
Resolved Bug in Plesk 12: Wrong fail2ban config (apache-auth)?

King555

Regular Pleskian
Of course fail2ban is not a Parallels product, but it seems that the implementation into Plesk has a bug.

I activated all jails (including apache-auth).

I expect that this jail only bans an IP when I have an htaccess-secured directory and I enter the password wrong several times.

But this jail also bans when opening a page several times which has an htaccess-file with this content:
Code:
deny from all

Maybe fail2ban reads a wrong string from the error.log, which can be adjusted (?) in the fail2ban config, which is shipped with Plesk12 (?).

OS: Debian 7.6
Plesk Version: 12.0.18 Update No. 13
 
Hello King555,

the apache-auth filter also scans the Apache error.log for entries with "client denied by server configuration". If you set up an htaccess file which declares "deny from all", you actually tell the client that he has no rights to visit this site. The error log records this output when no successful authorisation is done within the declared period, or if no exemption is declared for the client IP. As you can see, this filter works exactly the way it is supposed to work and there is no bug or misconfiguration from Plesk.

If you insist that the standard apache-auth filter should still be modified to suit your needs, please feel free to edit the filter either via the Plesk menu or directly at "/etc/fail2ban/filter.d/apache-auth.conf". Be aware that standard configurations could also be modified or updated within a Plesk update/upgrade, so you might decide to create your own filter with your own specifications, which will be untouched by Plesk.
 
Thanks, but does that mean that Plesk does not come with a fail2ban jail only for detecting wrongly entered usernames/passwords in htaccess-secured directories?
 
You might choose (by editing the filter rules) whether you would like to detect common intruders with the apache-auth filter. The basic filter is configured as follows:

Code:
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$

As you can see, some of the failregex entries included in the apache-auth filter do detect the password failures that you are looking for. If you don't like one of the basic filters, please edit them to fit your personal needs. Not all basic configurations from Plesk (and from optional add-ons) are "the best solution" for everyone. Sometimes you have to change this or that to modify the configurations for your own "best solution". :)
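
The difference discussed in this thread, shown as an added example that is not part of any post or of Plesk's or fail2ban's own code: three of the quoted failregex lines are run over constructed error.log lines to show which client IPs accrue failures with the "client denied by server configuration" rule enabled versus a credential-only custom filter. `PREFIX` is a simplified stand-in for `%(_apache_error_client)s`, and the rule names, sample lines and function names are assumptions.

```python
import re

# Assumption: simplified stand-in for fail2ban's %(_apache_error_client)s prefix.
# The real definition ships in apache-common.conf and differs between versions.
PREFIX = (r"\[[^]]*\] \[(?:error|\S+:\S+)\](?: \[pid \d+(?::tid \d+)?\])?"
          r" \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]")

# Tails of three failregex lines quoted in the thread (rule names are hypothetical).
TAILS = {
    "denied_by_config": r"(AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$",
    "password_mismatch": r'(AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$',
    "user_not_found": r"(AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$",
}
RULES = {name: re.compile("^" + PREFIX + " " + tail) for name, tail in TAILS.items()}

# Constructed Apache 2.2-style error.log lines (documentation IP range, not real data).
SAMPLE_LOG = [
    '[Mon Sep 01 10:15:02 2014] [error] [client 192.0.2.10] client denied by server configuration: /var/www/vhosts/example.com/httpdocs/private/',
    '[Mon Sep 01 10:16:40 2014] [error] [client 192.0.2.20] user alice: authentication failure for "/secure/": Password Mismatch',
    '[Mon Sep 01 10:17:05 2014] [error] [client 192.0.2.30] user bob not found: /secure/',
    '[Mon Sep 01 10:18:00 2014] [error] [client 192.0.2.40] File does not exist: /var/www/favicon.ico',
]

def classify(line, enabled=RULES):
    """Return (rule_name, client_ip) for the first enabled rule that matches, else None."""
    for name in enabled:
        m = RULES[name].match(line)
        if m:
            return name, m.group("host")
    return None

def counted_hosts(lines, enabled):
    """Client IPs that would accrue a failure with only the `enabled` rules active."""
    return {hit[1] for hit in (classify(l, enabled) for l in lines) if hit}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line[28:])
    print("stock rules:     ", sorted(counted_hosts(SAMPLE_LOG, RULES)))
    print("credentials only:", sorted(counted_hosts(
        SAMPLE_LOG, ["password_mismatch", "user_not_found"])))
```

To check a real filter file against a real log, fail2ban ships the `fail2ban-regex` tool, which takes the log file and the filter file as arguments.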
 