• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs Custom Fail2ban Jails not working

Azurel

Silver Pleskian
User name: Azurel

TITLE

Custom Fail2ban Jails not working

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS Linux 8.2.2004, Plesk Obsidian Version 18.0.29 Update #2

PROBLEM DESCRIPTION

JUMP TO POST #4

I have created a custom Jail. The Jail is fake working, I see attacker ips in my custom jail, but this ips still crawl my website. I see new requests in access_ssl_log.

STEPS TO REPRODUCE

Filter added
Code:
[Definition]
failregex = <HOST>$
ignoreregex =

Jail Added with
Code:
[banned_servers]
enabled = true
filter = server-block
action = iptables-allports[chain="INPUT", name="banned-servers", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
logpath = /var/www/vhosts/example.com/folder/fail2ban.log
maxretry = 1
IP adress ban period is 15552000. Its not in settings box.

gCWIUuX.jpg


ACTUAL RESULT

As example; you can see "2a02:908:1086:3340:789d:323:2d19:aab8" is blocked by jail and its in this jail since hours!
But with this command

grep '2a02:908:1086:3340:789d:323:2d19:aab8' /var/www/vhosts/example.com/logs/access_ssl_log | tail

I get fresh results from access_ssl_log with new timestamps [27/Aug/2020:21:54:48 +0200]

This ip make 10000 page requests per hour...

Thats not a ipv6 issue. The same problem is with all ips in this jail.

EXPECTED RESULT

IP should actually be blocked.

ANY ADDITIONAL INFORMATION

Or is here a issue with my action?

action = iptables-allports[chain="INPUT", name="banned-servers", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]

Template for
iptables-allports - Ban via iptables firewall, on all ports
is
iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", returntype="RETURN", lockingopt="-w"]

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Last edited:
After change action from
iptables-allports[chain="INPUT", name="banned-servers", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
to
iptables-allports[chain="INPUT", name="banned-servers", port="ssh", protocol="tcp", returntype="RETURN", lockingopt="-w"]
its working.

The action above was from a older system imported (not plesk migrated). Can anyone tell me what exactly was the problem with this action?

Is there no test here whether the action works at all? The system here pretended that everything is ok, but a real ban was not created. It just showed in Plesk that the IP was supposedly banned.
 
To investigate:

1. Please enable this action again:

action = iptables-allports[chain="INPUT", name="banned-servers", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
2. Login to some Linux server and try to ssh to the Plesk server with the wrong password

3. Check what is going on in "/var/log/fail2ban.log"

4. Check if you have installed iptables or firewalld:
  • iptables -L -n
- firewall-cmd --check-config
 
Anyway, `blocktype="REJECT --reject-with icmp-port-unreachable"` and `iptables="iptables <lockingopt>"` don't looks as a real reason of failures because they are equal to defaults.
 
Back
Top