docs(admin): explain bruteforcesettings vs fail2ban relationship

skjnldsv · skjnldsv · commit 192fc109a247 · 2026-05-19T12:39:55.000+02:00
Admins frequently ask whether to use Nextcloud's built-in brute force protection or fail2ban, and whether both are needed. Added a new section to bruteforce_configuration.rst that explains the layer each operates on (application vs OS/network) and why they are complementary rather than mutually exclusive. Also added a missing RST reference label to the fail2ban section in harden_server.rst so it can be cross-referenced. Fixes #11425 Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
diff --git a/admin_manual/configuration_server/bruteforce_configuration.rst b/admin_manual/configuration_server/bruteforce_configuration.rst
@@ -164,3 +164,30 @@ It's possible to exclude IP addresses from the brute force protection.
 
    Any excluded IP address can perform authentication attempts without any throttling.
    It's best to exclude as few IP addresses as you can, or even none at all.
+
+Brute force protection vs fail2ban
+-----------------------------------
+
+Nextcloud's built-in brute force protection and fail2ban are complementary tools that
+operate at different layers of the stack. Using both together is recommended for
+production servers.
+
+**Nextcloud brute force protection** (the ``bruteforcesettings`` app) works at the
+**application layer**. It detects suspicious login patterns and adds progressively
+longer delays to requests from the offending IP address. It has full context about
+Nextcloud-specific endpoints and credentials, and it activates automatically without
+any operating system configuration.
+
+**fail2ban** works at the **OS/network layer**. It watches log files for failed login
+entries and instructs the system firewall (e.g. ``iptables`` or ``nftables``) to
+block the offending IP outright. Blocked requests are dropped before they reach the
+web server, PHP, or the database, saving server resources entirely.
+
+The two approaches are not mutually exclusive:
+
+- Nextcloud brute force protection handles application-level throttling transparently,
+  including for API clients and mobile apps, with no system configuration required.
+- fail2ban reduces server load by blocking repeat offenders at the network level
+  before their requests consume any application resources.
+
+For setup instructions for fail2ban with Nextcloud, see :ref:`setup_fail2ban`.
diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst
@@ -306,6 +306,8 @@ Depending on your server setup, these are the possible connections:
 .. _detailed field list: https://github.com/nextcloud/survey_client
 
 
+.. _setup_fail2ban:
+
 Setup fail2ban
 --------------
 
