Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the ninja-forms domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the simple-custom-post-order domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-mail-logging domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the health-check domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the updraftplus domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the rocket domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114 Security in Nextcloud 12: Bruteforce Protection and Rate Limiting for developers - NextcloudSkip to main content
Security is the biggest strength of Nextcloud and the new release continues our track record of introducing new, innovative technologies to protect Nextcloud servers. In Nextcloud 12, a number of improvements for Bruteforce Protection were made and we introduced Rate Limiting as an option for app developers to make it harder to spam users on Nextcloud servers. This article will explain these new protections and help developers who work on Nextcloud apps to support them in their applications.
New in Nextcloud 12 is Rate Limiting. Rate Limiting can help protect servers from getting overloaded by broken apps and from users downloading too much data too quickly.
Improved: Brute Force Protection for apps
Brute Force Protection is meant to protect Nextcloud servers from attempts to guess user passwords in various ways. Besides the obvious « let’s try a big list of commonly used passwords » attack, it also makes it harder to use slightly more sophisticated attacks via the reset password form or trying to find app password tokens.
If triggered, brute force protection makes requests coming from an IP on a bruteforce protected controller with the same action slower and slower for a 24 hour period. The slow-down is up to 1 minute, slowly ramping up with increasing numbers of retries. One minute might not be much but slowing down retries from hundreds of times per second to 60 per hour effectively negates the danger of most brute force attempts. Triggers to the Brute Force Protection mechanism are stored in the database and result in a log entry so the admin can keep an eye on attempts at break in through brute force attacks.
Bruteforce protection can now be used by controllers of any app in a very easy way by adding an Annotation on a controller. @BruteForceProtection(action=string)
string is the name of the action. Such as login or reset. Brute-force attempts are on a per-action basis; this means if a violation for the login action is triggered, other actions such as reset or foobar are not affected.
The throttle() method has to be called on the response in case of a violation. Doing so will increase the throttle counter and make following requests slower.
Rate Limiting is a new security capability in Nextcloud 12. It allows a developer to specify how often an IP range or a user may send a request in a specific time period. This can be useful for expensive API calls, to prevent users from accessing too much data in a smaller attempt of time or harden bruteforce stuff further.
Rate limiting is currently only enabled if a memory cache is configured because every request is logged, requiring a potentially very large amount of database writes. Fallback to database may be added in the future, however the load on the database would be significant.
Like with Brute Force Protection, Rate Limiting can be enabled by adding Annotations to the controller: @UserRateThrottle(limit=int, period=int) The rate limiting that is applied to logged-in users. If not specified Nextcloud will fallback to AnonUserRateThrottle. @AnonRateThrottle(limit=int, period=int) The rate limiting that is applied to guests.
Rate limiting is only applied to the current controller method. So if the rate limit for one method is reached only the controller method will deliver a 429 status code.
As the above pull request shows, Rate Limiting and Brute Force Protection have been applied in the core Nextcloud code. We call on app developers to follow that example and implement these extra protections in their applications, making it even harder for adversaries to break the security of Nextcloud systems!
“When we have welcoming communities of contributors, open source software gets better and more useful to everyone.” Limor Fried, Electrical Engineer, Inventor and Founder of open-source hardware company Adafruit We believe in this ideal and love to work with our community. We are always looking to involve more people in Nextcloud, bringing in their ideas, […]
When cables are cut, sanctions are put in place or privacy legislation prohibits the use of the service your entire organization depends on, what can you do? Amidst geo-political changes, organizations face dependencies on large, centralized communication platforms. A major example of this is the SaaS-only communication platform Microsoft Teams. It is the only solution […]
In Nextcloud Hub 8, we introduced interactive widgets, a completely new mechanic that lets you share, access and interact with items from various apps in a compact widget format throughout your platform.
We save some cookies to count visitors and make the site easier to use. This doesn't leave our server and isn't to track you personally!
See our Privacy Policy for more information. Customize
Statistics cookies collect information anonymously and help us understand how our visitors use our website. We use cloud-hosted Matomo
Matomo
_pk_ses*: Counts the first visit of the user
_pk_id*: Helps not to double count the visits.
mtm_cookie_consent: Remembers that consent for storing and using cookies was given by the user.
_pk_ses*: 30 minutes
_pk_id*: 28 days
mtm_cookie_consent: 30 days