I am using user_external to authenticate to an IMAP server (dovecot) which is protected by fail2ban, which inserts temporary firewall rules blocking IPs after a number of unsuccessful authentications.
But if the IP of your Nextcloud installation is blocked on the authenticating server due to one user failing to log in, nobody can log in any more. It's basically a self-inflicted DoS. The same goes for FTP, SMB or any other external authentication server.
So I would suggest putting a notice into the user_external documentation advising users to whitelist the Nextcloud IP if fail2ban or similar tools are being used. This may avoid confusion and save others some time, and I did not find anything related in the docs yet.
Thanks :-)
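The whitelisting suggested above, as an added example that is not part of the original report or of the user_external documentation. It assumes the stock `dovecot` jail on the IMAP host and uses `192.0.2.10` as a placeholder for the Nextcloud server's address.

```ini
# /etc/fail2ban/jail.local on the IMAP (dovecot) host
# Added example; jail name and address are assumptions, adjust to your setup.

[dovecot]
enabled = true

# Never ban loopback or the Nextcloud server (placeholder address).
# Setting ignoreip in a jail replaces the [DEFAULT] value for that jail,
# so the loopback entries are repeated here.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10

# Apply the change:            fail2ban-client reload
# Lift an existing ban:        fail2ban-client set dovecot unbanip 192.0.2.10
# Confirm the jail's ban list: fail2ban-client status dovecot
```

With the Nextcloud address exempted, failed logins relayed through Nextcloud no longer count toward a ban on the IMAP host, so throttling of those attempts has to happen on the Nextcloud side.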