CyberSecurity updates
2025-01-18 01:22:50 Pacific

Nextcloud Brute-Force Handling Issues - 2d
Read more: github.com

Nextcloud users are reporting significant issues with the platform's brute-force protection mechanism, which is designed to safeguard against unauthorized access attempts. Users have been locked out of their servers due to what they believe are false positives. These lockouts occur when the system incorrectly identifies legitimate login attempts or other normal activity as brute-force attacks, causing frustration and disruption for users. The current settings lack the granularity needed to fine-tune the system to prevent these issues, forcing some to completely disable the protection feature, leaving their systems potentially vulnerable.

Some users have cited cases where devices on a home network, sharing an external IP address, are locked out even when using correct credentials. This highlights a need for the system to better understand normal traffic patterns and distinguish between genuine threats and ordinary usage, particularly in shared IP environments. There are calls to improve the configurability of the brute-force handling to allow more control over thresholds and behavior. This would help to minimize lockouts, offer more granular user control, and ultimately ensure that the brute-force detection mechanism does not impede legitimate users of the Nextcloud platform.
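The shared-IP lockout described above can be reproduced with a small model. This is an added example, not Nextcloud's code or its actual algorithm: the `Throttle` class, the threshold of 5 failures, the 30-minute window and the account names are all assumptions chosen for illustration.

```python
from collections import defaultdict

NAT_IP = "203.0.113.10"  # constructed sample: documentation-range address

class Throttle:
    """Simplified failed-login throttle (hypothetical model, not Nextcloud's)."""
    def __init__(self, key_fn, max_failures=5, window=1800, allowlist=()):
        self.key_fn = key_fn                # decides what counts as one "client"
        self.max_failures = max_failures    # assumed threshold
        self.window = window                # assumed look-back window, seconds
        self.allowlist = set(allowlist)     # IPs exempt from throttling
        self.failures = defaultdict(list)   # key -> timestamps of failed logins

    def blocked(self, ip, user, now):
        if ip in self.allowlist:
            return False
        recent = [t for t in self.failures[self.key_fn(ip, user)]
                  if now - t < self.window]
        return len(recent) >= self.max_failures

    def login(self, ip, user, ok, now):
        """Process one attempt; returns 'blocked', 'failed' or 'ok'."""
        if self.blocked(ip, user, now):
            return "blocked"
        if not ok:
            self.failures[self.key_fn(ip, user)].append(now)
            return "failed"
        return "ok"

def by_ip(ip, user):            # every device behind the NAT shares one counter
    return ip

def by_ip_and_account(ip, user):  # counter is per (address, account) pair
    return (ip, user)

def simulate(throttle):
    # Constructed scenario: one device retries a stale saved password for
    # "alice" six times, then another device on the same external IP logs
    # in as "bob" with correct credentials.
    for i in range(6):
        throttle.login(NAT_IP, "alice", ok=False, now=i * 10)
    return throttle.login(NAT_IP, "bob", ok=True, now=100)

def run():
    return {
        "ip_only": simulate(Throttle(by_ip)),
        "ip_and_account": simulate(Throttle(by_ip_and_account)),
        "ip_only_allowlisted": simulate(Throttle(by_ip, allowlist=[NAT_IP])),
    }

if __name__ == "__main__":
    print(run())
```

Both alternatives trade protection for availability: keying on the account as well as the address no longer slows an attacker who tries many accounts from one IP, and an allowlisted address is not throttled at all.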