• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue Anacron job 'cron.daily' on server.domain (Fail2Ban Automatic Closing Problem)

claxman

claxman

New Pleskian
I receive an email every day at "03:32" with the time zone of (GMT +03:00) Europe/Istanbul. The email is sent from a mail server, and it indicates that the "IP Address Ban (Fail2Ban)" is automatically disabled at this time every night. I have to reactivate "Fail2Ban" every day.

I have attached the daily logs and email content before Fail2Ban closes. I have tried various changes for a week to determine the cause of this error. For example, I permanently deleted Fail2ban and reinstalled it from the Plesk updates section. I also changed Fail2Ban settings. However, the same problem persists.

I would be happy if you could help me with what I can do to prevent Fail2ban from automatically closing.


Mail Content:

1676806497039.png
Plesk Dashbord:

1676806434088.png

Fail2Ban Logs "/var/log/fail2ban.log":
2023-02-12 03:25:46,514 fail2ban.filter [2645835]: INFO [plesk-postfix] Found 141.98.11.146 - 2023-02-12 03:25:45
2023-02-12 03:26:25,678 fail2ban.filter [2645835]: INFO [plesk-postfix] Found 141.98.11.93 - 2023-02-12 03:26:25
2023-02-12 03:26:32,028 fail2ban.filter [2645835]: INFO [plesk-postfix] Found 141.98.10.72 - 2023-02-12 03:26:32
2023-02-12 03:27:36,153 fail2ban.server [2645835]: INFO Shutdown in progress...
2023-02-12 03:27:36,153 fail2ban.observer [2645835]: INFO Observer stop ... try to end queue 5 seconds
2023-02-12 03:27:36,207 fail2ban.observer [2645835]: INFO Observer stopped, 0 events remaining.
2023-02-12 03:27:36,233 fail2ban.server [2645835]: INFO Stopping all jails
2023-02-12 03:27:36,233 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/access_log'
2023-02-12 03:27:36,246 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/access_ssl_log'
2023-02-12 03:27:36,246 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/httpd/access_log'
2023-02-12 03:27:36,253 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain13.org/logs/access_log'
2023-02-12 03:27:36,253 fail2ban.filter [2645835]: ERROR Unable to get failures in /var/log/fail2ban.log
2023-02-12 03:27:36,253 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/fail2ban.log'
2023-02-12 03:27:36,253 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/plesk-roundcube/errors'
2023-02-12 03:27:36,258 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/plesk/panel.log'
2023-02-12 03:27:36,263 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain8.org/logs/error_log'
2023-02-12 03:27:36,265 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain14.org/logs/error_log'
2023-02-12 03:27:36,265 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain13.org/logs/error_log'
2023-02-12 03:27:36,265 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/httpd/error_log'
2023-02-12 03:27:36,265 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain5.org/logs/error_log'
2023-02-12 03:27:36,266 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain4.org/logs/error_log'
2023-02-12 03:27:36,271 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/maillog'
2023-02-12 03:27:36,272 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/secure'
2023-02-12 03:27:36,272 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/maillog'
2023-02-12 03:27:36,276 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/modsec_audit.log'
2023-02-12 03:27:36,280 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/secure'
2023-02-12 03:27:36,284 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/access_log'
2023-02-12 03:27:36,285 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain2.org/logs/proxy_access_log'
2023-02-12 03:27:36,290 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/proxy_access_ssl_log'
2023-02-12 03:27:36,291 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/proxy_access_log'
2023-02-12 03:27:36,291 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain1.org/logs/access_ssl_log'
2023-02-12 03:27:36,291 fail2ban.filter [2645835]: INFO Removed logfile: '/var/log/httpd/access_log'
2023-02-12 03:27:36,291 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain13.org/logs/proxy_access_ssl_log'
2023-02-12 03:27:36,293 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain8.org/logs/access_ssl_log'
2023-02-12 03:27:36,293 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain5.org/logs/proxy_access_log'
2023-02-12 03:27:36,293 fail2ban.actions [2645835]: NOTICE [plesk-panel] Flush ticket(s) with iptables-multiport-plesk-login
2023-02-12 03:27:36,293 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain15.org/logs/access_ssl_log'
2023-02-12 03:27:36,294 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain10.org/logs/access_ssl_log'
2023-02-12 03:27:36,294 fail2ban.actions [2645835]: NOTICE [plesk-apache] Flush ticket(s) with iptables-multiport-apache
2023-02-12 03:27:36,294 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain3.org/logs/proxy_access_ssl_log'
2023-02-12 03:27:36,295 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain14.org/logs/proxy_access_log'
2023-02-12 03:27:36,295 fail2ban.filter [2645835]: INFO Removed logfile: '/var/www/vhosts/system/domain13.org/logs/access_log'
2023-02-12 03:27:36,302 fail2ban.actions [2645835]: NOTICE [plesk-dovecot] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,359 fail2ban.actions [2645835]: NOTICE [plesk-roundcube] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,367 fail2ban.actions [2645835]: NOTICE [plesk-apache-badbot] Flush ticket(s) with iptables-multiport-BadBots
2023-02-12 03:27:36,378 fail2ban.actions [2645835]: NOTICE [plesk-wordpress] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,413 fail2ban.actions [2645835]: NOTICE [plesk-proftpd] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,428 fail2ban.actions [2645835]: NOTICE [ssh] Flush ticket(s) with iptables
2023-02-12 03:27:36,455 fail2ban.actions [2645835]: NOTICE [plesk-modsecurity] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,466 fail2ban.actions [2645835]: NOTICE [plesk-postfix] Flush ticket(s) with iptables-multiport
2023-02-12 03:27:36,906 fail2ban.actions [2645835]: NOTICE [recidive] Flush ticket(s) with iptables-allports
2023-02-12 03:27:36,910 fail2ban.actions [2645835]: NOTICE [recidive] Unban 202.55.132.190
2023-02-12 03:27:36,910 fail2ban.actions [2645835]: NOTICE [recidive] Unban 109.206.240.159
2023-02-12 03:27:36,910 fail2ban.actions [2645835]: NOTICE [recidive] Unban 141.98.10.76
2023-02-12 03:27:36,910 fail2ban.actions [2645835]: NOTICE [recidive] Unban 193.56.29.178
2023-02-12 03:27:36,911 fail2ban.actions [2645835]: NOTICE [recidive] Unban 87.246.7.229
2023-02-12 03:27:36,911 fail2ban.actions [2645835]: NOTICE [recidive] Unban 185.254.37.138
2023-02-12 03:27:37,501 fail2ban.jail [2645835]: INFO Jail 'plesk-apache-badbot' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'recidive' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-roundcube' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-panel' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-apache' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-dovecot' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'ssh' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-postfix' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-modsecurity' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-proftpd' stopped
2023-02-12 03:27:37,502 fail2ban.jail [2645835]: INFO Jail 'plesk-wordpress' stopped
2023-02-12 03:27:37,503 fail2ban.database [2645835]: INFO Connection to database closed.
2023-02-12 03:27:37,503 fail2ban.server [2645835]: INFO Exiting Fail2ban
Click to expand...
 

