sudo nano /etc/fail2ban/filter.d/nextcloud.conf
[Definition]
failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
sudo fail2ban-regex /var/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf -v
Should output:
Running tests
=============
Use failregex filter file : nextcloud, basedir: /etc/fail2ban
Use log file : /var/nextcloud/data/nextcloud.log
Use encoding : UTF-8
Results
=======
Failregex: 25941 total
|- #) [# of hits] regular expression
| 1) [0] ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
| 2) [11] ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
sudo nano /etc/fail2ban/jail.d/nextcloud.local
[nextcloud]
ignoreip = 192.168.1.0/24
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 36000
findtime = 36000
logpath = /var/nextcloud/data/nextcloud.log
sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
| |- Currently failed: 13
| |- Total failed: 82
| `- File list: /var/nextcloud/data/nextcloud.log
`- Actions
|- Currently banned: 0
|- Total banned: 5
`- Banned IP list:
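
An added example, not part of the original notes: a Python script that runs the three failregex lines from the filter over constructed log lines and then applies the jail's maxretry, findtime and ignoreip, showing why only the regex that matches the log's key order records hits. Assumptions: the (?P<host>...) group is a simplified stand-in for fail2ban's <HOST>, fail2ban's date handling and bantime expiry are not modelled, and sample(), match() and banned_hosts() are hypothetical helper names.

```python
import ipaddress
import json
import re
from datetime import datetime

HOST = r"(?P<host>[0-9A-Fa-f:.]+)"  # assumption: simplified stand-in for fail2ban's <HOST>
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (  # the three filter lines
    r"""^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$""",
    r"""^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$""",
    r"""^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$""",
)]
MAXRETRY, FINDTIME = 3, 36000                    # values from the [nextcloud] jail
IGNORE = ipaddress.ip_network("192.168.1.0/24")  # ignoreip from the jail

def sample(ip, t, msg=None, old=False):
    """Constructed log line; old=True uses the key order that regex 1 expects."""
    msg = msg or f"Login failed: 'admin' (Remote IP: '{ip}')"
    if old:
        d = {"reqId": "x", "remoteAddr": ip, "app": "core", "message": msg, "level": 2, "time": t}
    else:
        d = {"reqId": "x", "level": 2, "time": t, "remoteAddr": ip, "user": "--",
             "app": "core", "method": "POST", "url": "/login", "message": msg}
    return json.dumps(d, separators=(",", ":"))

def match(line):
    """Return (1-based regex number, host) for the first failregex that hits, else None."""
    for n, rx in enumerate(FAILREGEX, 1):
        m = rx.search(line)
        if m:
            return n, m.group("host")
    return None

def banned_hosts(lines):
    """Hosts reaching MAXRETRY matched lines within FINDTIME seconds, skipping ignoreip."""
    seen, banned = {}, []
    for line in lines:
        hit = match(line)
        if not hit or ipaddress.ip_address(hit[1]) in IGNORE:
            continue
        ts = datetime.fromisoformat(json.loads(line)["time"]).timestamp()
        seen[hit[1]] = [t for t in seen.get(hit[1], []) if ts - t <= FINDTIME] + [ts]
        if len(seen[hit[1]]) >= MAXRETRY and hit[1] not in banned:
            banned.append(hit[1])
    return banned

if __name__ == "__main__":
    day = "2024-01-01T%02d:00:00+00:00"  # constructed timestamps, hour filled in below
    hours = {"203.0.113.7": (1, 2, 3), "198.51.100.9": (0, 5, 11), "192.168.1.50": (1, 2, 3)}
    print(banned_hosts([sample(ip, day % h) for ip, hs in hours.items() for h in hs]))
```

A log line whose keys sit in a different order than a regex expects produces no hit for that regex, which is how a filter line can show [0] in fail2ban-regex while another line carries all the matches.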