{"id":15051251,"url":"https://github.com/nextcloud/suspicious_login","last_synced_at":"2025-04-05T11:07:43.895Z","repository":{"id":34556855,"uuid":"159320980","full_name":"nextcloud/suspicious_login","owner":"nextcloud","description":"Detect and warn about suspicious IPs logging into Nextcloud","archived":false,"fork":false,"pushed_at":"2025-03-23T03:39:26.000Z","size":6624,"stargazers_count":90,"open_issues_count":39,"forks_count":27,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-29T10:05:27.194Z","etag":null,"topics":["deep-learning","intrusion-detection","machine-learning","nextcloud-app","privacy","security"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nextcloud.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-27T10:54:58.000Z","updated_at":"2025-03-16T01:48:41.000Z","dependencies_parsed_at":"2024-01-16T16:27:27.313Z","dependency_job_id":"566fd03d-5cd7-486e-b07a-4cb685c014a5","html_url":"https://github.com/nextcloud/suspicious_login","commit_stats":{"total_commits":773,"total_committers":27,"mean_commits":28.62962962962963,"dds":0.7102199223803364,"last_synced_commit":"bcd4cf647420a50991384896a82c35678b74b1fd"},"previous_names":[],"tags_count":294,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fsuspicious_login","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fsuspicious_login/t
ags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fsuspicious_login/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fsuspicious_login/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nextcloud","download_url":"https://codeload.github.com/nextcloud/suspicious_login/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247325693,"owners_count":20920714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deep-learning","intrusion-detection","machine-learning","nextcloud-app","privacy","security"],"created_at":"2024-09-24T21:32:19.910Z","updated_at":"2025-04-05T11:07:43.861Z","avatar_url":"https://github.com/nextcloud.png","language":"PHP","readme":"\u003c!--\n  - SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors\n  - SPDX-License-Identifier: AGPL-3.0-or-later\n--\u003e\n# 🔮 Nextcloud Suspicious Login Detection\n\n[![REUSE status](https://api.reuse.software/badge/github.com/nextcloud/suspicious_login)](https://api.reuse.software/info/github.com/nextcloud/suspicious_login)\n![Downloads](https://img.shields.io/github/downloads/nextcloud/suspicious_login/total.svg)\n[![Build Status](https://travis-ci.com/nextcloud/suspicious_login.svg?branch=master)](https://travis-ci.com/nextcloud/suspicious_login)\n[![Dependabot Status](https://api.dependabot.com/badges/status?host=github\u0026repo=nextcloud/suspicious_login)](https://dependabot.com)\n\nDetect and warn about suspicious IPs logging into 
Nextcloud\n\nThe app is still under development, so it’s time for you to [get involved! 👩‍💻](https://github.com/nextcloud/suspicious_login#development-setup)\n\n## Installation\n\n### Nextcloud 25 and newer\n\nThe app is [shipped](https://docs.nextcloud.com/server/latest/developer_manual/app_publishing_maintenance/release_process.html#shipped-apps) and comes with the installation of Nextcloud Server. No additional steps are necessary.\n\n### Nextcloud 24 and older\n\nOld versions of this app remain available through the [app store](https://apps.nextcloud.com/apps/suspicious_login). They can be [installed through Nextcloud's app management UI](https://docs.nextcloud.com/server/latest/admin_manual/apps_management.html#managing-apps). \n\n\u003e [!NOTE]\n\u003e Newer versions of the app are not included in the app store since it is now a shipped app.\n\n## Releases and CHANGELOGs\n\nAs a shipped app:\n\n- changes are posted within the [Nextcloud Server changelog](https://nextcloud.com/changelog/).\n- releases are **not** posted in this GitHub repository, but they are [tagged](https://github.com/nextcloud/suspicious_login/tags) for code perusal.\n- it is automatically kept up-to-date with each Nextcloud Server release.\n\n## How it works\n\n### Data collection\n\nOnce this app is enabled, it will automatically start tracking (IP, uid) tuples from\nsuccessful logins on the instance and feed them into the `login_address` table. This\ninsert operation is executed for the majority of requests (clients authenticate on\nalmost all requests) and therefore has to be fast. In a background job, these rows\nwill be transformed into an aggregated format that is suitable for the training of\nthe neural net. The (IP, uid) tuple becomes (IP, uid, first_seen, last_seen, seen) so\nthat we know when each (IP, uid) tuple was first and last seen. The aggregated data\nis a compressed format of the raw data. 
The original data gets deleted and thus the\ndatabase does not need much space for the collected login data.\n\n### Neural net\n\nWhen enough data is collected – which by default is 60 days (!) – a first\ntraining run can be started.\n\nThe app registers a background job that invokes the training once a day.\nAs long as there isn't sufficient data, no trained model is generated.\n\n#### Manual training\n\nThe training can also be invoked via the OCC command line tool:\n\n```bash\nphp -f occ suspiciouslogin:train\n```\n\nThis command uses several sensible defaults that should work for instances of any size.\nThe ``--stats`` flag is useful to see the measured performance of the trained model\nafter the training finishes. The duration of the training run depends on the size\nof the input training set, but is usually between two and 15 minutes.\n\nThe full list of parameters, their description and default values can be seen with\n\n```bash\nphp -f occ suspiciouslogin:train --help\n```\n\n### Hyper parameter optimization (optional)\n\nTo find the best possible parameters for the training it's possible to start a *hyper\nparameter optimization* run via the CLI:\n\n```bash\nphp -f occ suspiciouslogin:optimize\n```\n\nThis command uses the heuristic *simulated annealing* algorithm to find optimal\nparameter sets in the multidimensional parameter space. By default this will do **100**\nsteps consisting of five training runs per step, hence this command might take a few\ndays to execute on large instances. On smaller ones it will also take a few hours.\n\n\n### Login classification\n\nAs soon as the first model is trained, the app will start classifying (IP, uid) tuples\non login. In contrast to the data collection it won't consider requests authenticated\nvia an app password as suspicious. 
Should it detect a password login where the (IP,\nuid) is classified as suspicious by the trained model, it will add an entry to the\n``suspicious_login`` table, including the timestamp, request id and URL.\n\n## Configuration\n\nBy default notifications about suspicious logins contain a link (button) to look up more info about the noted IP address (geography, ISP). This link can be disabled if it isn't desired:\n\n`occ config:app:set --value 0 suspicious_login show_more_info_button`\n\n## Development setup\n\n1. ☁ Clone the app into the `apps` folder of your Nextcloud: `git clone https://github.com/nextcloud/suspicious_login.git`\n2. 💻 Run `npm i` or `krankerl up` to install the dependencies\n3. 🏗 To build the JavaScript whenever you make changes, run `npm run dev`\n4. ☁ Enable the app through the app management of your Nextcloud or run `krankerl enable`\n5. 👍 Partytime! Help fix [some issues](https://github.com/nextcloud/suspicious_login/issues) and [review pull requests](https://github.com/nextcloud/suspicious_login/pulls)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextcloud%2Fsuspicious_login","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnextcloud%2Fsuspicious_login","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextcloud%2Fsuspicious_login/lists"}