github-actions[bot] 8d9ee5eb57
Merge pull request #849 from nextcloud/automated/noid/master-update-nextcloud-ocp
[master] Update nextcloud/ocp dependency
2025-10-26 03:10:45 +00:00
.github ci(Actions): Update GitHub actions 2025-10-22 17:44:47 +02:00
.tx [tx-robot] Update transifex configuration 2022-10-01 02:20:32 +00:00
appinfo fix(API): Improve config handling 2025-10-22 16:50:27 +02:00
js chore(assets): Recompile assets 2025-10-24 09:02:39 +00:00
l10n fix(l10n): Update translations from Transifex 2025-10-26 00:21:58 +00:00
lib fix(api): Load comment from lazy config section 2025-10-24 10:00:21 +02:00
LICENSES fix(deps): Fix npm audit 2025-02-21 10:33:44 +01:00
screenshots fix(App): translatable labels 2024-02-12 10:31:06 +01:00
src fix(App): extend placeholder text for more clarity 2025-10-24 10:59:34 +02:00
templates Add SPDX header 2024-04-23 13:49:13 +02:00
tests fix: adjust test 2025-10-24 09:28:57 +02:00
vendor-bin ci: Lock specific versions 2025-10-23 09:00:22 +02:00
.gitignore fix(phpunit): ignore phpunit cache 2025-10-23 09:34:40 +02:00
.l10nignore Don't ignore js/ and ignore it for translations 2022-09-22 10:30:08 +02:00
.nextcloudignore More krankerl excludes 2021-04-10 14:37:29 +01:00
.php-cs-fixer.dist.php ci: Fix cs config path 2025-10-23 09:01:24 +02:00
babel.config.js fix: update eslint 2025-07-17 15:07:55 +02:00
CHANGELOG.md Add SPDX header 2024-04-23 13:49:13 +02:00
composer.json ci(phpunit): Setup and fix PHPUnit 2025-10-22 17:44:47 +02:00
composer.lock chore(dev-deps): Bump nextcloud/ocp package 2025-10-26 02:44:29 +00:00
eslint.config.mjs chore(eslint): remove bypass for tests 2025-09-12 09:10:44 +02:00
krankerl.toml Use components and update krankerl 2022-04-14 09:51:10 +02:00
LICENSE Initial commit of the app 2017-04-02 21:24:47 +02:00
package-lock.json Chore(deps-dev): Bump jsdom from 27.0.0 to 27.0.1 2025-10-25 01:05:13 +00:00
package.json Chore(deps-dev): Bump jsdom from 27.0.0 to 27.0.1 2025-10-25 01:05:13 +00:00
psalm.xml ci(psalm): Add psalm CI 2025-10-22 17:44:46 +02:00
README.md chore: add reuse compliance badge 2024-04-26 19:15:40 +02:00
REUSE.toml fix(reuse): Add license for composer files 2025-10-23 09:02:07 +02:00
stylelint.config.js fix: update eslint 2025-07-17 15:07:55 +02:00
vitest.config.js chore(deps): add vitest config 2025-09-12 09:10:44 +02:00
webpack.js fix: update eslint 2025-07-17 15:07:55 +02:00

💪 Nextcloud Brute Force Settings


This app makes it possible (via the Web UI) to view the status of a connection and modify certain parameters of the brute force protection built into Nextcloud Server.

Screenshot of configuration

Currently an admin can view the status of the IP address they are connecting from as well as specify IPv4 or IPv6 addresses and ranges to exempt from brute force protection.

Additional enhancements may be made in the future, within this app and/or in combination with Nextcloud Server for additional monitoring or behavior adjustments related to brute force protection.

Tip

Most nuisance triggering of brute force protection can be resolved through proper configuration of reverse proxies. In other cases, select IP addresses that need to be whitelisted can be configured within this app (while leaving brute force protection enabled). This can be useful for testing purposes or when there are a lot of people (or devices) connecting from a known, single IP address.
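The effect described in the tip above, as an added illustration (not code from this app or from Nextcloud Server): a simplified Python model of how failed logins are attributed to addresses when a reverse proxy is or is not trusted, and how exempt IPv4/IPv6 ranges are matched. All addresses, the right-to-left walk of the forwarded header and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample values (assumptions, not from the app or a real deployment).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
EXEMPT_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "2001:db8:1::/48")]
# Constructed failed-login requests: (TCP peer address, X-Forwarded-For header).
SAMPLE = [
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "192.0.2.44"),
    ("10.0.0.5", "203.0.113.20"),    # inside the exempt IPv4 range
    ("10.0.0.5", "2001:db8:1::9"),   # inside the exempt IPv6 range
    ("192.0.2.99", "203.0.113.20"),  # not a trusted proxy: header must be ignored
]


def in_any(addr, networks):
    """True if addr is inside one of the networks (IPv4 never matches IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Pick the address to key throttling on.

    The forwarded header is honoured only when the TCP peer is a trusted proxy.
    """
    if forwarded_for and in_any(remote_addr, trusted_proxies):
        # Walk the hop list right to left and take the first untrusted hop.
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            try:
                if not in_any(hop, trusted_proxies):
                    return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed header: fall back to the peer address
    return remote_addr


def count_failures(requests, trusted_proxies, exempt_ranges):
    """Count failed logins per resolved address, skipping exempt ranges."""
    counts = {}
    for remote_addr, forwarded_for in requests:
        ip = client_ip(remote_addr, forwarded_for, trusted_proxies)
        if not in_any(ip, exempt_ranges):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("proxy not trusted:", count_failures(SAMPLE, [], EXEMPT_RANGES))
    print("proxy trusted:    ", count_failures(SAMPLE, TRUSTED_PROXIES, EXEMPT_RANGES))
```

When the proxy is not trusted, every proxied user is counted against the proxy's own address and the exempt ranges never match, which is the nuisance triggering the tip refers to.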

Important

Disabling this app merely removes your ability to adjust brute force related settings - it does not disable brute force protection in Nextcloud Server itself. If that is your goal, you must set a special value in your Nextcloud config.php to disable brute force protection.

Background

Brute force protection is meant to protect Nextcloud servers from attempts to guess passwords and tokens in various ways. Besides the obvious "let's try a big list of commonly used passwords" attack, it also makes it harder to use slightly more sophisticated attacks via the reset password form or trying to find app password tokens.

If triggered, brute force protection makes requests - coming from an IP on a brute force protected controller - slower for up to a 24-hour period.

Installation

Nextcloud 25 and newer

The app is shipped and comes with the installation of Nextcloud Server. No additional steps are necessary to install.

Nextcloud 24 and older

Old versions of this app remain available through the app store. They can be installed through Nextcloud's app management UI.

Note

Newer versions of the app are not included in the app store since it is now a shipped app.

Releases and CHANGELOGs

As a shipped app:

  • changes are posted within the Nextcloud Server changelog.
  • releases are not posted in this GitHub repository, but they are tagged for code perusal.
  • it is automatically kept up-to-date with each Nextcloud Server release.

Usage

  • The user interface added by this app is found under Administration settings -> Security under the Brute-force IP whitelist heading.

How it works

This application merely manages some of the settings associated with brute force protection. To understand how that protection works, review the How it works section of the Brute Force Protection chapter in the Administration Manual.

Documentation

Help & Contributing

Keep in mind that the brute force protection implementation is primarily within Nextcloud Server itself, so for some details it may be more appropriate to look there.