
Issue: All visitors are banned by Fail2ban after update of new ModSecurity rule set

salvo89

New Pleskian
Hello,

Today at 9:18 AM, a new set of ModSecurity rules (Fail2Ban) was automatically installed on my VPS with Plesk.

Starting from that time, all visits and visitors to all the internet sites hosted in the VPS are blocked for 10 minutes by Fail2Ban. I checked the IPs and they are all trusted IPs. Each time I have to manually unlock them.

How can I solve the problem? I don't want to disable Fail2Ban, but if I stop the Fail2ban service everything works correctly. This problem arose after today's automatic update of the ModSecurity rules.

Thanks for all.
 
You could continue using fail2ban but only deactivate the ModSecurity jail. This will still give you a lot of protection, it just won't block IPs for failing all the false positives that the Comodo ruleset generates. It's been a pain here, too, on the Obsidian installations. Mostly for WordPress, but sometimes also Nextcloud. There are just some rules that are triggered by very normal operations. The fail2ban ModSecurity jail picks up on it and blocks the IPs.
 
GUI > Tools & Settings > Security > IP Address Banning > Jails
Uncheck the "ModSecurity" jail, then click the "deactivate" button.
 
OK, thanks. But if I deactivate the jail, do I lose the IP protection against brute force? Will the malicious IPs be blocked?
 
ModSecurity will still respond to the offending URLs. Only Fail2Ban won't block the IP of the offender, and it is only related to ModSecurity related 403 errors. All other jails will stay intact. It's not such a big risk.
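To see which rules are behind the bans described in the replies above, this added example (not code from the thread or from Plesk) tallies ModSecurity 403 denials per rule id and lists the rules that only ever fired for IPs you trust. The log lines, IPs, rule ids and function names are constructed for illustration, and it assumes the Apache error-log line style that ModSecurity writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Apache error-log style; IPs, rule ids and URIs are made up.
SAMPLE_LOG = """\
[Tue Mar 05 09:18:41 2024] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "constructed rule A"] [uri "/wp-admin/admin-ajax.php"]
[Tue Mar 05 09:19:02 2024] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "constructed rule A"] [uri "/wp-admin/post.php"]
[Tue Mar 05 09:19:30 2024] [error] [client 203.0.113.11:51544] ModSecurity: Access denied with code 403 (phase 2). [id "900001"] [msg "constructed rule A"] [uri "/wp-admin/admin-ajax.php"]
[Tue Mar 05 09:20:11 2024] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "900002"] [msg "constructed rule B"] [uri "/wp-login.php"]
[Tue Mar 05 09:21:57 2024] [error] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). [id "900003"] [msg "constructed rule C"] [uri "/remote.php/dav/files/demo"]
[Tue Mar 05 09:22:15 2024] [error] [client 203.0.113.10] ModSecurity: Warning. [id "900004"] [msg "constructed rule D"] [uri "/index.php"]
"""

# Only 403 denials matter here: those are what the ModSecurity jail counts.
DENIED = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\].*?'
    r'ModSecurity: Access denied with code 403.*?\[id "(?P<rule>\d+)"\]'
    r'(?:.*?\[uri "(?P<uri>[^"]*)"\])?'
)

def parse_denials(log_text):
    """Yield (client_ip, rule_id, uri) for every 403 denial line."""
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            yield m["ip"], m["rule"], m["uri"] or "-"

def false_positive_candidates(log_text, trusted_ips):
    """Rules whose every denial came from a trusted IP, most frequent first."""
    hits, seen_untrusted = Counter(), set()
    for ip, rule, _uri in parse_denials(log_text):
        hits[rule] += 1
        if ip not in trusted_ips:
            seen_untrusted.add(rule)
    return [(r, n) for r, n in hits.most_common() if r not in seen_untrusted]

def uris_by_rule(log_text):
    """Map each rule id to the sorted URIs it blocked, to spot normal operations."""
    uris = defaultdict(set)
    for _ip, rule, uri in parse_denials(log_text):
        uris[rule].add(uri)
    return {rule: sorted(paths) for rule, paths in uris.items()}

if __name__ == "__main__":
    trusted = {"203.0.113.10", "203.0.113.11"}  # constructed list of known-good IPs
    for rule, count in false_positive_candidates(SAMPLE_LOG, trusted):
        print(rule, count, uris_by_rule(SAMPLE_LOG)[rule])
```
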
 
Now I have, in Tools & Settings > Server Management > Services Management, the service IP Addresses Banning (Fail2Ban) set to "Arrested". So I must restart the service and, after this, go to
Tools & Settings > Security > IP Address Banning > Jails and uncheck or shut down the "plesk-modsecurity"?

Thanks :)
 