1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Ban IP after X login attempts

Discussion in 'Plesk Suggestions and Feedback' started by schlimpf, Jul 25, 2012.

  1. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
    As the title says, I would like to have a setting to automatically ban a IP after X login attemts.
    Am I the only one who wants a feature like this? I think this is a substantial feature.

    Regards,
    schlimpf
     
    Last edited: Jul 26, 2012
  2. DaveKay

    DaveKay Regular Pleskian

    17
    85%
    Joined:
    Jan 2, 2012
    Messages:
    226
    Likes Received:
    0
    If you mean login to the admin interface,then yes, this would be a useful feature!
     
  3. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
    Yes, i mean the admin interface
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,556
    Likes Received:
    1,241
    Location:
    Novosibirsk, Russia
    You can define allowed network here - Home>Tools & Settings>IP access restriction management
     
  5. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
    Right, but I do not want to allow single IPs, but automatically ban IPs with a preset number of failed login attempts
     
  6. Mshaker

    Mshaker Basic Pleskian

    18
    85%
    Joined:
    Oct 21, 2010
    Messages:
    75
    Likes Received:
    0
    At least a captcha

    This should really be on the development list. If not banning the IP address then at least add a captcha after X failed attempts. If I view all our plesk server access logs then you can see distributed attacks with people trying to bruteforce the plesk admin panel.
     
  7. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
    Where is the access log for the webadmin located?
     
    Last edited: Jul 26, 2012
  8. Mshaker

    Mshaker Basic Pleskian

    18
    85%
    Joined:
    Oct 21, 2010
    Messages:
    75
    Likes Received:
    0
    You should be able to view them here:

    /usr/local/psa/admin/logs/httpsd_access_log
     
  9. abdi

    abdi Platinum Pleskian

    31
    18%
    Joined:
    May 14, 2006
    Messages:
    2,913
    Likes Received:
    60
    That's for sure a very important feature especially for Mail, FTP & Control Panel. I like the cPanel default "cPHulk Brute Force Protection"

    Surely to the least we should have something like that in default Plesk installation.
     
  10. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
    Any feedback from the parallels team?
     
  11. Dan Mikkelsen

    Dan Mikkelsen Basic Pleskian

    21
     
    Joined:
    Oct 13, 2010
    Messages:
    50
    Likes Received:
    0
    Anybody good at fail2ban, or/and at regex?

    Then we could add it in the fail2ban rules. I already have it installed to avoid bruteforcing SSH, FTP and Email.
    Excellent program, but i thought plesk had a block after x number of attempts :-/
     
  12. abdi

    abdi Platinum Pleskian

    31
    18%
    Joined:
    May 14, 2006
    Messages:
    2,913
    Likes Received:
    60
    Does it? Am not aware of any ...
     
  13. Dan Mikkelsen

    Dan Mikkelsen Basic Pleskian

    21
     
    Joined:
    Oct 13, 2010
    Messages:
    50
    Likes Received:
    0
  14. schlimpf

    schlimpf Basic Pleskian

    11
    85%
    Joined:
    Jul 25, 2012
    Messages:
    37
    Likes Received:
    0
  15. burnleyvic

    burnleyvic Regular Pleskian

    17
    85%
    Joined:
    Nov 9, 2011
    Messages:
    174
    Likes Received:
    1
    With fail2ban I'm checking /usr/local/psa/admin/logs/httpsd_access_log against the following regex:
    failregex = ::ffff:<HOST> .*POST /login_up.php3 HTTP
    Then, in /etc/fail2ban/jail.local I've got the following thresholds:
    maxretry=10 w. findtime=60 -> 10min ban
    maxretry=20 w. findtime=60 -> 2hr ban
    Works for me(TM)
     
  16. SinišaB

    SinišaB New Pleskian

    6
    70%
    Joined:
    Jan 19, 2014
    Messages:
    5
    Likes Received:
    0
    It's unbelievable Plesk still doesn't have a mechanism to protect itself from brute-force login attacks!

    While we are waiting for authors to make it available as an option in the Admin panel, here's how I do it:

    Have a look at database "psa", table "log_actions".
    Plesk logs failed logins here, unfortunately without the username entered. Nevertheless, we can see the IP address in this table.
    The field "action_id" has the value of 125 for failed logins. The field "ip_address" holds the IP address.. :)

    So, we can create the script, run from cron every 5 minutes:

    Code:
    mysql -NBe "SELECT CONCAT('host=',ip_address),date FROM log_actions WHERE action_id=125 AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(date) < 300" psa | while read line
    do
            logger -p auth.warn -t PLESK-LOGIN-FAILED $line
    done
    
    OK, fine, now we can configure fail2ban to detect this. First, create the new filter rule, for example: /etc/fail2ban/filter.d/plesk-login.conf :

    Code:
    [Definition]
    failregex =  PLESK-LOGIN-FAILED: host=<HOST>
    
    Finally, create the appropriate fail2ban jail in /etc/fail2ban/jail.local :

    Code:
    [plesk-login]
    enabled  = true
    port     = 8443
    action   = iptables-multiport[name=plesk-login, port=8443, protocol=tcp] # ... etc (chnage it to suit your needs)
    filter   = plesk-login
    logpath  = /var/log/auth.log
    findtime = 300
    maxretry = 5
    bantime  = 86400
    
    Restart fail2ban service.

    Et voila... :)
     
  17. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,556
    Likes Received:
    1,241
    Location:
    Novosibirsk, Russia
  18. SinišaB

    SinišaB New Pleskian

    6
    70%
    Joined:
    Jan 19, 2014
    Messages:
    5
    Likes Received:
    0
    Hello, IgorG, and thanks for replying.

    Unfortunately, restricting the panel access statically by IP is not an option in many cases. Customers could be .. well.. anywhere. :)
    I've already heard about future fail2ban integration, I just hope it won't mess up already working f2b installations.

    Have a nice day! :)
     
  19. EgidijusS

    EgidijusS Regular Pleskian

    23
    23%
    Joined:
    Jan 22, 2010
    Messages:
    183
    Likes Received:
    0
    Location:
    Vilnius, Lithuania
    Agree with SinišaB. Restricting the panel access statically by IP is not an option in many cases. I believe that feature will not be hard to implement, when fail2ban will be available in plesk. I hope ;) Typical solution for that - after 3 invalid logins ban for 30 min.
     
  20. SinišaB

    SinišaB New Pleskian

    6
    70%
    Joined:
    Jan 19, 2014
    Messages:
    5
    Likes Received:
    0
    We need to be able to lock out an IP after certain number of failed login attempts for any user, not just for those with admin privileges.
    Current mechanism restricts admin access only, but leaves customers' accounts open to password guessing attacks.
     
Loading...