Nextcloud 13 - since upgrade from NC12, there are a lot of "Trusted domain errors"

[Githopp192]

Steps to reproduce

1. Nextcloud Log > Trusted Domain Errors
   permanent logging

Expected behaviour

this is more a question; is the current behave of NC13, logging bot-events as trusted domain errors

Actual behaviour

After upgrading from NC 12.0.6 to NC 13.0.2 i recognized, that there are a lot of "Trusted domain errors" into the nextcloud.log

In NC version 12.0.6. many HTTP-Scan/Attacks were reported as HPTT/PHP error into the log with the full details about the origin HTTP-Request .. like -->

xxxxxx- - [20/May/2018:22:51:28 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 4066 "-" "ZmEu"
xxxxx- - [20/May/2018:22:51:28 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"
xxxxx- - [20/May/2018:22:51:28 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"
xxxxx- - [20/May/2018:22:51:28 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"
xxxx- - [20/May/2018:22:51:28 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"
xxxxxx- - [20/May/2018:22:51:29 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 400 4066 "-" "ZmEu"

Now all those attacks will reported as "Trusted domain errors" into the nextcloud.log

Not a bad idea/behave i think .. because it's easier to track all those things into one log and being better prepapred for any attack prevention technique.

The question is more .. is the new behave of NC13 as "to be designed" ?

Server configuration detail

Operating system: Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64

Webserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.16 (apache2handler)

Database: mysql 5.5.56

PHP version: 7.1.16
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, apcu, bcmath, bz2, calendar, ctype, curl, dba, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, redis, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, wddx, xmlreader, xmlwriter, xsl, memcached, zip, Zend OPcache

Nextcloud version: 13.0.2 - 13.0.2.1

Updated from an older Nextcloud/ownCloud or fresh install:

Updatd from NC 12.0.6

Where did you install Nextcloud from: nextcloud.com

Enabled:

• activity: 2.6.1
• admin_notifications: 1.0.1
• announcementcenter: 3.2.1
• apporder: 0.4.1
• bookmarks: 0.11.0
• bruteforcesettings: 1.0.3
• calendar: 1.6.1
• circles: 0.13.6
• comments: 1.3.0
• contacts: 2.1.3
• dav: 1.4.6
• deck: 0.3.1
• federatedfilesharing: 1.3.1
• federation: 1.3.0
• files: 1.8.0
• files_antivirus: 1.2.0
• files_external: 1.4.1
• files_pdfviewer: 1.2.1
• files_rightclick: 0.8.4
• files_sharing: 1.5.0
• files_texteditor: 2.5.1
• files_trashbin: 1.3.0
• files_versions: 1.6.0
• files_videoplayer: 1.2.0
• firstrunwizard: 2.2.1
• gallery: 18.0.0
• impersonate: 1.0.4
• issuetemplate: 0.3.0
• logreader: 2.0.0
• lookup_server_connector: 1.1.0
• mindmaps: 0.1.0
• mood: 0.3.3
• music: 0.6.1
• nextcloud_announcements: 1.2.0
• notes: 2.3.2
• notifications: 2.1.2
• oauth2: 1.1.0
• ownbackup: 17.5.0
• passman: 2.1.4
• password_policy: 1.3.0
• polls: 0.8.1
• provisioning_api: 1.3.0
• quicknotes: 0.1.3
• quota_warning: 1.2.0
• radio: 0.6.1
• rainloop: 5.1.0
• ransomware_protection: 1.1.0
• serverinfo: 1.3.0
• sharebymail: 1.3.0
• sharepoint: 1.1.0
• socialsharing_diaspora: 1.0.2
• socialsharing_email: 1.0.3
• socialsharing_facebook: 1.0.2
• socialsharing_googleplus: 1.0.2
• socialsharing_twitter: 1.0.2
• spreed: 3.2.1
• survey_client: 1.1.0
• systemtags: 1.3.0
• tasks: 0.9.6
• theming: 1.4.1
• twofactor_backupcodes: 1.2.3
• twofactor_totp: 1.4.1
• updatenotification: 1.3.0
• workflowengine: 1.3.0
  Disabled:
• admin_audit
• appvncsafe
• audioplayer
• encryption
• external
• lsd
• ojsxc
• phonetrack
• richdocuments
• spreedme
• user_external
• user_ldap
• weather

{
"memcache.local": "\OC\Memcache\APCu",
"filelocking.enabled": true,
"redis": {
"host": "REMOVED SENSITIVE VALUE",
"port": 0,
"dbindex": 0,
"timeout": 1.5
},
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"xxxx",
"xxxx"
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"overwrite.cli.url": "https://xxxxxxx",
"htaccess.RewriteBase": "/",
"overwriteprotocol": "https",
"dbtype": "mysql",
"version": "13.0.2.1",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"maintenance": false,
"theme": "",
"loglevel": 1,
"updater.release.channel": "production",
"auth.bruteforce.protection.enabled": true,
"check_for_working_htaccess": true,
"data-fingerprint": "xxxxxx",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_smtpsecure": "xxx",
"mail_smtpauth": 1,
"mail_smtpname": "REMOVED SENSITIVE VALUE",
"mail_smtppassword": "REMOVED SENSITIVE VALUE",
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "xxxx",
"session_lifetime": xxxx,
"session_keepalive": false,
"logtimezone": "xxxxx",
"logfile": "/media/log/nextcloud.log",
"knowledgebaseenabled": false
}

</details>

**Are you using external storage, if yes which one:** local/smb/sftp/...

no

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...

no

## Client configuration

**Browser:** Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/52.15.25.665 Chrome/52.0.2743.82 Safari/537.36

**Operating system:** 

Windows 10

[MorrisJobke]

The question is more .. is the new behave of NC13 as "to be designed" ?

That always worked like that. The behavior is designed like that and we don't plan to change it. So I will close this as a "works as expected". The reason for more logs is maybe due to that a scanning service somehow found your instance/IP and thus scans it more often than before.

[Githopp192]

Hey Morris .. i'm very glad yo don't want to change this .. 👍 :-)

I can work perfectly with this (run together with IDS/IPS System) ..

The questions related were more .. in NC 12 i did see also the HTTP/PHP error (Attacks) in the NC-log ..
Now i do not .. (Log-Level on 1 = Info) .. so, may be there is something new, that those messages will not be reported anymore into the NC-Log !? .. (or has this to do maybe something with my settings ? -> config.php .. )?

[MorrisJobke]

The questions related were more .. in NC 12 i did see also the HTTP/PHP error (Attacks) in the NC-log ..
Now i do not .. (Log-Level on 1 = Info) .. so, may be there is something new, that those messages will not be reported anymore into the NC-Log !? .. (or has this to do maybe something with my settings ? -> config.php .. )?

Ah - it could be that we changed the level, because it usually is a client error and an admin can do very little against this and thus it's better to not spam the log.

[Githopp192]

yes .. i think you did change this level of http-messages 👍, i do agree .. good decision not to spam the log with http-errors, better writing "Trusted Domain Error" and the admin could decide for himself to check the http_access.log for futhter information. I did decide to do something against .. this log now is the perfect prereq. for fail2ban. Next stept would be ..going to install some IDS/IPS (pfsense..) appliances.
I don't want, that those ip-packets will reach the web server; of course i'm using https .. & http redirection to https .. but you never know :-)

Thx Morris .. your answer helped me better to understand, what is going on.