nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Bruteforce Logins blocks everything, ignores whitelist, and still operates despite being disabled #39988

Closed webartifex closed 1 year ago

webartifex commented 1 year ago


Bug description

Hi there,

the title describes it all.

I have had this bug in the past every once in a while and restarting the Ubuntu server with NC on solved it.

But as of today, v27.0.2, I cannot log in to the web GUI any more. All other clients luckily continue to work.

What should I do? How can I help the maintainers to help me?

Thanks, Alex

Steps to reproduce

n/a

Expected behavior

I expect the shipped apps to be truly disabled when disabled in the apps menu.

Installation method

None

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "version": "27.0.2.1",
        "installed": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "getraenkemarkt.cloud"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/getraenkemarkt.cloud",
        "overwritehost": "getraenkemarkt.cloud",
        "overwriteprotocol": "https",
        "htaccess.RewriteBase": "\/",
        "dbtype": "pgsql",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "5432",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "filelocking.enabled": true,
        "maintenance": false,
        "maintenance_window_start": 2,
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\PNG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\AVI",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP3",
            "OC\\Preview\\MP4",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\PDF",
            "OC\\Preview\\TXT"
        ],
        "preview_max_memory": 4096,
        "preview_max_filesize_image": 256,
        "preview_max_x": 2560,
        "preview_max_y": 1440,
        "jpeg_quality": 80,
        "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/exiftool-bin\/exiftool-amd64-glibc",
        "memories.ffmpeg_path": "\/usr\/bin\/ffmpeg",
        "memories.ffprobe_path": "\/usr\/bin\/ffprobe",
        "memories.transcoder": "\/var\/www\/nextcloud\/apps\/memories\/exiftool-bin\/go-vod-amd64",
        "memories.no_transcode": false,
        "memories.qsv": false,
        "allow_local_remote_servers": true,
        "allow_user_to_change_display_name": false,
        "defaultapp": "side_menu",
        "default_language": "en",
        "default_locale": "en_IE",
        "default_phone_region": "DE",
        "logtimezone": "Europe\/Berlin",
        "knowledgebaseenabled": false,
        "trashbin_retention_obligation": "auto, 31",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [
            "users"
        ],
        "debug": false,
        "theme": "",
        "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/exiftool-bin\/go-vod-amd64",
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "loglevel": 0,
        "app_install_overwrite": [
            "facerecognition",
            "logreader",
            "news"
        ]
    }
}

List of activated Apps

Enabled:
  - calendar: 4.4.4
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - cloud_py_api: 0.1.8
  - contacts: 5.3.2
  - dashboard: 7.7.0
  - dav: 1.27.0
  - external: 5.2.0
  - facerecognition: 0.9.20
  - federatedfilesharing: 1.17.0
  - files: 1.22.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - gpoddersync: 3.8.1
  - impersonate: 1.14.0
  - integration_github: 2.0.6
  - integration_gitlab: 1.0.18
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mail: 3.2.6
  - mediadc: 0.3.6
  - memories: 5.4.1
  - news: 23.0.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - previewgenerator: 5.3.0
  - provisioning_api: 1.17.0
  - recognize: 4.3.2
  - richdocuments: 8.1.1
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - side_menu: 3.10.3
  - spreed: 17.0.3
  - tasks: 0.15.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - unroundedcorners: 1.0.9
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - activity: 2.19.0 (installed 2.17.0)
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0 (installed 2.7.0)
  - comments: 1.17.0 (installed 1.15.0)
  - contactsinteraction: 1.8.0 (installed 1.6.0)
  - encryption: 2.15.0
  - federation: 1.17.0 (installed 1.15.0)
  - firstrunwizard: 2.16.0 (installed 2.14.0)
  - nextcloud_announcements: 1.16.0 (installed 1.14.0)
  - privacy: 1.11.0 (installed 1.9.0)
  - recommendations: 1.6.0 (installed 1.4.0)
  - related_resources: 1.2.0 (installed 1.0.4)
  - support: 1.10.0 (installed 1.8.0)
  - survey_client: 1.15.0 (installed 1.13.0)
  - suspicious_login: 5.0.0 (installed 5.0.0)
  - systemtags: 1.17.0 (installed 1.15.0)
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

"Info   core    Bruteforce attempt from "192.168.190.81" detected for action "login"."

So, bruteforce is clearly working despite being disabled.

I whitelisted 192.168.0.0/16

Additional info

No response
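As an added illustration (not code from the issue or from Nextcloud), the helper below scans log lines in the format quoted above and reports which throttled attempts originate from the 192.168.0.0/16 range the reporter whitelisted, which is the first thing to check before looking elsewhere for the cause of a block. The sample log lines are constructed for this example; only the first one is the message from the report.

```python
import ipaddress
import re

# Constructed sample input: line 1 is the message quoted in the issue,
# the others are made up here to exercise the non-whitelisted and
# non-matching cases.
SAMPLE_LOG = """\
Info   core    Bruteforce attempt from "192.168.190.81" detected for action "login".
Info   core    Bruteforce attempt from "203.0.113.7" detected for action "login".
Info   core    Bruteforce attempt from "192.168.5.2" detected for action "password".
Info   files   Unrelated message that must be ignored
"""

# The whitelist as described by the reporter (assumption: a single /16).
WHITELIST = [ipaddress.ip_network("192.168.0.0/16")]

# Matches the throttling message Nextcloud core writes to its log.
_ATTEMPT = re.compile(
    r'Bruteforce attempt from "([^"]+)" detected for action "([^"]+)"'
)


def parse_attempts(log_text):
    """Return (ip, action) tuples for every bruteforce-attempt line."""
    found = []
    for line in log_text.splitlines():
        match = _ATTEMPT.search(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def is_whitelisted(ip_str, whitelist=WHITELIST):
    """True if the address falls inside any whitelisted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed address in the log: treat as not whitelisted
        return False
    return any(ip in net for net in whitelist)


def classify(log_text, whitelist=WHITELIST):
    """Split attempts into those from whitelisted ranges and all others.

    Attempts in the first list should not be throttled at all if the
    whitelist were effective, so a non-empty first list points at the
    whitelist (or the proxy/IP handling in front of it) as the thing to check.
    """
    whitelisted, external = [], []
    for ip, action in parse_attempts(log_text, ) if False else parse_attempts(log_text):
        (whitelisted if is_whitelisted(ip, whitelist) else external).append((ip, action))
    return whitelisted, external
```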

joshtrichards commented 1 year ago

Hi @webartifex - You don't have bruteforce disabled. You just have the extended settings manager for it disabled. If you truly want to disable it this is the parameter you want:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#auth-bruteforce-protection-enabled

That said, brute force protection just throttles (slows down); it doesn't block:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html

If you're getting outright blocked from logging in from your current client's IP address that would be something elsewhere. When you say you can't log into the web UI... are you still able to access the login page or blocked outright from even seeing that? Do you have fail2ban configured by chance?

webartifex commented 1 year ago

That is good to know. Thanks for your help.

I have fail2ban active but I whitelisted 192.168.0.0/16 so that should not cause blocking.

I do see the web UI login page. The first time around, I actually get to dashboard, and then it says something like "token not valid" and logs me out.

So, probably the error is somewhere else.

The interesting thing is that it seems solved after a restart of the VM hosting nextcloud.

joshtrichards commented 1 year ago

> I do see the web UI login page. The first time around, I actually get to dashboard, and then it says something like "token not valid" and logs me out.

And then what? You can't get past the login page ever again until the server gets rebooted?

What happens in a different browser?

> The interesting thing is that it seems solved after a restart of the VM hosting nextcloud.

The restart might be clearing server-side session data. 🤔

nextcloud-command commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.