Hi,
I created the fail2ban filter: /config/fail2ban/filter.d/nextcloud.local
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
Then added the Nextcloud jail config in /config/fail2ban/jail.local
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /config/log/nextcloud/nextcloud.log
Added the Nextcloud’s log location as a volume within the SWAG compose file.
volumes:
  - /var/lib/docker/volumes/nextcloud_nextcloud/_data/log/nextcloud:/config/log/nextcloud
Proxy header settings are included in the location block of the Nextcloud subdomain setup.
/nginx/proxy-confs/nextcloud.subdomain.conf
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app nextcloud;
    set $upstream_port 80;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    proxy_max_temp_file_size 2048m;
}
Fail2ban successfully reads the Nextcloud log and rejects further connections after 3 failed attempts.
Problem being, the IP being banned is that of the SWAG container - “172.20.0.5” and not the “remoteAddr IP” as expected.
I’m going stir crazy trying to make sense of this. Any advice, regardless, will be greatly appreciated.
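One way to check which address the filter above extracts from a log line, and whether it is a container-network address, as an added example that is not part of the original post. It assumes a simplified stand-in for fail2ban's `<HOST>` tag, constructed log lines (203.0.113.7 is a documentation address), and hypothetical helper names (`sample_line`, `extracted_host`, `audit`).

```python
import ipaddress
import json
import re

# _groupsre and the two failregex lines from nextcloud.local. fail2ban expands
# <HOST> itself; the capture group below is a simplified stand-in (assumption).
GROUPS = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'
FAILREGEX = [
    re.compile(r'^\{' + GROUPS + r',?\s*"remoteAddr":"' + HOST + '"'
               + GROUPS + r',?\s*"message":"' + message)
    for message in (r'Login failed:', r'Trusted domain error.')
]
# RFC 1918 ranges; Docker bridge networks such as 172.20.0.0/16 fall inside.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sample_line(addr, message="Login failed: admin"):
    """Build a constructed Nextcloud-style JSON log line (not real log data)."""
    return json.dumps({"reqId": "x1", "level": 2,
                       "time": "2024-05-01T10:00:00+00:00", "remoteAddr": addr,
                       "user": "--", "app": "core", "method": "POST",
                       "url": "/login", "message": message},
                      separators=(",", ":"))


def extracted_host(line):
    """Return the address the filter captures from one log line, or None."""
    for rx in FAILREGEX:
        match = rx.match(line)
        if match:
            return match.group("host")
    return None


def audit(lines):
    """Return (host, is_internal) for every line the filter matches."""
    results = []
    for line in lines:
        host = extracted_host(line)
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # captured text is not a valid IP address
        results.append((host, any(addr in net for net in INTERNAL)))
    return results
```

Feeding `audit` the lines of the real nextcloud.log shows whether the log itself records the container address in remoteAddr or the client's address.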