[Bug]: Bruteforce protection seems partially broken #52480

Open
6 of 8 tasks
Io-Qo opened this issue Apr 26, 2025 · 0 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 31-feedback bug

Comments

Io-Qo commented Apr 26, 2025

⚠️ This issue respects the following points: ⚠️

Bug description

For a few weeks I have been facing a very big problem: I have a few copiers that scan documents as PDFs from the machine directly into my Nextcloud via WebDAV. This has been working flawlessly for years now. Suddenly, most of the time (but not always) the scan fails because the machine cannot authenticate and the file cannot be uploaded (however a 0 KB file is created anyway). When this problem first occurred, I don't think I had made updates near that timeframe; the copier certainly had no configuration changes at all. When I first encountered the problem I was still on Nextcloud 30.*, but I then upgraded to the most recent version without the problem going away. So this might be Talk app related, but I don't know for sure.

Upon investigating this problem I have found:

  • Nextcloud logs show bruteforce protection kicking in for no apparent reason, mostly for the action "talkRoomToken" (so this might be a Talk issue, but I don't know for certain; that's my best guess for now. I posted this here because I'm uncertain and bruteforce protection is part of the server)
  • bruteforce protection kicks in for various clients on various different machines from various different IP addresses (including my admin computer, which I know for certain is properly configured) and even for test clients that I specifically set up behind a VPN, so I know for certain everything is fine with these clients
  • this is not a credentials issue, I have changed and tested new accounts on the copier machines with no success and also the same credentials sometimes work, sometimes don't
  • furthermore, the credentials of the failing copier work fine when using them in a different client (i.e. WinSCP) from the same ip address
  • other clients do not seem to be affected (though most other clients use a SSO to authenticate)

I have been trying to find the root cause of this issue for two weeks now and cannot make any sense of it other than that the bruteforce protection is somehow broken and thus prevents the copiers from authenticating properly (due to the delay). Note again that sometimes the copiers can authenticate and upload files, sometimes they can't.

I cannot make sense of the log files, as I can't figure out why the bruteforce protection is being triggered. In any case I would greatly appreciate any hints on how to debug this issue further.

Since in my organisation document scanning is a crucial task, this is a big problem. I have worked on workarounds but WebDAV uploads allow me to use flow and auto-tagging which I depend on.

Steps to reproduce

Expected behavior

File uploading working as before. Bruteforce protection isn't triggered for no apparent reason.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***",
            "***",
            "***",
            "***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.4.1",
        "overwrite.cli.url": "***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0
        },
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "***",
            "***"
        ],
        "twofactor_enforced_excluded_groups": [
            "***",
            "***",
            "***",
            "***"
        ],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "maintenance": false,
        "default_language": "de",
        "default_locale": "de_DE",
        "theme": "",
        "loglevel": 1,
        "default_phone_region": "DE",
        "app_install_overwrite": {
            "1": "flow_notifications",
            "2": "twofactor_admin",
            "3": "webhooks"
        },
        "defaultapp": "dashboard",
        "session_lifetime": 86400,
        "remember_login_cookie_lifetime": 1296000,
        "auto_logout": false,
        "session_keepalive": true,
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\PDF",
            "OC\\Preview\\Image",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\SVG",
            "OC\\Preview\\Font",
            "OC\\Preview\\MP3",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI"
        ],
        "preview_max_memory": 1024,
        "preview_max_x": 1024,
        "preview_max_y": 1024,
        "preview_max_filesize_image": 200,
        "trashbin_retention_obligation": "30,60",
        "onlyoffice": {
            "verify_peer_off": true,
            "jwt_header": "AuthorizationJwt"
        },
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "htaccess.RewriteBase": "\/",
        "allow_user_to_change_display_name": false,
        "lost_password_link": "disabled",
        "oidc_login_provider_url": "***",
        "oidc_login_client_id": "***",
        "oidc_login_client_secret": "***",
        "oidc_login_auto_redirect": false,
        "oidc_login_end_session_redirect": false,
        "oidc_login_button_text": "***",
        "oidc_login_hide_password_form": false,
        "oidc_login_use_id_token": true,
        "oidc_login_attributes": {
            "id": "preferred_username",
            "name": "name",
            "mail": "email",
            "groups": "groups"
        },
        "oidc_login_default_group": "oidc",
        "oidc_login_use_external_storage": false,
        "oidc_login_scope": "openid profile email groups",
        "oidc_login_proxy_ldap": false,
        "oidc_login_disable_registration": true,
        "oidc_login_redir_fallback": false,
        "oidc_login_alt_login_page": "assets\/login.php",
        "oidc_login_tls_verify": true,
        "oidc_create_groups": false,
        "oidc_login_webdav_enabled": false,
        "oidc_login_password_authentication": false,
        "oidc_login_public_key_caching_time": 86400,
        "oidc_login_min_time_between_jwks_requests": 10,
        "oidc_login_well_known_caching_time": 86400,
        "oidc_login_update_avatar": false,
        "auth.webauthn.enabled": false,
        "updater.release.channel": "stable",
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 4.0.0
  - announcementcenter: 7.1.0
  - app_api: 5.0.2
  - approval: 2.2.0
  - bookmarks: 15.1.0
  - bruteforcesettings: 4.0.0
  - calendar: 5.2.2
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.0.6
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.0
  - federatedfilesharing: 1.21.0
  - files: 2.3.1
  - files_accesscontrol: 2.0.0
  - files_antivirus: 6.0.0
  - files_automatedtagging: 2.0.0
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_retention: 2.0.1
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - flow_notifications: 2.0.0
  - fulltextsearch_elasticsearch: 31.0.0
  - groupfolders: 19.0.4
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - oidc_login: 3.2.2
  - password_policy: 3.0.0
  - passwords: 2025.4.10
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - related_resources: 2.0.0
  - richdocuments: 8.6.4
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.0.3
  - support: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - theming_customcss: 1.18.0
  - twofactor_admin: 4.8.0
  - twofactor_backupcodes: 1.20.0
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - twofactor_webauthn: 2.1.0
  - updatenotification: 1.21.0
  - user_saml: 6.5.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflow_pdf_converter: 2.0.0
  - workflow_script: 2.0.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - circles: 31.0.0 (installed 27.0.1)
  - encryption: 2.19.0
  - federation: 1.21.0 (installed 1.17.0)
  - firstrunwizard: 4.0.0 (installed 2.12.0)
  - fulltextsearch: 31.0.0 (installed 31.0.0)
  - mail: 4.3.6 (installed 4.3.6)
  - photos: 4.0.0-dev.1 (installed 2.0.1)
  - polls: 7.4.2 (installed 7.4.2)
  - recommendations: 4.0.0 (installed 1.6.0)
  - serverinfo: 3.0.0 (installed 1.17.0)
  - survey_client: 3.0.0 (installed 1.15.0)
  - suspicious_login: 9.0.1
  - user_ldap: 1.22.0
  - webhooks: 0.4.3 (installed 0.4.3)
  - welcome: 1.2.1 (installed 1.2.1)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"VdjhHbQyN6vWCia0dhCU","level":1,"time":"2025-04-26T11:43:34+00:00","remoteAddr":"***","user":false,"app":"no app in context","method":"GET","url":"/index.php/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: ***]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0","version":"31.0.4.1","data":[],"id":"680ceb9875453"}

{"reqId":"D3YiyAVY5btLkevpQ5Qf","level":1,"time":"2025-04-25T15:47:06+00:00","remoteAddr":"***","user":false,"app":"no app in context","method":"PUT","url":"/remote.php/dav/files/***.pdf","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 400, ip: ***]","userAgent":"UniversalSend_Unicode_WebDAV/1.0","version":"31.0.4.1","data":[],"id":"680ceb988553a"}

Additional info

Example from the apache log:
:443 *** - - [26/Apr/2025:13:13:30 +0200] "PUT /remote.php/dav/files/.pdf HTTP/1.1" 401 4602 "-" "UniversalSend_Unicode_WebDAV/1.0"
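Added example (not from the reporter or the Nextcloud project): a small Python script that pulls the throttling entries out of Nextcloud's JSON log and the 401 responses out of the Apache access log, then groups them by IP address, action and user agent and measures how many throttle entries one client accumulates inside the 30-minute window the log message refers to. All log lines in it are constructed to mirror the format of the entries above; the addresses (documentation range 203.0.113.0/24), paths, request ids and timestamps are placeholders. Running the same summary over the real nextcloud.log and access log shows which action is accumulating attempts for a given client, whether the delay is still escalating, and whether the 401s on the WebDAV PUTs line up with those throttle entries, which is what has to be established before deciding whether a client is really failing authentication or merely shares an address with something that is.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data modelled on the log format in the report above.
# Addresses are from the documentation range 203.0.113.0/24; paths and ids are placeholders.
SAMPLE_NEXTCLOUD_LOG = """\
{"reqId":"req1","level":1,"time":"2025-04-25T15:47:06+00:00","remoteAddr":"203.0.113.10","user":false,"app":"no app in context","method":"PUT","url":"/remote.php/dav/files/scan/doc1.pdf","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 400, ip: 203.0.113.10]","userAgent":"UniversalSend_Unicode_WebDAV/1.0","version":"31.0.4.1","data":[],"id":"1"}
{"reqId":"req2","level":1,"time":"2025-04-25T15:52:10+00:00","remoteAddr":"203.0.113.10","user":false,"app":"no app in context","method":"PUT","url":"/remote.php/dav/files/scan/doc2.pdf","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 800, ip: 203.0.113.10]","userAgent":"UniversalSend_Unicode_WebDAV/1.0","version":"31.0.4.1","data":[],"id":"2"}
{"reqId":"req3","level":1,"time":"2025-04-26T11:43:34+00:00","remoteAddr":"203.0.113.20","user":false,"app":"no app in context","method":"GET","url":"/index.php/apps/spreed/","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: talkRoomToken, delay: 200, ip: 203.0.113.20]","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","version":"31.0.4.1","data":[],"id":"3"}
{"reqId":"req4","level":2,"time":"2025-04-26T11:44:00+00:00","remoteAddr":"203.0.113.20","user":"alice","app":"core","method":"GET","url":"/index.php/apps/files/","message":"Some unrelated warning","userAgent":"Mozilla/5.0","version":"31.0.4.1","data":[],"id":"4"}
"""

SAMPLE_APACHE_LOG = """\
:443 203.0.113.10 - - [25/Apr/2025:17:47:05 +0200] "PUT /remote.php/dav/files/scan/doc1.pdf HTTP/1.1" 401 4602 "-" "UniversalSend_Unicode_WebDAV/1.0"
:443 203.0.113.10 - - [25/Apr/2025:17:52:09 +0200] "PUT /remote.php/dav/files/scan/doc2.pdf HTTP/1.1" 401 4602 "-" "UniversalSend_Unicode_WebDAV/1.0"
:443 203.0.113.30 - - [25/Apr/2025:17:53:00 +0200] "PUT /remote.php/dav/files/scan/doc3.pdf HTTP/1.1" 201 0 "-" "UniversalSend_Unicode_WebDAV/1.0"
"""

# The bracketed tail of the throttle message carries the three values worth keying on.
THROTTLE_RE = re.compile(r"\[action: (?P<action>\w+), delay: (?P<delay>\d+), ip: (?P<ip>[^\]]+)\]")
# Combined log format with an optional leading vhost/port field (":443 " in the report).
APACHE_RE = re.compile(
    r'^(?:\S+ )?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_throttle_events(text):
    """Return the throttle entries from Nextcloud's JSON log as dicts; other entries are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a wrapped or truncated entry; skip rather than abort
        m = THROTTLE_RE.search(rec.get("message", ""))
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "action": m.group("action"),
            "delay_ms": int(m.group("delay")),
            "ip": m.group("ip"),
            "method": rec.get("method"),
            "url": rec.get("url"),
            "user_agent": rec.get("userAgent") or "",
        })
    return events


def summarize_throttling(events):
    """Group throttle entries by (ip, action): count, highest delay seen, user agents and URLs."""
    summary = {}
    for ev in events:
        key = (ev["ip"], ev["action"])
        s = summary.setdefault(key, {"count": 0, "max_delay_ms": 0, "user_agents": set(), "urls": set()})
        s["count"] += 1
        s["max_delay_ms"] = max(s["max_delay_ms"], ev["delay_ms"])
        s["user_agents"].add(ev["user_agent"])
        s["urls"].add(ev["url"])
    return summary


def peak_per_window(events, window=timedelta(minutes=30)):
    """Most throttle entries for one (ip, action) inside any sliding window.

    The log message counts attempts over 30 minutes, so a peak well above one
    means the client keeps retrying while it is already being throttled."""
    times = defaultdict(list)
    for ev in events:
        times[(ev["ip"], ev["action"])].append(ev["time"])
    peaks = {}
    for key, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def failed_auth_from_apache(text):
    """Count 401 responses per (ip, user agent, method) in an Apache access log."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = APACHE_RE.match(line.strip())
        if m and m.group("status") == "401":
            counts[(m.group("ip"), m.group("ua"), m.group("method"))] += 1
    return dict(counts)


def report(nc_log, apache_log):
    """One line per throttled (ip, action) and per (ip, agent, method) that collected 401s."""
    events = parse_throttle_events(nc_log)
    lines = []
    for (ip, action), s in sorted(summarize_throttling(events).items()):
        lines.append(f"{ip} action={action} entries={s['count']} max_delay={s['max_delay_ms']}ms "
                     f"agents={sorted(s['user_agents'])}")
    for (ip, ua, method), n in sorted(failed_auth_from_apache(apache_log).items()):
        lines.append(f"{ip} {method} 401s={n} agent={ua}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NEXTCLOUD_LOG, SAMPLE_APACHE_LOG)))
```

Point `report()` at the contents of the real nextcloud.log and Apache access log (both read as text) instead of the constructed samples. A client that appears under the `login` action with a rising delay and matching 401s on its PUTs is being counted as a failed authentication on every upload attempt; an address that appears under an action it never calls itself (a copier under `talkRoomToken`, say) points at another client behind the same address, or at a proxy that collapses several clients onto one, and that is what the grouping is meant to make visible.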

@Io-Qo Io-Qo added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 26, 2025