• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question blocked ip in Fail2ban and iptables in Syslog Watch again

shopuser

Basic Pleskian
Hi,

any ip adress are in fail2ban with the status blocked, and also in the ip tables ( per SSH added), but in the sys-log in plesk i can see the ip again with hacking activities, is this normal ?
 
Hi,

If IP-address is blocked by a firewall, you shouldn't see hacking activities in logs at the same time.
Maybe ban was temporary and activities start again after unblock or IP-addresses every time is different.
 
the ip is blocked in fail2ban, maybe works fail2ban not correctly.

in the log from fail2ban i can see :

2018-02-01 14:22:19,205 fail2ban.actions [1454]: NOTICE [plesk-postfix] 54.xx.xx.xxx already banned

in the sys-log i can see the:

Feb 1 14:17:45 plesk_saslauthd[16120]: No such user 'service@xxx' in mail authorization database
Feb 1 14:17:45 plesk_saslauthd[16120]: failed mail authenticatication attempt for user 'service@xxxxx' (password len=25)
Feb 1 14:17:45 postfix/smtpd[15879]: warning: 220.ip-x-x.eu[xxxxxxxx]: SASL LOGIN authentication failed: authentication failure
 
Last edited:
I suggest check firewall and firewall rules. Is it really active and really filter traffic from the IP-address? Fail2ban does not ban by itself, it is use system's firewall for that.
 
Back
Top