bruteforcesettings

IP Whitelist doesn't work

Open ghost opened this issue 4 years ago • 4 comments

I've had issues with my clients asking me to reconnect once in a while, and at first I thought it was a specific client issue, but recently all of my clients seemed to experience the same thing (my desktop clients, mobile clients, and even DAVx), after which I noticed that the oc_bruteforce_attempts table was populated with my IP address. The problem is that I've added my IP addresses to the whitelist, but they still seem to be added to brute force attempts. Why is this happening?

PS: I've added my IP addresses with /32 prefix

PPS: I'm running Nextcloud version 18.

ghost avatar Mar 11 '20 19:03 ghost

I've also seen that today on NC 23.0.0. My server has two interfaces, an external "official" IPv4 (/30) and an internal RFC1918 address. My hostnames resolve to the official address. I don't understand how a login attempt may even be recorded from the internal addresses, but there was one since I got an email telling me there was an attempt from 192.168.1.2 – the address of my internal firewall within the DMZ. I comment this here since I have four entries in my bruteforcesettings whitelist:

  • 127.0.0.1/32
  • <official>/30
  • 192.168.0.0/24
  • 192.168.1.0/24

So, apart from the riddle why something tried to log in from 192.168.2.1 at all, according to the above whitelist that attempt should not trigger anything.

nursoda avatar Jan 09 '22 20:01 nursoda

https://github.com/nextcloud/suspicious_login/issues/645#issuecomment-1627535357

Bruteforce attempt from "xxx.xxx.xxx.xxx" detected for action "login". - every first web based login attempt fails, 2nd one is successful.

bcutter avatar Jul 08 '23 22:07 bcutter

> I don't understand how a login attempt may even be recorded from the internal addresses, but there was one since I got an email telling me there was an attempt from 192.168.1.2 – the address of my internal firewall within the DMZ.

@nursoda BFP doesn't generate any emails. Are you perhaps thinking of the suspicious_login app?

joshtrichards avatar Feb 19 '24 17:02 joshtrichards

> after which I noticed that the oc_bruteforce_attempts table was populated with my IP address. The problem is that I've added my IP addresses to the whitelist, but they still seem to be added to brute force attempts. Why is this happening?

@ghost (yeah I know this goes to no one) Until Nextcloud Server v21, stale entries weren't cleaned up. Perhaps you were seeing stale entries not current ones in the db table?

joshtrichards avatar Feb 19 '24 17:02 joshtrichards
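
When an address shows up in oc_bruteforce_attempts despite a whitelist, a first check is whether any configured range actually covers it. The script below is an added example, not part of the thread and not Nextcloud's own matching code: it applies plain CIDR membership to the whitelist and addresses quoted above. The `203.0.113.0/30` range is a constructed stand-in for the elided `<official>/30`, and unwrapping IPv4-mapped IPv6 addresses is an assumption of this script.

```python
import ipaddress

# Whitelist from the thread; "<official>/30" is elided there, so a
# documentation range (RFC 5737) stands in for it here (constructed).
WHITELIST = ["127.0.0.1/32", "203.0.113.0/30", "192.168.0.0/24", "192.168.1.0/24"]


def parse_ranges(entries):
    """Parse CIDR strings; strict=False accepts entries with host bits set."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalize(addr):
    """Return an ip_address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def matching_range(addr, ranges):
    """Return the first range covering addr, or None if none does."""
    ip = normalize(addr)
    for net in ranges:
        if ip.version == net.version and ip in net:
            return net
    return None


def audit(addresses, entries):
    """Map each address to the covering CIDR string, or None."""
    ranges = parse_ranges(entries)
    result = {}
    for a in addresses:
        net = matching_range(a, ranges)
        result[a] = str(net) if net else None
    return result


if __name__ == "__main__":
    # Addresses mentioned in the thread, plus a constructed IPv4-mapped form.
    seen = ["192.168.1.2", "192.168.2.1", "::ffff:192.168.1.2", "127.0.0.1"]
    for addr, net in audit(seen, WHITELIST).items():
        print(f"{addr:22} -> {net or 'NOT covered by any whitelist entry'}")
```

Feed it the `ip` values read from the table and the entries from the brute-force settings page to see which rows no whitelist entry accounts for.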