
Issue Fail2Ban - Not Banning IP addresses

mendip_discovery

New Pleskian
I have looked through to see old issues but none of the fixes seem to work.

I am getting a lot of
"WARNING [plesk-wordpress] {NAUGHTY-IP} already banned"

but then that same IP connects again and keeps trying. I have seen a lot of activity for people to keep brute-force attacking a WordPress site. The plesk-wordpress jail is standard. The IP shown below kept going for 4 hrs after the ban.

CentOS Linux 7.8.2003 (Core)
Plesk Obsidian 18.0.27

Jail is
[plesk-wordpress]
enabled = true
filter = plesk-wordpress
action = iptables-multiport[name="plesk-wordpress", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
maxretry = 3

Filter,
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =


Example of my log,
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
 
Have you been able to solve the issue? I am experiencing the same issue for the "plesk-postfix" jail with Plesk Obsidian 18.0.34.2 on Ubuntu 16.04.7 LTS.
 
@theunknownstuntman Could you please provide an excerpt from your /var/log/maillog and the section from /var/log/fail2ban.log where you see that the IP is banned, yet the mailserver is working with it?
 
@Peter Debik I hope this helps. I realize that both Plesk and Fail2Ban v0.10.3.fix1 are quite old...

Fail2ban.log


2023-11-19 06:39:38,159 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:37
2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
2023-11-19 06:39:40,592 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:40

maillog.processed.3.gz

Nov 21 06:39:29 servername postfix/smtpd[7897]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:29 servername postfix/smtpd[3205]: disconnect from unknown[80.94.95.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:30 servername plesk_saslauthd[3396]: No such user 'xxx@xxx.xx' in mail authorization database
Nov 21 06:39:30 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'xxx@xxx.xx' (password len=8)
Nov 21 06:39:30 servername postfix/smtpd[32687]: warning: unknown[109.236.209.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:31 servername postfix/smtpd[32687]: lost connection after AUTH from unknown[109.236.209.0]
Nov 21 06:39:31 servername postfix/smtpd[32687]: disconnect from unknown[109.236.209.0] ehlo=1 auth=0/1 commands=1/2
Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
Nov 21 06:39:33 servername postfix/smtpd[3133]: connect from unknown[221.146.242.0]
Nov 21 06:39:33 servername postfix/smtpd[3205]: warning: hostname 120.hosted-by.bthoster.com does not resolve to address 45.129.14.0
Nov 21 06:39:33 servername postfix/smtpd[3205]: connect from unknown[45.129.14.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 21 06:39:37 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'mis123' (password len=6)
Nov 21 06:39:37 servername postfix/smtpd[3599]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:38 servername plesk_saslauthd[3396]: No such user 'xxx@xxx.xx' in mail authorization database
Nov 21 06:39:38 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'xxx@xxx.xx' (password len=18)
Nov 21 06:39:38 servername postfix/smtpd[3205]: warning: unknown[45.129.14.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:39 servername postfix/smtpd[3205]: disconnect from unknown[45.129.14.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:39 servername postfix/smtpd[3599]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:39 servername postfix/smtpd[3599]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
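The "already banned" pattern in both the plesk-wordpress excerpt and the plesk-postfix excerpt above is the same symptom: the filter keeps matching, so the question is whether the firewall action is actually dropping packets. The script below is an added example written for this thread, not code from Plesk or Fail2Ban. It parses fail2ban.log lines in the format quoted above and reports every IP that is still "Found" after Fail2Ban recorded it as banned, and it checks a Postfix maillog for fresh "connect from" lines for that IP after the ban time. The sample fail2ban.log lines are the ones posted in this thread; the maillog sample adds one constructed line, and the ban timestamp passed in is an assumption for illustration (the two excerpts in the post are from different days).

```python
"""Added example (not posted in this thread): check whether Fail2Ban bans take effect.

Two checks on excerpts like the ones quoted above:
  1. fail2ban.log: an IP that is still "Found" after Fail2Ban reported it
     banned means the filter matches but the firewall action is not blocking.
  2. The service log (Postfix maillog here): only a *new* "connect from" line
     for that IP after the ban time is evidence of an ineffective ban;
     "lost connection" / "disconnect" lines belong to a session that was
     already open when the rule was added and are expected.
"""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban.log line, e.g.
# 2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
F2B_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
FOUND_MSG = re.compile(r"^Found (?P<ip>\S+) - (?P<hit_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
BAN_MSG = re.compile(r"^(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$")
# Postfix maillog "connect from" line, e.g.
# Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
MAIL_CONNECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S*\[(?P<ip>[^\]]+)\]$"
)


def parse_f2b(lines):
    """Yield (time, jail, ip, kind) for each Found / Ban / already-banned line."""
    for line in lines:
        m = F2B_LINE.match(line.strip())
        if not m:
            continue
        jail, msg = m["jail"], m["msg"]
        f = FOUND_MSG.match(msg)
        if f:
            # Use the matched request's own time, not the time Fail2Ban wrote the line.
            yield datetime.strptime(f["hit_ts"], "%Y-%m-%d %H:%M:%S"), jail, f["ip"], "found"
            continue
        b = BAN_MSG.match(msg)
        if b:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), jail, b["ip1"] or b["ip2"], "ban"


def ineffective_bans(lines):
    """Return {(jail, ip): number of filter matches seen after the first ban evidence}.

    A non-zero count means requests from a banned IP still reached the service,
    i.e. the iptables action did not block them.
    """
    first_ban = {}
    hits_after = defaultdict(int)
    for t, jail, ip, kind in parse_f2b(lines):  # logs are chronological
        key = (jail, ip)
        if kind == "ban":
            first_ban.setdefault(key, t)
        elif key in first_ban and t > first_ban[key]:
            hits_after[key] += 1
    return dict(hits_after)


def new_connections_after_ban(maillog_lines, ip, ban_time):
    """Return the maillog 'connect from' lines for `ip` dated after `ban_time`
    ("YYYY-MM-DD HH:MM:SS"). Syslog lines carry no year, so it is taken from ban_time."""
    ban = datetime.strptime(ban_time, "%Y-%m-%d %H:%M:%S")
    after = []
    for line in maillog_lines:
        m = MAIL_CONNECT.match(line.strip())
        if not m or m["ip"] != ip:
            continue
        t = datetime.strptime(f"{ban.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if t > ban:
            after.append(line.strip())
    return after


# Sample input: the fail2ban.log lines quoted in this thread.
WORDPRESS_F2B_LOG = """
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
""".strip().splitlines()
POSTFIX_F2B_LOG = """
2023-11-19 06:39:38,159 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:37
2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
2023-11-19 06:39:40,592 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:40
""".strip().splitlines()
# Sample maillog: three lines from the thread plus one constructed line (06:40:02).
MAILLOG = """
Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
Nov 21 06:39:37 servername postfix/smtpd[3599]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:39 servername postfix/smtpd[3599]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 21 06:40:02 servername postfix/smtpd[28390]: connect from unknown[46.148.40.0]
""".strip().splitlines()
ASSUMED_BAN_TIME = "2023-11-21 06:39:38"  # constructed for the demo, not from the thread

if __name__ == "__main__":
    for name, log in (("plesk-wordpress", WORDPRESS_F2B_LOG), ("plesk-postfix", POSTFIX_F2B_LOG)):
        for (jail, ip), n in ineffective_bans(log).items():
            print(f"{jail}: {ip} matched {n} more time(s) after being banned")
    for line in new_connections_after_ban(MAILLOG, "46.148.40.0", ASSUMED_BAN_TIME):
        print("new connection after ban:", line)
```

Run it against the real files by passing `open("/var/log/fail2ban.log")` and `open("/var/log/maillog")` to the two functions. If it reports hits after the ban, the filter side is fine and the next thing to confirm is the firewall side: `fail2ban-client status <jail>` should list the IP, and the f2b chain for that jail should hold a rule for it.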
 
What's the output of
# iptables --list | grep 46.148.40
?

(Can take a while to execute, that'll be o.k.)
 