Decrease the $maxDelay variable in /lib/private/Security/Bruteforce/Throttler.php #9864

Closed
wiyh12nf89x opened this issue Jun 14, 2018 · 6 comments

Comments

@wiyh12nf89x

If you have multiple failed login attempts to the Nextcloud Server, the $firstDelay variable in /lib/private/Security/Bruteforce/Throttler.php file increases up to the $maxDelay variable, which is now 30. This intended delay together with the natural server delay makes the overall delay over 30 seconds. But all the apps I tested are designed to wait less than 30 seconds and then return a timeout error.
The logs clearly show that the client gives up (HTTP 499 code in the proxy logs) just a few seconds before the server is ready to answer (HTTP 207 code in the Nextcloud Server logs).
Bypassing the proxy server (direct connection to the Nextcloud Server) doesn't solve the issue.
So, my suggestion is to decrease the $maxDelay variable from 30 to 25 seconds. All the apps I tested worked fine with this value.

Steps to reproduce

  1. Make a fresh install of a Nextcloud Server

  2. Emulate several unsuccessful logins, e. g.: for ((i=0; i<10; i++)); do curl -u "wronguser:wrongpass" -X PROPFIND "https://example.com/remote.php/webdav" >/dev/null 2>&1 & done

  3. Try to log in with proper credentials with one of the following apps:

    • An official Nextcloud Client (Linux) (v2.3.3)
    • davfs2 (Linux) (v1.5.2)
    • TotalCMD WebDAV "davplug.wfx64" plugin (Windows) (v2.9)
    • Synchronize Ultimate (Android) (v4.2.56 (30))

Expected behaviour

Successful login and further operation with no timeouts.

Actual behaviour

All of the clients quit with a timeout.

Server configuration

Operating system:
Linux 3.10.0-862.3.2.el7.x86_64 (Docker centos:latest)
Web server:
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 20 2018 18:10:38
Database:
mysqld Ver 5.7.22 for Linux on x86_64 (MySQL Community Server (GPL))
PHP version:
PHP 7.1.18 (cli) (built: May 24 2018 07:59:58) ( NTS )
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.1.18, Copyright (c) 1999-2018, by Zend Technologies
Nextcloud version:
Nextcloud 13.0.4

Updated from an older Nextcloud/ownCloud or fresh install:
Fresh

Where did you install Nextcloud from:
https://github.com/nextcloud/server/archive/v13.0.4.zip

Signing status:

Signing status http://example.com/index.php/settings/integrity/failed returned:
"No errors have been found."
App list

Enabled:

  • admin_notifications: 1.0.1
  • audioplayer: 2.3.0
  • bruteforcesettings: 1.0.3
  • caniupdate: 0.1.2
  • checksum: 0.4.0
  • comments: 1.3.0
  • dashboard: 4.0.6
  • dav: 1.4.7
  • federatedfilesharing: 1.3.1
  • federation: 1.3.0
  • files: 1.8.0
  • files_sharing: 1.5.0
  • files_trashbin: 1.3.0
  • files_versions: 1.6.0
  • lookup_server_connector: 1.1.0
  • metadata: 0.6.0
  • oauth2: 1.1.1
  • provisioning_api: 1.3.0
  • sharebymail: 1.3.0
  • systemtags: 1.3.0
  • theming: 1.4.5
  • twofactor_backupcodes: 1.2.3
  • updatenotification: 1.3.0
  • workflowengine: 1.3.0

Disabled:

  • admin_audit
  • encryption
  • files_external
  • testing
  • user_ldap

Nextcloud configuration:

Config report

{
  "system": {
    "instanceid": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
      "example.com",
      "1.2.3.4:5678"
    ],
    "logfile": "/var/log/docker/nextcloud.log",
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "memcache.local": "\OC\Memcache\APCu",
    "memcache.locking": "\OC\Memcache\Redis",
    "redis": {
      "host": "REMOVED SENSITIVE VALUE",
      "port": 0,
      "password": "REMOVED SENSITIVE VALUE"
    },
    "tempdirectory": "/data/phptemp",
    "filelocking.ttl": 18000,
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "overwrite.cli.url": "https://example.com",
    "dbtype": "mysql",
    "version": "13.0.4.0",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "updater.release.channel": "stable"
  }
}

Are you using external storage, if yes which one:
no

Are you using encryption:
no

Are you using an external user-backend, if yes which one:
no

Client configuration

Browser:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Operating system:
Linux Mint 18.3 Cinnamon 64-bit

Logs

Web server error log

TotalCMD WebDAV "davplug.wfx64" plugin

Proxy Server Log
[14/Jun/2018:12:33:39 +0300] time=0.658 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:10 +0300] time=29.914 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:11 +0300] time=0.385 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:41 +0300] time=29.931 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"

Nextcloud Server Log
[14/Jun/2018:12:33:33 +0300] time=25789u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:33:34 +0300] time=30151510u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:34:05 +0300] time=35286u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:34:06 +0300] time=30154644u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
An official Nextcloud Client

Proxy Server Log
[14/Jun/2018:12:51:33 +0300] time=1.837 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1631 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:51:34 +0300] time=0.201 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:02 +0300] time=27.624 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:05 +0300] time=1.443 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:33 +0300] time=27.320 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:39 +0300] time=2.627 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:44 +0300] time=4.732 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"

Nextcloud Server Log
[14/Jun/2018:12:51:27 +0300] time=26409u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:28 +0300] time=17776u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:58 +0300] time=1309333u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:29 +0300] time=30154114u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.0] code=207 size=377 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:52:30 +0300] time=2438521u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:52:03 +0300] time=30154960u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.0] code=207 size=377 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"

Nextcloud log (data/nextcloud.log)

06-14 12:51:34:791 1627 OCC::AbstractNetworkJob::start: !!! OCC::PropfindJob created for "https://example.com" + "/" "OCC::ConnectionValidator"
06-14 12:51:35:100 1627 OCC::PassiveUpdateNotifier::versionInfoArrived: Client is on latest version!
06-14 12:52:02:225 1627 OCC::AbstractNetworkJob::slotTimeout: virtual void OCC::AbstractNetworkJob::slotTimeout() OCC::PropfindJob(0x1908ee0) Timeout QUrl("https://example.com/remote.php/webdav/")
06-14 12:52:02:225 1627 OCC::AbstractNetworkJob::slotFinished: void OCC::AbstractNetworkJob::slotFinished() QNetworkReply::NetworkError(OperationCanceledError) "Operation canceled" QVariant(Invalid)
06-14 12:52:02:226 1627 OCC::PropfindJob::finished: PROPFIND request *not* successful, http result code is 0 ""
06-14 12:52:02:226 1627 unknown: QIODevice::read (QNetworkReplyHttpImpl): device not open
06-14 12:52:02:226 1627 OCC::AccountState::slotConnectionValidatorResult: AccountState connection status change: "Credentials Wrong" -> "Timeout"
06-14 12:52:02:226 1627 OCC::AccountState::setState: AccountState state change: "Configuration error" -> "Network error"
06-14 12:52:02:227 1627 OCC::AccountSettings::showConnectionLabel: "No connection to Nextcloud at https://example.com.\nOperation canceled"
06-14 12:52:02:227 1627 OCC::FolderMan::slotAccountStateChanged: Account "user1@example.com" disconnected or paused, terminating or descheduling sync folders
06-14 12:52:03:225 1627 OCC::Account::resetNetworkAccessManager: Resetting QNAM
06-14 12:52:03:225 1627 OCC::ConnectionValidator::checkServerAndAuth: Checking server and authentication
06-14 12:52:03:227 1627 OCC::AbstractNetworkJob::start: !!! OCC::CheckServerJob created for "https://example.com" + "status.php" "OCC::ConnectionValidator"
06-14 12:52:05:999 1627 OCC::CheckServerJob::finished: status.php returns: QMap(("edition", QVariant(QString, ""))("installed", QVariant(bool, true))("maintenance", QVariant(bool, false))("needsDbUpgrade", QVariant(bool, false))("productname", QVariant(QString, "Nextcloud"))("version", QVariant(QString, "13.0.4.0"))("versionstring", QVariant(QString, "13.0.4"))) QNetworkReply::NetworkError(NoError) Reply: QNetworkReplyHttpImpl(0x19064a0)
06-14 12:52:05:999 1627 OCC::ConnectionValidator::slotStatusFound: ** Application: ownCloud found: QUrl("https://example.com/status.php") with version "13.0.4" ( "13.0.4.0" )
06-14 12:52:05:999 1627 OCC::ConnectionValidator::setAndCheckServerVersion: QUrl("https://example.com") has server version "13.0.4.0"
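As an added example (not code from this issue or from Nextcloud), the following Python correlates the proxy and Nextcloud access logs above to make the reported symptom measurable: for every client abort (proxy code 499) it finds the throttled server response (207 taking about $maxDelay seconds) and reports by how much the server finished after the client had already given up. The two log strings are constructed from the TotalCMD excerpts in this issue with the agent/referer fields trimmed; the log line layout and the 30 s cap are taken from the report.

```python
import re

# Constructed from the proxy and Nextcloud access-log excerpts in this issue
# (TotalCMD WebDAV plugin run). Proxy "time" is seconds; the server's carries a
# trailing "u" for microseconds. Agent/referer fields are trimmed.
PROXY_LOG = """\
[14/Jun/2018:12:33:39 +0300] time=0.658 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075
[14/Jun/2018:12:34:10 +0300] time=29.914 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0
[14/Jun/2018:12:34:11 +0300] time=0.385 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075
[14/Jun/2018:12:34:41 +0300] time=29.931 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0
"""
SERVER_LOG = """\
[14/Jun/2018:12:33:33 +0300] time=25789u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414
[14/Jun/2018:12:33:34 +0300] time=30151510u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285
[14/Jun/2018:12:34:05 +0300] time=35286u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414
[14/Jun/2018:12:34:06 +0300] time=30154644u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] time=(?P<time>[\d.]+)(?P<unit>u?) .*?"
    r"\[(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+\] code=(?P<code>\d+)"
)

def parse(log):
    """One dict per log line, with the duration normalised to microseconds."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not access-log entries
        us = int(m["time"]) if m["unit"] == "u" else round(float(m["time"]) * 1e6)
        out.append({"ts": m["ts"], "us": us, "method": m["method"],
                    "path": m["path"], "code": int(m["code"])})
    return out

def find_throttle_timeouts(proxy, server, max_delay_s=30, slack_s=5):
    """Pair each client abort (proxy code 499) with the next successful server
    response on the same method/path that took about max_delay_s (the Throttler
    cap). Returns the microseconds by which the server outlived each client."""
    slow = [s for s in server
            if s["code"] < 400 and s["us"] >= (max_delay_s - slack_s) * 1_000_000]
    gaps = []
    for p in (p for p in proxy if p["code"] == 499):
        for s in slow:
            if (s["method"], s["path"]) == (p["method"], p["path"]):
                gaps.append(s["us"] - p["us"])
                slow.remove(s)  # each server response explains one abort
                break
    return gaps
```

A positive gap is the failure mode described in the report: the client timed out a fraction of a second before the throttled 207 arrived, which is why lowering $maxDelay below the clients' timeouts resolves it.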
@wiyh12nf89x
Author

I think that this issue may also relate to:

@MorrisJobke
Member

So, my suggestion is to decrease the $maxDelay variable from 30 to 25 seconds. All the apps I tested worked fine with this value.

Makes sense 👍

@MorrisJobke
Member

@wiyh12nf89x Do you mind opening a pull request with the change?

@MorrisJobke MorrisJobke added this to the Nextcloud 14 milestone Jun 14, 2018
@MorrisJobke
Member

cc @rullzer @skjnldsv

@rullzer
Member

rullzer commented Jun 14, 2018

Fine by me. 25 seconds for the max is still more than enough to make bruteforce effective :D

@MorrisJobke
Member

There it is: #9875

MorrisJobke added a commit that referenced this issue Jun 15, 2018
…ix_maxDelay

Fix #9864: Decrease $maxDelay in Throttler.php
backportbot-nextcloud bot pushed a commit that referenced this issue Feb 15, 2019
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
rullzer added a commit that referenced this issue Feb 15, 2019
[stable13] Fix #9864: Decrease $maxDelay in Throttler.php
This issue was closed.