How to setup fail2ban for admin attacks?

Lee_Colarelli · Feb 3, 2015

Hi all, I have just looked at the plesk panel log - /usr/local/psa/admin/logs/panel.log - and seen an alarming number of attempts to access plesk using the admin user. i.e.

[2015-02-02 14:53:46] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 50.62.148.176

I have fail2ban installed and set up for other things. Can anybody help me set it up for this? Thank you in advance!

UFHH01 · Feb 3, 2015

Hi Lee_Colarelli,

Plesk's extension fail2ban has a pre-configured jail "plesk-panel" which should monitor the log "/var/log/plesk/panel.log" ( "/usr/local/psa/admin/logs/panel.log" should be a symlink to the mentioned log - file. ), which could be used by you. As well, consider using the "recidive" - jail, for recurring script kiddies. ^^

The pre-configured "plesk-panel" jail could look like this:

Code:

[plesk-panel]

enabled  = false
action   = iptables-multiport[name="plesk-login", port="8880,8443"]
filter   = plesk-panel
logpath  = /var/log/plesk/panel.log
maxretry = 5

Lee_Colarelli · Feb 3, 2015

Brilliant thanks! Never realised!

How to setup fail2ban for admin attacks?

Lee_Colarelli

New Pleskian

UFHH01

Guest

Lee_Colarelli

New Pleskian

Similar threads