Attachments

  • 1676806497039.png
    1676806497039.png
    161.4 KB · Views: 8
Yes, the same issue occured with another user a couple of years ago. Fail2ban is stopped by firewalld, and that again is probably stopped by something that Atomic does or an incompatible add-on on the server. But it is impossible to say if that is the same cause here as we don't know what is installed on the system. I don't think that this should be handled in a forum dialogue, it's just a too complex multi-step action that is required, including temporary debug mode, fail2ban wrapper to get a process list output and further tests to check the root cause on the server.

@claxman I suggest to let support engineers to that on your server directly. Please refer them to PPS-9729, former ticket 260854 and article 360017100680 for quicker access to what needs to get checked.
support.plesk.com

How to get support directly from Plesk?

Question How to get support directly from Plesk? Answer Lease-type Plesk licenses purchased directly from Plesk running on supported Plesk version include full free support. Perpetual-type license...
support.plesk.com support.plesk.com
 
I think that's a separate issue, as this one is easy to reproduce:
Code: 
[root@server cron.daily]# ./aum_nightly.sh
[root@server cron.daily]# panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7f6de1]

goroutine 1 [running]:
awp/awp_components/c_ossec.RulesXMLParse({0x933a84, 0x20})
    /builddir/build/BUILD/aum/src/awp/awp_components/c_ossec/RulesXMLParse.go:18 +0xc1
awp.rules_hids_state_update_base()
    /builddir/build/BUILD/aum/src/awp/awp.rules.hids.go:27 +0x3a
awp.RulesHidsStateUpdateBase(...)
    /builddir/build/BUILD/aum/src/awp/awp.rules.hids.go:19
main.report_init()
    /builddir/build/BUILD/aum/src/bin/aum_nightly.go:139 +0x19b
main.main()
    /builddir/build/BUILD/aum/src/bin/aum_nightly.go:45 +0x2e

Do you want me to report this as a bug?
 
