Settings -> Security”, scroll down to “Brute-force IP whitelist” and enter the network you want to whitelist.
To find out the network you need to whitelist, you can search on the Internet for the IP ranges of the Internet Service Provider your user is using.
When you have found the IP range (network), or if you have to guess, you can enter the network in the admin section; like:
37.252.0.0/16 or
37.252.16.0/20

Thank you for your response,

I was thinking to whitelist only my public IP and not the whole network, but I guess it’s not possible with a dynamic one.

So I will ask my users to get the login from the first time xd

Well the whitelisting should not be for your IP address but for the IP addresses of your clients :wink:

A short explanation:

  • your server has the IP 90.90.90.90 for example
  • client A has IP 10.10.10.10
  • client B has IP 20.20.20.20

Now client A tries to login and enters the wrong password about 5 times within 30 seconds and therefore the IP address 10.10.10.10 is written to the DB table oc_bruteforce_attempts. So with the 5th login attempt he receives an error message stating that throttling is enabled for him, meaning that he has to wait several seconds before he can enter his login credentials again (default 30s I believe). In case he still has the same IP address 10.10.10.10 the next day, when he connects to your server he again has to wait 30s before he can even enter his login credentials for the very first time that day.
For client B on the other hand everything is still fine, he can instantly enter his credentials when visiting your server.
As soon as you remove the IP 10.10.10.10 from the DB or add it to the whitelist, the throttling will stop for client A. However, as soon as he restarts his router, his IP will change and in case he enters the wrong credentials too often again, the brute force detection will add the new (not whitelisted) IP to the DB table as well and activate throttling for him again. Therefore the whole network would have to be whitelisted - which is kind of a security flaw.

So he better fixes his sync clients (files, calendar, contacts) to use the correct credentials, you remove his IP from the DB table and everything should be fine again :slight_smile:
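The throttling behaviour described in the post above, as an added illustrative model (not Nextcloud's own code): failed logins are counted per IP until the row is cleared, a whitelisted network is never recorded, and `whitelist_exposure` shows how many addresses a CIDR entry exempts. The threshold of 5 attempts and the 30 s delay are assumptions taken from the thread.

```python
import ipaddress
from collections import defaultdict

MAX_ATTEMPTS = 5             # assumed: the "about 5 times" from the thread
THROTTLE_DELAY_SECONDS = 30  # assumed: the "default 30s" mentioned in the thread


class BruteForceGuard:
    """Keeps failed-login counts per IP (the role of oc_bruteforce_attempts)."""

    def __init__(self, whitelist=()):
        # whitelist entries are CIDR networks, e.g. "37.252.0.0/16"
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.attempts = defaultdict(int)  # ip -> number of recorded failures

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failure(self, ip):
        # Whitelisted clients are never written to the table.
        if not self.is_whitelisted(ip):
            self.attempts[ip] += 1

    def delay_for(self, ip):
        """Seconds the client must wait before its next login attempt.
        Rows persist until cleared, so the delay still applies the next day."""
        if self.is_whitelisted(ip) or self.attempts[ip] < MAX_ATTEMPTS:
            return 0
        return THROTTLE_DELAY_SECONDS

    def clear(self, ip):
        """Same effect as DELETE FROM oc_bruteforce_attempts WHERE ip = ..."""
        self.attempts.pop(ip, None)


def whitelist_exposure(cidr):
    """Number of addresses a whitelist entry exempts from detection."""
    return ipaddress.ip_network(cidr).num_addresses


def scenario():
    """Client A fails 5 times, client B is unaffected, clearing the row fixes A."""
    guard = BruteForceGuard()
    for _ in range(MAX_ATTEMPTS):
        guard.record_failure("10.10.10.10")
    throttled = guard.delay_for("10.10.10.10")
    client_b = guard.delay_for("20.20.20.20")
    guard.clear("10.10.10.10")
    return throttled, client_b, guard.delay_for("10.10.10.10")
```

With `BruteForceGuard(["37.252.0.0/16"])`, any of the 65536 addresses in that range can fail indefinitely without ever being throttled, which is the weakening the post warns about.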

Thank you for the explanation,

I mean by my IP the public IP from my home. The server is on a different network and has its own public IP.

but it’s indeed one user or more that gives wrong credentials and the whole network is going to be throttled.


My NextCloud server is within the local network in my home and is not accessible directly from the Internet.

I also have an Apache web server and use it as a reverse proxy to the NextCloud server.

I registered with deSEC for a free account and got a Let’s Encrypt certificate for my site using their instructions.

I also have the web server redirect all HTTP traffic (port 80) to the HTTPS port (443).

Finally I white-listed my public address in NextCloud.

My solution: I set my nextcloud on his own network, isolated from my home network. No problems anymore.