Hello,
I have Nextcloud AIO set up with Nginx Proxy Manager and fail2ban. Big thanks to chente and BernH for the awesome guides (Nextcloud AIO and NPM with fail2ban). I did everything according to the guides. The setup was quite easy and it's running very nicely.
If I understand BernH's instructions and the regex file correctly, his guide sets a fail2ban filter that scans for all HTTP status codes from the 3xx and 4xx range in the npm log files.
Before I get to my actual problem, I have one question: Why is it necessary to include the 3xx codes?
One example: Apparently the (preinstalled) Nextcloud richdocuments-app checks for custom fonts every few minutes or so - and most of the time receives a 304 code ( [12/Mar/2024:23:48:52 +0100] - 304 304 - GET https mynextcloud.xxx "/apps/richdocuments/settings/fonts.json" [Client 123.456.789.0] [Length 0] [Gzip -] [Sent-to 192.168.178.15] "COOLWSD HTTP Agent 23.05.9.2" "-") -> in the last 24 hours alone there are more than 300 events like that in the npm log - all registering my IP with fail2ban.
Aren't 3xx HTTP codes just redirections and not errors? (I'm a complete noob, so this is a genuine question.)
Anyway: Since everything went so smoothly, I started to use nextcloud and imported all my contacts to the contacts app.
That's when the problems started: I got banned by fail2ban every few minutes. It took me some time and research, but I think I found the problem:
Apparently there's an open bug that the contacts app requests profile photos for every contact each time the app is used. And it gets a 404 code for every contact that has no photo set. This gets me banned instantly when opening contacts in nextcloud. I also get banned without using the web interface, because apparently contact syncing (as I use it with the Gnome desktop and iOS) also generates 404 errors, just not as many as the web interface.
For crowdsec there's a whitelist for this problem and for a similar bug of the file browser.
I would like to stay with nextcloud-aio, since I very much like the approach. Is there any option to make my configuration work with fail2ban?
There are regex recommendations in the official documentation and there is a nextcloud-aio fail2ban community container. This would apparently solve the problem for now. (I guess.) But I still want to use fail2ban with npm, because I plan on setting up other containers that might need to be published to the internet...
Would crowdsec be an easier option? Does it work with my configuration?
Any helpful advice is much appreciated!
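
An added example, not part of the original post or of the guides it mentions: a small Python model of how a fail2ban-style filter would count lines in the NPM log format quoted above, comparing a filter that counts every 3xx and 4xx status with one that counts only 4xx and skips known-noisy Nextcloud paths (the role `ignoreregex` plays in a fail2ban filter). The regexes, the `maxretry` value, the client addresses and the contacts photo path are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import Counter

# Field layout taken from the log line quoted in the post:
# [time] cache upstream_status status - METHOD scheme host "uri" [Client ip] ...
LINE = re.compile(
    r'^\[[^\]]+\] \S+ \S+ (?P<status>\d{3}) - [A-Z]+ \S+ \S+ '
    r'"(?P<uri>[^"]*)" \[Client (?P<host>[0-9A-Fa-f:.]+)\]'
)

BROAD = re.compile(r'^[34]\d\d$')      # what the post describes: every 3xx and 4xx
NARROW = re.compile(r'^4\d\d$')        # assumption: count client errors only
# Assumed ignore patterns (ignoreregex role); the photo path is hypothetical.
IGNORE_URI = re.compile(
    r'^/apps/richdocuments/settings/fonts\.json$'
    r'|^/remote\.php/dav/addressbooks/.*\?photo$'
)

def banned(lines, status_re, ignore_re=None, maxretry=5):
    """Return the clients whose counted hits reach maxretry."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not status_re.match(m['status']):
            continue
        if ignore_re and ignore_re.search(m['uri']):
            continue
        hits[m['host']] += 1
    return {host for host, n in hits.items() if n >= maxretry}

def make(status, uri, client):
    # Builds a constructed line in the quoted format; not real log data.
    return (f'[12/Mar/2024:23:48:52 +0100] - {status} {status} - GET https '
            f'mynextcloud.xxx "{uri}" [Client {client}] [Length 0] [Gzip -] '
            f'[Sent-to 192.168.178.15] "agent" "-"')

OWNER, SCANNER = '192.0.2.10', '198.51.100.23'   # documentation-range addresses
SAMPLE = (
    [make(304, '/apps/richdocuments/settings/fonts.json', OWNER)] * 6
    + [make(404, f'/remote.php/dav/addressbooks/users/me/contacts/c{i}.vcf?photo', OWNER)
       for i in range(8)]
    + [make(404, f'/missing-{i}.php', SCANNER) for i in range(6)]
    + [make(200, '/index.php/apps/files/', OWNER)] * 3
)

if __name__ == '__main__':
    print('broad :', sorted(banned(SAMPLE, BROAD)))
    print('narrow:', sorted(banned(SAMPLE, NARROW, IGNORE_URI)))
```

Dropping 3xx alone still bans the owner's address in this sample because of the contact photo 404s; only the combination with the ignore patterns leaves the unknown client as the sole ban.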