Peter Debik said:
Yes, the same issue occured with another user a couple of years ago. Fail2ban is stopped by firewalld, and that again is probably stopped by something that Atomic does or an incompatible add-on on the server. But it is impossible to say if that is the same cause here as we don't know what is installed on the system. I don't think that this should be handled in a forum dialogue, it's just a too complex multi-step action that is required, including temporary debug mode, fail2ban wrapper to get a process list output and further tests to check the root cause on the server.

@claxman I suggest to let support engineers to that on your server directly. Please refer them to PPS-9729, former ticket 260854 and article 360017100680 for quicker access to what needs to get checked.
support.plesk.com

How to get support directly from Plesk?

Question How to get support directly from Plesk? Answer Lease-type Plesk licenses purchased directly from Plesk running on supported Plesk version include full free support. Perpetual-type license...
support.plesk.com support.plesk.com
Click to expand...

maartenv said:
I think that's a separate issue, as this one is easy to reproduce:
Code: 
[root@server cron.daily]# ./aum_nightly.sh
[root@server cron.daily]# panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7f6de1]

goroutine 1 [running]:
awp/awp_components/c_ossec.RulesXMLParse({0x933a84, 0x20})
    /builddir/build/BUILD/aum/src/awp/awp_components/c_ossec/RulesXMLParse.go:18 +0xc1
awp.rules_hids_state_update_base()
    /builddir/build/BUILD/aum/src/awp/awp.rules.hids.go:27 +0x3a
awp.RulesHidsStateUpdateBase(...)
    /builddir/build/BUILD/aum/src/awp/awp.rules.hids.go:19
main.report_init()
    /builddir/build/BUILD/aum/src/bin/aum_nightly.go:139 +0x19b
main.main()
    /builddir/build/BUILD/aum/src/bin/aum_nightly.go:45 +0x2e

Do you want me to report this as a bug?
Click to expand...

Thanks for your answers.
 
Hi there,
I'm having exactly having the same issue on my server. In the ModSecurity module, I'm also using the Atomic ruleset, although the Standard (free) version. I also tried removing and reinstalling the Fail2Ban module, but this didn't work. Today I switched to Comodo free ruleset. Lets see if this helps.
If any updates are on this matter, would you please let me know?
Thanks!
 
I just received a message from Plesk Support that the issue has been escalated to the Plesk developer's team. I will keep you informed once I receive a reply from Plesk Support.
 
Hiljo_Lodewijk said:
Merhaba,
Tam olarak aynı sorunu sunucumda yaşıyorum. ModSecurity modülünde, Standart (ücretsiz) sürüm olmasına rağmen Atomic kural setini de kullanıyorum. Fail2Ban modülünü kaldırıp yeniden yüklemeyi de denedim ama bu işe yaramadı. Bugün Comodo ücretsiz kural setine geçtim. Bunun yardımcı olup olmadığını görelim.
Bu konuyla ilgili bir gelişme olursa lütfen beni bilgilendirir misiniz?
Teşekkürler!
Click to expand...

1676925904003.png


I tried both options. Error. I turned off "ModSecurity" completely. I'll get back to you about the situation tomorrow.
1676925941260.png
 
Hiljo_Lodewijk said:
Hi there,
I'm having exactly having the same issue on my server. In the ModSecurity module, I'm also using the Atomic ruleset, although the Standard (free) version. I also tried removing and reinstalling the Fail2Ban module, but this didn't work. Today I switched to Comodo free ruleset. Lets see if this helps.
If any updates are on this matter, would you please let me know?
Thanks!
Click to expand...
1676939606513.png

It always disables Fail2ban at the same time.
 
Plesk has investigated the issue on our servers and returned the results to Atomic. Atomic has confirmed this problem and will release an update as early as the end of next week. Afterward, the issue should no longer be observed.

In the meantime, you might disable/turn off the cron task "/etc/cron.daily/aum_nightly.sh" to avoid receiving notifications about this issue or wait for the update to be released.
 
There is ongoing correspondence. Plesk has disabled Atomic rulesets on new installations temporarily. Atomic had provided two fixes, but as far as I know neither completely resolved the issues. It is being worked on, no ETA yet.
 
You must log in or register to reply here.

Similar threads

I
Question Mail fail
Replies
0
Views
108
ivanes82
I
W
Issue scheduled task ERROR | /opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/wp-toolkit/scripts/instances-auto-update.php'
Replies
3
Views
902
Wolfgang Reidlinger
W
Tim_Wakeling
Issue Firewall suddenly took Plesk down overnight
2
Replies
23
Views
2K
Peter Debik
P
J
Resolved Default plesk-wordpress fail2ban doesn't work
Replies
4
Views
1K
Mark_NLD
M
T
Question incoming mail DMARC failure - need expert eyes
Replies
5
Views
1K
TomBoB
T
Back
Top