Note: I post on Devel list since it seems that my previous post on Users was not the right spot ...

1. The context
**************

I use owncloud 7 on my own server. I use the OwnCloud sync app on Windows and Linux desktop clients. I also have CalDAV/CardDAV access (Davdroid on Android, Lightning+Sogo Connector on Linux/Windows).

And I want to manage brute force attacks on these different access types (CardDAV, owncloud sync engine, API). Currently, I use Fail2ban for this need, checking failures in OwnCloud logs.

How-to: http://www.rojtberg.net/711/secure-owncloud-server/

2. My question
**************

Q: Do *all* different access types (API, owncloud sync engine, CardDAV etc.) provide login failures in the *same* log file using the *same* format?

Disclaimer: with my own tests, I am not totally sure to test all cases due to my lack of understanding about OC authentication mechanisms for all types of access: API, CardDAV, sync etc. So if an OC developer may confirm this assertion (or not), it would be very valuable imho.

3. Side effect on release management and changelog content
**********************************************************

I have already read this about the change of the log message format and it seems to have only one type of log.

https://github.com/owncloud/core/pull/10442

* Advice for future release management:

The 7.0.2 changelog was not very clear about the change despite the mention in this PR. These are the 2 lines mentioning "log" items in the 7.0.2 changelog (http://owncloud.org/changelog/):

. Log failed authentication
. Remove confusing 'automatic logon rejected' message

Imho, the OC release manager should be clearer in the changelog than this 0.7.2 changelog for that kind of evolution of the log format. For my part, I noticed this change by pure chance in September. I really think there are currently out in the wild a lot of Fail2ban installations that do not filter bruteforce anymore for OC :/

Maybe an official page in the OC documentation giving/maintaining the Fail2ban regex with the corresponding OC version?

Thank you very much for the reading and even more for an answer :)

Christophe
