IPv6 error / Consider manual whitelisting to support training

[jalabaya]

I have an IPad in a different location, that location appears to get a new IP quite often. It worked for a week, but now what is happening is that essentially I can not access my Nextcloud even from a regular PC browser from that network.

In the logs I see this:

{"reqId":"2RtixGpQeR86NhcSw4qI","level":3,"time":"2021-11-30T18:30:35+09:00","remoteAddr":"","user":"--","app":"suspicious_login","method":"","url":"--","message":"Caught unknown error during IPv6 background training","userAgent":"--","version":"22.2.3.0","exception":{"Exception":"Error","Message":"Minimum value must be less than or equal to the maximum value","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/suspicious_login/lib/Service/NegativeSampleGenerator.php","line":74,"function":"random_int"},{"file":"/var/www/nextcloud/apps/suspicious_login/lib/Service/NegativeSampleGenerator.php","line":114,"function":"generateFromRealData","class":"OCA\\SuspiciousLogin\\Service\\NegativeSampleGenerator","type":"->"},{"function":"OCA\\SuspiciousLogin\\Service\\{closure}","class":"OCA\\SuspiciousLogin\\Service\\NegativeSampleGenerator","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/suspicious_login/lib/Service/NegativeSampleGenerator.php","line":115,"function":"array_map"},{"file":"/var/www/nextcloud/apps/suspicious_login/lib/Service/DataLoader.php","line":123,"function":"generateShuffledFromPositiveSamples","class":"OCA\\SuspiciousLogin\\Service\\NegativeSampleGenerator","type":"->"},{"file":"/var/www/nextcloud/apps/suspicious_login/lib/Service/TrainService.php","line":72,"function":"generateRandomShuffledData","class":"OCA\\SuspiciousLogin\\Service\\DataLoader","type":"->"},{"file":"/var/www/nextcloud/apps/suspicious_login/lib/BackgroundJob/TrainJobIpV6.php","line":64,"function":"train","class":"OCA\\SuspiciousLogin\\Service\\TrainService","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/Job.php","line":79,"function":"run","class":"OCA\\SuspiciousLogin\\BackgroundJob\\TrainJobIpV6","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":63,"function":"execute","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/nextcloud/cron.php","line":127,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/nextcloud/apps/suspicious_login/lib/Service/NegativeSampleGenerator.php","Line":74,"CustomMessage":"Caught unknown error during IPv6 background training"}}

Which seems to point at an issue.

I think it would be really helpful, if we could support the Suspicious login app in its training. For example, I log in my device and tell the app that that was a good login.

Server configuration detail

Operating system: Linux 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

Webserver: Apache (fpm-fcgi)

Database: pgsql PostgreSQL 12.9 (Ubuntu 12.9-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, 64-bit

PHP version: 7.4.3

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, cgi-fcgi, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mysqli, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, smbclient, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache

Nextcloud version: 22.2.3 - 22.2.3.0

[ChristophWurst]

It must be the code random_int(0, count($uniqueIps) - 1). $uniqueIps is empty, therefore we request a random number from 0 to -1 💥

[joshtrichards]

Fixed in #810
Similar to #745

I have an IPad in a different location, that location appears to get a new IP quite often. It worked for a week, but now what is happening is that essentially I can not access my Nextcloud even from a regular PC browser from that network.

The suspicious_login app doesn't prevent access. It just notifies about suspicious appearing logins. If you were unable to log-in, something else was causing that.

EDIT: Whitelisting is covered in #659