skjnldsv 6d0dc3f264 chore: update workflows from templates
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-09-07 15:25:35 +02:00

README.md

🔮 Nextcloud Suspicious Login Detection


Detect and warn about suspicious IPs logging into Nextcloud

The app is still under development, so it's time for you to get involved! 👩‍💻

Installation

Nextcloud 25 and newer

The app is shipped and comes with the installation of Nextcloud Server. No additional steps are necessary.

Nextcloud 24 and older

Old versions of this app remain available through the app store. They can be installed through Nextcloud's app management UI.

Note: Newer versions of the app are not included in the app store since it is now a shipped app.

Releases and CHANGELOGs

As a shipped app:

  • changes are posted within the Nextcloud Server changelog.
  • releases are not posted in this GitHub repository, but they are tagged for code perusal.
  • it is automatically kept up-to-date with each Nextcloud Server release.

How it works

Data collection

Once this app is enabled, it will automatically start tracking (IP, uid) tuples from successful logins on the instance and feed them into the login_address table. This insert operation is executed for the majority of requests (clients authenticate on almost all requests) and therefore has to be fast. In a background job, these rows are transformed into an aggregated format that is suitable for training the neural net. The (IP, uid) tuple becomes (IP, uid, first_seen, last_seen, seen), so that we know when each (IP, uid) tuple was first and last seen and how often. The aggregated data is a compressed form of the raw data: the original rows are deleted afterwards, so the database does not need much space for the collected login data.
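The aggregation step described above, as an added example that is not the app's own code: it folds constructed raw login_address rows into (IP, uid, first_seen, last_seen, seen) entries, merges a later batch into an existing aggregate the way a repeated background job would, and checks the 60-day default before training is allowed. The column layout and the function names are assumptions for this illustration.

```python
from datetime import datetime

# Constructed sample of raw login_address rows: (ip, uid, timestamp of the
# successful login). The layout is assumed for this example.
RAW_LOGINS = [
    ("203.0.113.10", "alice", datetime(2024, 1, 1, 8, 0)),
    ("203.0.113.10", "alice", datetime(2024, 1, 1, 8, 5)),
    ("203.0.113.10", "alice", datetime(2024, 1, 3, 9, 0)),
    ("198.51.100.7", "alice", datetime(2024, 1, 2, 22, 0)),
    ("203.0.113.10", "bob", datetime(2024, 1, 1, 10, 0)),
]
# A second, later batch, as the background job would see it on a later run.
LATER_LOGINS = [("203.0.113.10", "alice", datetime(2024, 3, 15, 8, 0))]


def aggregate(raw_rows, aggregated=None):
    """Fold raw (ip, uid, ts) rows into {(ip, uid): first_seen, last_seen, seen}.

    `aggregated` is the result of a previous run; its entries are merged
    (min first_seen, max last_seen, summed seen) rather than replaced.
    The caller may delete the raw rows once this returns.
    """
    agg = {key: dict(entry) for key, entry in (aggregated or {}).items()}
    for ip, uid, ts in raw_rows:
        entry = agg.get((ip, uid))
        if entry is None:
            agg[(ip, uid)] = {"first_seen": ts, "last_seen": ts, "seen": 1}
        else:
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["seen"] += 1
    return agg


def collected_days(aggregated):
    """Whole days between the oldest first_seen and the newest last_seen."""
    if not aggregated:
        return 0
    oldest = min(e["first_seen"] for e in aggregated.values())
    newest = max(e["last_seen"] for e in aggregated.values())
    return (newest - oldest).days


def enough_data(aggregated, min_days=60):
    """Training is skipped until the collected span reaches min_days (60 by default)."""
    return collected_days(aggregated) >= min_days


if __name__ == "__main__":
    agg = aggregate(RAW_LOGINS)  # 5 raw rows become 3 aggregated tuples
    for (ip, uid), e in sorted(agg.items()):
        print(ip, uid, e["first_seen"], e["last_seen"], e["seen"])
    print("enough data for training:", enough_data(aggregate(LATER_LOGINS, agg)))
```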

Neural net

When enough data is collected – which by default is 60 days (!) – a first training run can be started.

The app registers a background job that invokes the training once a day. As long as there isn't sufficient data, no trained model is generated.

Manual training

The training can also be invoked via the OCC command line tool:

php -f occ suspiciouslogin:train

This command uses several sensible defaults that should work for instances of any size. The --stats flag is useful to see the measured performance of the trained model after the training finishes. The duration of the training run depends on the size of the input training set, but is usually between two and 15 minutes.

The full list of parameters, their description and default values can be seen with

php -f occ suspiciouslogin:train --help

Hyper parameter optimization (optional)

To find the best possible parameters for the training it's possible to start a hyper parameter optimization run via the CLI:

php -f occ suspiciouslogin:optimize

This command uses the heuristic simulated annealing algorithm to find optimal parameter sets in the multidimensional parameter space. By default this will do 100 steps consisting of five training runs per step, hence this command might take a few days to execute on large instances. On smaller ones it will also take a few hours.

Login classification

As soon as the first model is trained, the app will start classifying (IP, uid) tuples on login. In contrast to the data collection it won't consider requests authenticated via an app password as suspicious. Should it detect a password login where the (IP, uid) is classified as suspicious by the trained model, it will add an entry to the suspicious_login table, including the timestamp, request id and URL.

Configuration

By default notifications about suspicious logins contain a link (button) to lookup more info about the noted IP address (geography, ISP). This link can be disabled if it isn't desired:

occ config:app:set --value 0 suspicious_login show_more_info_button

Development setup

  1. ☁ Clone the app into the apps folder of your Nextcloud: git clone https://github.com/nextcloud/suspicious_login.git
  2. 💻 Run npm i or krankerl up to install the dependencies
  3. 🏗 To build the JavaScript whenever you make changes, run npm run dev
  4. ☁ Enable the app through the app management of your Nextcloud or run krankerl enable
  5. 👍 Partytime! Help fix some issues and review pull requests