@@ -91,8 +91,11 @@ addresses and ranges to exempt from brute force protection.
9191Additional enhancements may be made in the future, within this app and/or in combination with Nextcloud Server for
9292additional monitoring or behavior adjustments related to brute force protection.
9393
94- .. warning :: Disabling the ``bruteforcesettings`` app does **not** disable brute force protection
95- - it merely removes your ability to adjust brute force related settings from the Web interface.
94+ .. warning ::
95+
96+ Disabling the ``bruteforcesettings `` app does **not ** disable brute force protection.
97+ The protection is built into Nextcloud Server core and is always active. Disabling the app
98+ only removes the ability to manage brute force settings from the Web interface.
9699
97100.. danger ::
98101
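Review bot: The new warning body at lines 96-98 of the patched file has whitespace inside its inline markup as shown (``bruteforcesettings `` and **not **), and reStructuredText does not allow a space before the closing backticks or asterisks, so these would render as literal backticks and asterisks rather than as code and bold; the same goes for the space before the double colon in `.. warning ::`, which should be `.. warning::` for the directive to be recognised. The directive body also needs to be indented relative to `.. warning::` for Sphinx to treat it as the warning's content, which is hard to confirm from the rendered view; please check that the three text lines are indented under the directive. Suggested form: `.. warning::`, then an indented paragraph reading "Disabling the ``bruteforcesettings`` app does **not** disable brute force protection."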
@@ -164,3 +167,31 @@ It's possible to exclude IP addresses from the brute force protection.
164167
165168 Any excluded IP address can perform authentication attempts without any throttling.
166169 It's best to exclude as few IP addresses as you can, or even none at all.
170+
171+ Brute force protection vs fail2ban
172+ -----------------------------------
173+
174+ Nextcloud's built-in brute force protection and fail2ban are complementary tools that
175+ operate at different layers of the stack. Using both together is recommended for
176+ production servers.
177+
178+ **Nextcloud brute force protection ** is built into Nextcloud Server itself (the
179+ ``bruteforcesettings `` app provides the admin UI and exclusion settings, but the
180+ protection runs regardless). It works at the **application layer **: it detects
181+ suspicious login patterns and adds progressively longer delays to requests from the
182+ offending IP address. It has full context about Nextcloud-specific endpoints and
183+ credentials, and it activates automatically without any operating system configuration.
184+
185+ **fail2ban ** works at the **OS/network layer **. It watches log files for failed login
186+ entries and instructs the system firewall (e.g. ``iptables `` or ``nftables ``) to
187+ block the offending IP outright. Blocked requests are dropped before they reach the
188+ web server, PHP, or the database, saving server resources entirely.
189+
190+ The two approaches are not mutually exclusive:
191+
192+ - Nextcloud brute force protection handles application-level throttling transparently,
193+ including for API clients and mobile apps, with no system configuration required.
194+ - fail2ban reduces server load by blocking repeat offenders at the network level
195+ before their requests consume any application resources.
196+
197+ For setup instructions for fail2ban with Nextcloud, see :ref: `setup_fail2ban `.
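Review bot: The cross-reference on the last added line is written as `:ref: `setup_fail2ban ``, with a space between the role and the opening backtick and another before the closing one; Sphinx only resolves the role when it is written as :ref:`setup_fail2ban`, and the build should be checked to confirm that a `setup_fail2ban` label actually exists in the documentation, otherwise this line ends up as plain text or an unresolved-reference warning. The same stray-space problem appears in the bold and literal markup throughout this section (**Nextcloud brute force protection **, ``bruteforcesettings ``, ``iptables ``, ``nftables ``, **application layer **, **OS/network layer **), so each of those should lose the space before its closing marker. On the content: both mechanisms described here act on "the offending IP address", so it would help operators to add a sentence noting that behind a reverse proxy or load balancer the real client address must be forwarded and trusted, since otherwise the throttling and the firewall block apply to the proxy's address instead of the attacker's. The section header underline (35 dashes for a 34-character title) is fine.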