DNS recursion problem or attack?

Richieboydev

Basic Pleskian
I have been getting thousands of entries in my syslog like this (some with other domain names).

[attached screenshot: 74.208.174.189_2014-08-11_16-59-43.png]

Some like this as well:

client 88.12.3.165#57517: query (cache) '74.208.226.5.dnsrooted.com/A/IN' denied

I have a few domains on this server and some are using custom name servers. Sites are using dedicated IPs.

I have fail2ban set up, but it is not doing anything against these.

Any idea as to what the problem is and how I should handle this?

Thanks,
Rich
 
To handle the "named-refused" jails with fail2ban, make sure that you use TWO jails, for the "tcp" AND the "udp" protocol.

Example:
Code:
[named-refused-udp]

enabled  = true
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/YOURLOGFILE ; be sure to choose the right logfile on your system for named requests
bantime  = 31536000 ; bantime for 1 year
maxretry = 10 ; the client might try 10 times before the IP gets banned

##########

[named-refused-tcp]

enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/YOURLOGFILE ; be sure to choose the right logfile on your system for named requests
bantime  = 31536000 ; bantime for 1 year
maxretry = 10 ; the client might try 10 times before the IP gets banned
 
I am not sure which log is the correct one, as I do not see one called named. I think it may be the "messages" log, but not sure ..

##Yes, the messages file..duh on me :)

##getting this after adding jails and restarting fail2ban

f2bmng failed: WARNING 'action' not defined in 'named-refused-udp'. Using default one: ''
ERROR Found no accessible config files for 'filter.d/named-refused' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'named-refused-udp'. Skipping...
WARNING 'action' not defined in 'named-refused-tcp'. Using default one: ''
ERROR Found no accessible config files for 'filter.d/named-refused' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'named-refused-tcp'. Skipping...
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 255
 
well, Richieboydev... the filter "named-refused" was just a suggestion; this is not automatically the name on YOUR system, and it even has to be created on YOUR system to work. ^^

... the same goes for the action part... you surely have to add an action for the new jails.

A step-by-step way would be as follows:

1. Create a new filter and name this filter "named-refused"

The original filter "named-refused" ( Link to github for named-refused.conf ) has the following content:
Code:
# Fail2Ban filter file for named (bind9).
#

# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };

[Definition]

# Daemon name
_daemon=named

# Shortcuts for easier comprehension of the failregex

__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$

# DEV Notes:
# Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#          
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
#
# Author: Yaroslav Halchenko

2. Create two new jails ( for the tcp and udp protocols ):

The original jail, listed in jail.conf ( Link to github for jail.conf ), has the following content:
Code:
# DNS servers
#


# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter   = named-refused
# port     = domain,953
# protocol = udp
# logpath  = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused]

port     = domain,953
logpath  = /var/log/named/security.log



... modified for you, the new jails would look like this ( you could insert that directly in "/etc/fail2ban/jail.local", because it might be easier just to copy and paste my examples. If you generate the two new jails with Plesk, make sure that you generated a filter like described above, because when generating a jail first, you won't find the filter in the drop-down box from Plesk. )
Code:
[named-refused-udp]

enabled   = true
port      = domain,953
protocol  = udp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath   = /var/log/YOURLOGFILE ; be sure to choose the right logfile on your system for named requests, I don't know your OS yet. :-)
bantime   = 31536000 ; bantime for 1 year
maxretry  = 10 ; the client might try 10 times before the IP gets banned

##########

[named-refused-tcp]

enabled   = true
port      = domain,953
protocol  = tcp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath   = /var/log/YOURLOGFILE ; be sure to choose the right logfile on your system for named requests
bantime   = 31536000 ; bantime for 1 year
maxretry  = 10 ; the client might try 10 times before the IP gets banned



Before activating these two new jails, you might want to test them first with "fail2ban-regex" ( example from the command line: "fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/YOURFILTER.conf" or "fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/YOURFILTER.local" ).
 
Is this supposed to say udp? protocol = tcp? Both the top and bottom jail protocols say tcp..
 
I think I messed up something


Code:
Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/named-refused.conf
Use         log file : /var/log/messages


Results
=======

Failregex: 62088 total
|-  #) [# of hits] regular expression
|   1) [62088] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [62940] MONTH Day Hour:Minute:Second
`-

Lines: 62940 lines, 0 ignored, 62088 matched, 852 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 852 line

Also, I do not believe I have Bind9, as it does not come standard with Plesk yet..

FYI - OS is CentOS - latest, and latest Plesk
 
Sorry... I corrected my wrong example now. You are absolutely right, the first example was supposed to be "udp".
 
For your concerns: It doesn't matter if you have "Bind9" installed on your server; the question about your log was just to make sure you chose the right logfile for your system messages. Fail2Ban cares about the banning and not about the software. ^^ In your case, you would like to get rid of the lot of client requests which are listed in your logfiles, even though the requesting clients don't even know if you have a DNS server installed or not. The filter "named-refused" was created for logs of the bind9 daemon, so the introductory information is just to make sure that the used regex is the one which is used in your logfiles.

Your messages log seems quite big; that's why the output from the test isn't showing all found results. As suggested, you may use "--print-all-missed" after your "fail2ban-regex /etc/log/messages /etc/fail2ban/filter.d/named-refused.conf", but this will print out the whole lot of what fail2ban just found.... so it's pretty useless right now. But as you can see as well, the test found "62088" matches, which is the more interesting part. Your test was a success and therefore could be activated. :)
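As an added illustration (not code from this thread, from Plesk or from fail2ban itself) of what the two steps above and the fail2ban-regex run are doing, this Python script applies the named-refused failregex to constructed /var/log/messages lines in the same shape as the ones posted in this thread, then replays the jail's maxretry/findtime counting to show which client would end up banned. The year, the sample lines and the simulate_jail helper are assumptions of this example; fail2ban exposes no such function.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The named-refused failregex from the filter above, with fail2ban's %(...)s
# interpolation expanded by hand ("named" stands in for %(_daemon)s) and <HOST>
# replaced by the group fail2ban substitutes for that tag.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?:\[\d+\])"
DAEMON_RE = r"\(?named(?:\(\S+\))?\)?:?"
DAEMON_COMBS_RE = rf"(?:{PID_RE}?:\s+{DAEMON_RE}|{DAEMON_RE}{PID_RE}?:)"
LINE_PREFIX = rf"(?:\s\S+ {DAEMON_COMBS_RE}\s+)?"
COMMON = rf"^{LINE_PREFIX}(\.\d+)?( error:)?\s*client {HOST}#\S+( \([\S.]+\))?: "
FAILREGEX = [re.compile(COMMON + tail) for tail in (
    r"(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$",
    r"zone transfer '\S+/AXFR/\w+' denied\s*$",
    r"bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$",
)]

# The "MONTH Day Hour:Minute:Second" template fail2ban-regex reported for the
# messages log. fail2ban cuts the timestamp out before applying failregex,
# which is why LINE_PREFIX starts with \s (the space left behind).
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})")
YEAR = 2014  # syslog lines carry no year; assumed from the thread's dates


def match_line(line):
    """Return (timestamp, client IP) for a named-refused failure line, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
    rest = line[m.end():]  # what fail2ban hands to failregex
    for rx in FAILREGEX:
        fm = rx.match(rest)
        if fm:
            return ts, fm.group("host")
    return None


def simulate_jail(lines, maxretry=10, findtime=600):
    """Replay the jail's rule: a host is banned once it has maxretry matching
    lines within findtime seconds. Returns (failures per host, {host: ban time})."""
    recent = defaultdict(list)
    failures = defaultdict(int)
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        failures[host] += 1
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        recent[host].append(ts)
        if host not in banned and len(recent[host]) >= maxretry:
            banned[host] = ts
    return dict(failures), banned


def _denied(hms, client, port, qname):
    # Constructed line in the exact shape of the thread's /var/log/messages entries.
    return (f"Aug 17 {hms} talkdevelopment named[30148]: client {client}#{port}: "
            f"query (cache) '{qname}' denied")


# Constructed sample log (not the poster's real data).
SAMPLE_LOG = (
    # one client, eleven refused reverse lookups a minute apart: crosses maxretry=10
    [_denied(f"05:{m:02d}:00", "207.219.56.130", 45900, f"{m}.3.10.10.in-addr.arpa/PTR/IN")
     for m in range(5, 16)]
    # another client probing for an open resolver, only three times
    + [_denied(f"06:{m:02d}:22", "124.232.142.220", 43592, "www.google.it/A/IN") for m in (30, 37, 44)]
    # a refused zone transfer, caught by the second failregex
    + ["Aug 17 06:50:01 talkdevelopment named[30148]: client 203.0.113.9#51234: "
       "zone transfer 'example.net/AXFR/IN' denied"]
    # noise the filter must not count
    + ["Aug 17 06:55:00 talkdevelopment named[30148]: zone example.net/IN: loaded serial 2014081701",
       "Aug 17 06:56:00 talkdevelopment sshd[2222]: Failed password for root from 203.0.113.9 port 40000 ssh2"]
)

if __name__ == "__main__":
    counts, bans = simulate_jail(SAMPLE_LOG)
    for host, n in counts.items():
        print(f"{host:16} {n:3d} matches", "-> BAN at " + bans[host].strftime("%H:%M:%S") if host in bans else "")
```

The replay also shows why findtime matters: the three widely spaced probes from the second client never reach maxretry within 600 seconds, which is the same thing fail2ban's counter would conclude.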
 
That is good to know. Thanks.. Yeah it is the messages log..

Tons of these

Aug 17 05:05:40 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '113.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:09:27 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '56.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:24:02 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '76.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:25:10 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '56.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:27:49 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '2.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:44:27 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '56.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 05:44:49 talkdevelopment named[30148]: client 124.232.142.220#36359: query (cache) 'www.google.it/A/IN' denied
Aug 17 05:44:55 talkdevelopment named[30148]: client 207.219.56.130#45900: query (cache) '16.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:01:49 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '2.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:29:02 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '76.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:29:11 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '114.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:29:12 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '114.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:30:22 talkdevelopment named[30148]: client 124.232.142.220#43592: query (cache) 'www.google.it/A/IN' denied
Aug 17 06:36:45 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '171.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:36:45 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '171.3.10.10.in-addr.arpa/PTR/IN' denied
Aug 17 06:37:06 talkdevelopment named[30148]: client 124.232.142.220#56035: query (cache) 'www.google.it/A/IN' denied
Aug 17 06:54:40 talkdevelopment named[30148]: client 207.219.56.130#33612: query (cache) '56.3.10.10.in-addr.arpa/PTR/IN' denied
 
I just realized the named-conf filter is not showing in the drop-down. I generated the jails after, but I previously tried, so this most likely messed this up..

jail.conf and jail.local seem fine.. not sure how to get the drop-down showing, or if it matters..

I am also getting this in f2b log

2014-08-17 03:24:48,173 fail2ban.actions[1694]: WARNING [plesk-postfix] Ban 88.249.121.158
2014-08-17 03:24:48,179 fail2ban.actions.action[1694]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-plesk-postfix[ \t]' returned 100
2014-08-17 03:24:48,179 fail2ban.actions.action[1694]: ERROR Invariant check failed. Trying to restore a sane environment
2014-08-17 03:24:48,187 fail2ban.actions.action[1694]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission -j fail2ban-plesk-postfix
iptables -F fail2ban-plesk-postfix
iptables -X fail2ban-plesk-postfix returned 100
2014-08-17 03:32:20,993 fail2ban.actions[1694]: WARNING [ssh] Ban 61.174.51.226
2014-08-17 03:32:20,998 fail2ban.actions.action[1694]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \t]' returned 100
2014-08-17 03:32:20,999 fail2ban.actions.action[1694]: ERROR Invariant check failed. Trying to restore a sane environment
 
The new jail should appear in Plesk now as well, after you generated it manually in the jail.local file. To have the new filters appear in the drop-down menu in Plesk, it is necessary that the filter already exists in "/etc/fail2ban/filter.d/"; the same goes for the actions in Plesk ( but in "/etc/fail2ban/action.d/" ). You can create new filters with Plesk as well: go to the tab "Jails" and choose the option "manage filters" to add new ones there. I couldn't find an option in Plesk to add new actions though, but they might add this feature in the future as well. Until then you have to add new actions for the drop-down menu manually, as described above, for your needs.
 
I never did get this working. I tried everything mentioned here but could not get the filter to show in the drop down and I could see my log that nothing was being banned regarding named. I have no idea what I did wrong.
 
then back to the start... ^^

Please open your SSH client to your server and type "service fail2ban restart" to restart the Fail2Ban daemon. If you get any failures during the restart, please include the logfile entries from /var/log/fail2ban.log from the restart to the end, so we can analyze the failures and start debugging. :)
 
Thanks,

I removed those filters last night and the 2 jails as well.. Here is the log just now from the f2b restart--

too many characters for here..will see if I can attach instead.one sec

http://talkdevelopment.org/fail2ban.log

Tell me once you grab it and I will delete it from my server. it is too big for here though not huge.

Thanks again!

BTW-That is the entire log and not just from restart--
 
got it.... pls wait for my edit on this post to continue...


Edit: 1. First please edit the file /etc/fail2ban/jail.conf :

Find "backend = Gamin" and replace this with "backend = auto"

Did you modify the file jail.conf further, or did you leave the pre-configured standard from Plesk? If you modified some more, please paste the whole jail.conf for debugging.



2. Please add the content from /etc/fail2ban/jail.local / /etc/fail2ban/jail.d/plesk.conf and list the files from /etc/fail2ban/filter.d/* and /etc/fail2ban/action.d/*, so that we may have a look at your settings and adjustments. You might consider copying all files from the original github repo if you changed any filters or actions, or if you would like to add the original files which come with the original fail2ban daemon ( https://github.com/fail2ban/fail2ban/tree/master/config - folders "filter.d" and "action.d" ).
 
ok, going to see what you have here right now. Thanks

# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true



# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = no


# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
 
jail.local

[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
destemail = server@#########.###
findtime = 450
bantime = 4000

[plesk-apache-badbot]
enabled = true

[recidive]
enabled = true

[plesk-roundcube]
enabled = true

[plesk-panel]
enabled = true

[plesk-apache]
enabled = true

[plesk-courierimap]
enabled = true

[ssh]
enabled = true

[plesk-postfix]
maxretry = 3
enabled = true
bantime = 7000

[plesk-horde]
enabled = true

[plesk-proftpd]
maxretry = 3
enabled = true
 
jail.d/plesk.conf

# Plesk-specific fail2ban base jail specification file.
#
# YOU SHOULD NOT MODIFY THIS FILE.
# It will probably be overwritten or improved in a distribution update.
#
# All jail names should be under 20 symbols to avoid warnings

[plesk-proftpd]

enabled = false
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
filter = proftpd
logpath = /var/log/secure
maxretry = 5

[plesk-qmail]

enabled = false
action = iptables-multiport[name="plesk-qmail", port="smtp,smtps,submission"]
filter = plesk-qmail
logpath = /var/log/maillog
maxretry = 5

[plesk-postfix]

enabled = false
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
filter = postfix-sasl
logpath = /var/log/maillog
maxretry = 5

[plesk-courierimap]

enabled = false
action = iptables-multiport[name="plesk-courierimap", port="imap,imap3,imaps,pop3,pop3s"]
filter = plesk-courierlogin
logpath = /var/log/maillog
maxretry = 5

[plesk-dovecot]

enabled = false
action = iptables-multiport[name="plesk-dovecot", port="imap,imap3,imaps,pop3,pop3s,4190"]
filter = plesk-dovecot
logpath = /var/log/maillog
maxretry = 5

[plesk-horde]

enabled = false
action = iptables-multiport[name="plesk-horde", port="http,https,7080,7081"]
filter = plesk-horde
logpath = /var/log/psa-horde/psa-horde.log
maxretry = 5

[plesk-roundcube]

enabled = false
action = iptables-multiport[name="plesk-roundcube", port="http,https,7080,7081"]
filter = plesk-roundcube
logpath = /var/log/plesk-roundcube/errors
maxretry = 5

# HTTP servers
[plesk-apache]

enabled = false
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
filter = apache-auth
logpath = /var/www/vhosts/system/*/logs/error_log
          /var/log/httpd/*error_log
maxretry = 6

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[plesk-apache-badbot]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
bantime = 172800
maxretry = 1

[plesk-panel]

enabled = false
action = iptables-multiport[name="plesk-login", port="8880,8443"]
filter = plesk-panel
logpath = /var/log/plesk/panel.log
maxretry = 5
 