Brute force whitelist is not applied to CardDAV ? #12330

Closed
Liberasys opened this issue Nov 7, 2018 · 3 comments
@Liberasys

Steps to reproduce

Nextcloud server, z-push server.
Some mobile clients connecting to the z-push server.
At NextCloud side :

  • brute force protection was enabled.
  • IP of the z-push server was entered in the whitelist app (/32), and is present in the database.
  • IP and hostname are in trusted_domains of config.php

Expected behaviour

No brute force throttling / blocking should happen for the z-push server.

Actual behaviour

At some moment, every user will get a message on their ActiveSync client that will ask to re-authenticate on z-push server.
In z-push log file you will see something like :

07/11/2018 11:21:07 [ 3472] [ERROR] [damien@liberasys.fr] BackendCardDAV->ChangesSink - Error resyncing vcards: Woops, something's gone wrong! The CardDAV server returned the http status code 0.
07/11/2018 11:21:07 [ 3472] [ERROR] [damien@liberasys.fr] BackendCardDAV->ChangesSink - Error getting the changes

Or (verbose) :

07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] -------- Start
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] cmd='' devType='' devId='' getUser='test3@liberasys.fr' from='92.154.71.102' version='2.4.4+0-0' method='OPTIONS'
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Used timezone 'Europe/Paris'
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Including backend file: '/usr/share/z-push/backend/imap/imap.php'
07/11/2018 11:24:19 [22949] [ INFO] [test3@liberasys.fr] BackendIMAP(): The following authentication methods are disabled: GSSAPI
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Including backend file: '/usr/share/z-push/backend/caldav/caldav.php'
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Including backend file: '/usr/share/z-push/backend/carddav/carddav.php'
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Combined 3 backends loaded.
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Request::ProcessHeaders() ASVersion: 14.1
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] Combined->Logon('test3@liberasys.fr', '',***))
07/11/2018 11:24:19 [22949] [DEBUG] [test3@liberasys.fr] BackendIMAP->Logon(): User 'test3@liberasys.fr' is authenticated on '{mail2.liberasys.com:143/imap/tls/norsh}'
07/11/2018 11:24:49 [22949] [WARN] [test3@liberasys.fr] BackendCalDAV->Logon(): User 'test3@liberasys.fr' is not authenticated on CalDAV 'https://nextcloud.liberasys.com:443/remote.php/dav/calendars/test3@liberasys.fr/'
07/11/2018 11:24:49 [22949] [DEBUG] [test3@liberasys.fr] Combined->Logon() failed on BackendCalDAV
07/11/2018 11:24:49 [22949] [ INFO] [test3@liberasys.fr] AuthenticationRequiredException: Access denied. Username or password incorrect - code: 0 - file: /usr/share/z-push/lib/request/requestprocessor.php:69
07/11/2018 11:24:49 [22949] [ INFO] [test3@liberasys.fr] User-agent: 'motorolaXT1039/7.1.2-EAS-2.0'
07/11/2018 11:24:49 [22949] [FATAL] [test3@liberasys.fr] Exception: (AuthenticationRequiredException) - Access denied. Username or password incorrect
07/11/2018 11:24:49 [22949] [WARN] [test3@liberasys.fr] IP: 92.154.71.102 failed to authenticate user 'test3@liberasys.fr'
07/11/2018 11:24:49 [22949] [DEBUG] [test3@liberasys.fr] TopCollector initialised with IPC provider 'IpcMemcachedProvider' with type '20'
07/11/2018 11:24:49 [22949] [ INFO] [test3@liberasys.fr] cmd='' memory='2.43 MiB/4.00 MiB' time='30.06s' devType='' devId='' getUser='test3@liberasys.fr' from='92.154.71.102' idle='0s' version='2.4.4+0-0' method='OPTIONS' httpcode='401'
07/11/2018 11:24:49 [22949] [DEBUG] [test3@liberasys.fr] -------- End

Remark: IMAP is over Dovecot, and credentials are the same as in Nextcloud. You see that IMAP auth is OK, but not CalDAV on Nextcloud.

But the z-push public IP continues to be inserted in the brute force table.
I have logs about that, but not at the time of this present example (I don't know why Nextcloud has not logged it, maybe the IP was throttled already, but I had success before 11:20...):
./user.log:Nov 7 08:51:51 nextcloud ool www: [owncloud][core][1] Bruteforce attempt from "" detected for action "login".

Anyway, disabling brute force protection and flushing the corresponding table solved the problem for the moment.

Server configuration

Please ask, but it doesn't seem to be relevant here.
Nextcloud v 14.0.3

**Signing status:** No errors have been found.

List of activated apps:

Enabled:
  • accessibility: 1.0.1
  • activity: 2.7.0
  • admin_audit: 1.4.0
  • bruteforcesettings: 1.1.0
  • calendar: 1.6.3
  • cloud_federation_api: 0.0.1
  • comments: 1.4.0
  • contacts: 2.1.6
  • dav: 1.6.0
  • federatedfilesharing: 1.4.0
  • federation: 1.4.0
  • files: 1.9.0
  • files_pdfviewer: 1.3.2
  • files_sharing: 1.6.2
  • files_texteditor: 2.6.0
  • files_trashbin: 1.4.1
  • files_versions: 1.7.1
  • files_videoplayer: 1.3.0
  • firstrunwizard: 2.3.0
  • gallery: 18.1.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.2.0
  • mail: 0.11.0
  • nextcloud_announcements: 1.3.0
  • notifications: 2.2.1
  • oauth2: 1.2.1
  • ownpad: 0.6.8
  • password_policy: 1.4.0
  • provisioning_api: 1.4.0
  • serverinfo: 1.4.0
  • sharebymail: 1.4.0
  • socialsharing_email: 1.0.4
  • support: 1.0.0
  • survey_client: 1.2.0
  • systemtags: 1.4.0
  • theming: 1.5.0
  • twofactor_backupcodes: 1.3.1
  • updatenotification: 1.4.1
  • user_external: 0.4
  • workflowengine: 1.4.0

Disabled:
  • encryption
  • files_external
  • spreed
  • user_ldap

Nextcloud configuration:

{
  "system": {
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "localhost",
      "nextcloud.liberasys.com",
      "51.15.154.120",
      "mail2.liberasys.com"
    ],
    "auth.bruteforce.protection.enabled": false,
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/nextcloud.liberasys.com",
    "htaccess.RewriteBase": "\/",
    "dbtype": "pgsql",
    "version": "14.0.3.0",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "default_language": "fr",
    "allow_user_to_change_display_name": false,
    "log_type": "syslog",
    "syslog_tag": "Nextcloud",
    "logtimezone": "Europe\/Paris",
    "appcodechecker": true,
    "app.mail.accounts.default": {
      "email": "%USERID%",
      "imapHost": "mail2.liberasys.com",
      "imapPort": 143,
      "imapSslMode": "tls",
      "smtpHost": "mail2.liberasys.com",
      "smtpPort": 587,
      "smtpSslMode": "tls"
    },
    "maintenance": false,
    "theme": "",
    "loglevel": 0
  }
}

Are you using external storage, if yes which one: local/smb/sftp/...
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
no

Client configuration

z-push 2.4.4+0-0
Any iOS, Outlook, Android (ActiveSync client)
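Editor's note, added example (not part of the issue, nor z-push or Nextcloud code): the z-push excerpts above contain two different signals that are easy to lump together as "auth failure". "The CardDAV server returned the http status code 0" means no HTTP response was received at all, and the CalDAV "not authenticated" warning arrives 30 seconds after Combined->Logon started, which is a timeout rather than a prompt 401. Both point at the network path, which is what the reporter eventually found. The script below parses z-push log lines in the format shown, separates transport failures and timeouts from genuine credential rejections, and also checks an address against whitelist entries of the /32 form the reporter used. The sample log lines are constructed (example.org hosts, TEST-NET addresses) and modelled on the excerpts above; the 10 second timeout threshold and the `whitelisted()` helper are assumptions for this example, not settings or code of the bruteforcesettings app.

```python
"""Triage z-push backend failures: network problem or real credential rejection?"""
import ipaddress
import re
from datetime import datetime

# Constructed sample in the z-push log format shown in the issue (not a live capture).
SAMPLE_LOG = """\
07/11/2018 11:21:07 [ 3472] [ERROR] [user@example.org] BackendCardDAV->ChangesSink - Error resyncing vcards: Woops, something's gone wrong! The CardDAV server returned the http status code 0.
07/11/2018 11:24:19 [22949] [DEBUG] [test3@example.org] Combined->Logon('test3@example.org', '',***))
07/11/2018 11:24:19 [22949] [DEBUG] [test3@example.org] BackendIMAP->Logon(): User 'test3@example.org' is authenticated on '{mail.example.org:143/imap/tls/norsh}'
07/11/2018 11:24:49 [22949] [WARN] [test3@example.org] BackendCalDAV->Logon(): User 'test3@example.org' is not authenticated on CalDAV 'https://cloud.example.org:443/remote.php/dav/calendars/test3@example.org/'
07/11/2018 11:24:49 [22949] [WARN] [test3@example.org] IP: 192.0.2.55 failed to authenticate user 'test3@example.org'
07/11/2018 11:30:02 [23011] [DEBUG] [bob@example.org] Combined->Logon('bob@example.org', '',***))
07/11/2018 11:30:02 [23011] [WARN] [bob@example.org] BackendCalDAV->Logon(): User 'bob@example.org' is not authenticated on CalDAV 'https://cloud.example.org:443/remote.php/dav/calendars/bob@example.org/'
"""

# "07/11/2018 11:24:19 [22949] [ INFO] [user] message" -- note the padded pid and level fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\[\s*(?P<pid>\d+)\] \[\s*(?P<level>[A-Z]+)\] \[(?P<user>[^\]]*)\] (?P<msg>.*)$"
)

# Assumption for this example: a backend that takes this long to say "not authenticated"
# did not reject a password, it hit a timeout. Tune to your backend's HTTP timeout.
TIMEOUT_SECONDS = 10


def parse(log_text):
    """Yield one dict per recognised log line; unparseable lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        events.append(ev)
    return events


def triage(log_text):
    """Classify each failure as transport, auth_timeout or auth_rejected."""
    findings = []
    logon_started = {}  # pid -> time Combined->Logon began
    for ev in parse(log_text):
        pid, msg = ev["pid"], ev["msg"]
        if "returned the http status code 0" in msg:
            # Status 0 is not an HTTP status: the client never got a response.
            findings.append({"pid": pid, "user": ev["user"], "kind": "transport", "elapsed": None,
                             "detail": "no HTTP response (status 0): check the network path, not the password"})
        elif msg.startswith("Combined->Logon("):
            logon_started[pid] = ev["ts"]
        elif "is not authenticated on" in msg:
            backend = msg.split("->", 1)[0]
            started = logon_started.get(pid)
            elapsed = (ev["ts"] - started).total_seconds() if started else None
            if elapsed is not None and elapsed >= TIMEOUT_SECONDS:
                kind = "auth_timeout"
                detail = f"{backend} answered after {elapsed:.0f}s: looks like a timeout, not a rejected credential"
            else:
                kind = "auth_rejected"
                detail = f"{backend} rejected the credential promptly: real auth failure, expect a bruteforce entry"
            findings.append({"pid": pid, "user": ev["user"], "kind": kind, "elapsed": elapsed, "detail": detail})
    return findings


def whitelisted(ip, entries):
    """True if ip falls inside any entry (CIDR like '203.0.113.10/32', or a bare address)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f['pid']} {f['user']}: {f['kind']} - {f['detail']}")
    # Hypothetical whitelist entry for the z-push host, in the /32 form the reporter used.
    print("z-push host whitelisted:", whitelisted("203.0.113.10", ["203.0.113.10/32"]))
```

Running it reports the 3472 CardDAV error as a transport failure and the 22949 CalDAV warning as a 30 second timeout, while the constructed bob@example.org entry (rejected within the same second) is the only one that should legitimately land in Nextcloud's bruteforce table. Two practical caveats: the IP you whitelist must be the source address Nextcloud actually sees for z-push's requests (behind a reverse proxy that means configuring `trusted_proxies` so the real client address is used), and the `from=` address in z-push's own log is the mobile client's, not the address Nextcloud records.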

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #3971 (Brute Force), #703 (brute force protection - whitelist (proxy server for example)), #437 (brute force protection for Nextcloud APIs), #3338 (Device-specific logins lead to brute force ban), and #478 (Consider brute-force protection on the Server-to-Server Sharing Endpoint).

@Liberasys
Author

Nextcloud was probably not the cause after all.
The problem has been localised to the firewall between the two servers (point-to-point public IPs, ICMP redirect, asymmetrical routes).
I am closing the report for the moment.
I will do some new tests for brute force once the firewall problem resolution is confirmed.

@Liberasys
Author

I confirm the problem was not in Nextcloud but in my network infrastructure.
Sorry for the false issue :-)
BR
