@@ -215,7 +215,8 @@ security headers are shipped.
215215Connections to remote servers
216216----------------------------- 
217217
218- Some Nextcloud functionality requires connecting to remote servers. Depending on your server setup those are possible connections:
218+ Some Nextcloud functionality requires connecting to remote servers. Depending on 
219+ your server setup those are possible connections:
219220
220221- www.nextcloud.com, www.startpage.com, www.eff.org, www.edri.org for checking the internet connection
221222- apps.nextcloud.com for the available apps
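Review bot: the rewrapped first line of the paragraph ("Depending on ") carries trailing whitespace; since this hunk only reflows the sentence to fit the line width, strip the trailing space so the rewrap does not introduce whitespace noise into the RST source.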
@@ -224,3 +225,65 @@ Some Nextcloud functionality requires connecting to remote servers. Depending on
224225- push-notifications.nextcloud.com for sending push notifications to mobile clients
225226- surveyserver.nextcloud.com if the admin has agreed to share anonymized data
226227- Any remote Nextcloud server that is connected with federated sharing
228+ 
229+ Setup fail2ban
230+ -------------- 
231+ 
232+ Exposing your server to the internet will inevitably lead to the exposure of the 
233+ services running on the internet-exposed ports to brute force login attempts.
234+ 
235+ Fail2ban is a service that uses iptables to automatically drop connections for a
236+ pre-defined amount of time from IPs that continuously failed to authenticate to 
237+ the configured services.
238+ 
239+ In order to setup fail2ban, you first need to download and install it on your
240+ server. Downloads for several distributions can be found on `fail2ban download 
241+ page `_. It is often available from most distributions' package managers (e.g.
242+ ``apt-get ``).
243+ 
244+ The standard path for fail2ban's configuration is ``/etc/fail2ban ``.
245+ 
246+ Setup a filter and a jail for Nextcloud
247+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
248+ 
249+ A filter defines regex rules to identify when users fail to authenticate on 
250+ Nextcloud's user interface, WebDAV, or use an untrusted domain to access the 
251+ server.
252+ 
253+ Create a file in ``/etc/fail2ban/filter.d `` named ``nextcloud.conf `` with the 
254+ following contents::
255+ 
256+   [Definition] 
257+   _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) 
258+   failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: 
259+               ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. 
260+   datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" 
261+ 
262+ The jail file defines how to handle the failed authentication attempts found by 
263+ the Nextcloud filter.
264+ 
265+ Create a file in ``/etc/fail2ban/jail.d `` named ``nextcloud.local `` with the 
266+ following contents::
267+ 
268+   [nextcloud] 
269+   backend = auto 
270+   enabled = true 
271+   port = 80,443 
272+   protocol = tcp 
273+   filter = nextcloud 
274+   maxretry = 3 
275+   bantime = 86400 
276+   findtime = 43200 
277+   logpath = /path/to/data/directory/nextcloud.log 
278+ 
279+ Ensure to replace ``logpath `` with your installation's ``nextcloud.log `` 
280+ location. If you are using ports other than ``80 `` and ``443 `` for your 
281+ Web server you should replace those too. The ``bantime `` and ``findtime `` are 
282+ defined in seconds.
283+ 
284+ Restart the fail2ban service. You can check the status of your Nextcloud jail by 
285+ running::
286+ 
287+   fail2ban-client status nextcloud 
288+ 
289+ .. _fail2ban download page : https://www.fail2ban.org/wiki/index.php/Downloads 
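Review bot: the filter's ``failregex`` and ``datepattern`` only match Nextcloud's JSON-formatted file log (lines beginning with ``{`` and carrying ``"remoteAddr"``, ``"message"`` and ``"time"`` keys), but the text never states that prerequisite. The section should say that the jail assumes Nextcloud is logging to ``nextcloud.log`` at a level that includes the "Login failed" and "Trusted domain error" messages, and that ``remoteAddr`` must hold the real client address (behind a reverse proxy this requires Nextcloud's ``trusted_proxies`` to be configured, otherwise the jail would ban the proxy). Before "Restart the fail2ban service", it would also help to add a verification step, e.g. ``fail2ban-regex /path/to/data/directory/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf``, so admins can confirm the regex actually matches their log before a three-strike, 24-hour ban goes live. Minor style points: "In order to setup fail2ban" and "Setup a filter and a jail" should use the verb form "set up", and several lines in this hunk end in trailing whitespace.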