• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Dns recurcion problem or attack?

For /etc/fail2ban/jail.conf :

Find "ignoreip = 127.0.0.1/8" and replace with ignoreip = 127.0.0.1/8 XXX.XXX.XXX.XXX where "XXX.XXX.XXX.XXX" should be replaced with your server IP(s), always separated with a space.​

Find "usedns = no" and replace with usedns = yes

Add the following lines after "usedns = yes"

banaction = iptables-multiport

mta = sendmail

protocol = tcp

logencoding = auto




... more to follow in the next post, so that YOUR posts will match ONE answer/suggestion.
 
Thanks,

I had my ips there but did not want to post them..lol I will make the other changes though

Thank you so much! You are really amazing to give me so much of your time.
 
jail.local

[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
destemail = server@#########.###
findtime = 450
bantime = 4000

[plesk-apache-badbot]
enabled = true

[recidive]
enabled = true

[plesk-roundcube]
enabled = true

[plesk-panel]
enabled = true

[plesk-apache]
enabled = true

[plesk-courierimap]
enabled = true

[ssh]
enabled = true

[plesk-postfix]
maxretry = 3
enabled = true
bantime = 7000

[plesk-horde]
enabled = true

[plesk-proftpd]
maxretry = 3
enabled = true

Be aware that all your settings used for "findtime" and "bantime" are in SECONDS. If you put "findtime = 400" it means, that only entries in the past 6,6 minutes are watched with fail2ban for the specific logs and "bantime = 4000" defines, that the ban will be removed after 66,66 minutes from the iptables chain. As described earlier in my examples it's always smart, to raise the bantime for persistent, returning bad IPs. A bantime for 7 days will look like this "bantime = 604800" and you mostly aren't wrong using a 12 hour findtime with the option "findtime = 43200"

Here is my suggestion for YOUR jail.local ( this file won't be changed by Plesk, if there are any updates/upgrades, that's why it might be better to define some general jails with all the options here, but remember that IF you change things here, they are not anymore necessary in the plesk.conf :

Code:
##########

[DEFAULT]
findtime = 600
bantime = 600

##########

[plesk-apache]
enabled = true
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5

##########

[apache-nohome]
enabled = true
filter = apache-nohome
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5
findtime = 21600

##########

[plesk-apache-badbot]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5
findtime  = 43200
bantime   = 604800

##########

[plesk-courierimap]
enabled = true
action = iptables-multiport[name="plesk-courierimap", port="imap,imap3,imaps,pop3,pop3s"]
logpath = /var/log/maillog
findtime  = 43200
bantime   = 604800

##########

[plesk-horde]
enabled = true
action = iptables-multiport[name="plesk-horde", port="http,https,7080,7081"]
logpath = /var/log/psa-horde/psa-horde.log
findtime  = 43200
bantime   = 604800

##########

[plesk-panel]
enabled = true
action = iptables-multiport[name="plesk-login", port="8880,8443"]
logpath = /var/log/plesk/panel.log
findtime  = 43200
bantime   = 604800

##########

[plesk-postfix]
enabled = true
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime  = 43200
bantime   = 604800

##########

[plesk-proftpd]
enabled = true
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
findtime  = 43200
bantime   = 604800

##########

[plesk-roundcube]
enabled = true
action = iptables-multiport[name="plesk-roundcube", port="http,https,7080,7081"]
logpath = /var/log/plesk-roundcube/errors
findtime  = 43200
bantime   = 604800

##########

[recidive]
enabled = true
action = iptables-allports[name=recidive]
findtime  = 43200
bantime   = 604800

##########

[ssh]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath   = /var/log/secure

##########

[named-refused-udp]
enabled   = true
port      = domain,953
protocol  = udp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath   = /var/log/messages
findtime  = 43200
bantime   = 604800
maxretry  = 1

##########

[named-refused-tcp]
enabled   = true
port      = domain,953
protocol  = tcp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath   = /var/log/messages
findtime  = 43200
bantime   = 604800
maxretry  = 1

##########
 
Most of those time frames were set default that way or very close.

As for the jail.local are you saying I should add these via the Plesk panel or should I just replace the current file with this one? If I do everything will be lost with the next f2b plesk update?
 
Because there are some complete rules now in "jail.local" you don't need all "plesk.conf" definitions, but due to the fact that Plesk will update/upgrade this file, without any notice to you, you could keep that file as it is, because the "jail.local" has a higher priority and will load AFTER the "plesk.conf".

If you still think, for a "cleaner" config after all ( !!! ), that you don't want to have double entries, please un-comment the lines in "plesk.conf" with a "#" in the front of the line, you don't want to have in "plesk.conf". Compair now the "jail.local" with the "plesk.conf" and make you adjustments.




Now we are again at this part, where it comes to the original filters and actions again. As you can see in the "jail.conf" I already added your specific "named-refused" - filter, but as you can see in your folder - listing, this filter is missing, as well as some other usefull filter, which you might want to have. Please go to github repo config folder "filter.d" and copy at least the filter "apache-nohome.conf" / "named-refused.conf" / and any other filter, which you like to have in your own fail2ban - filter - list.



The same for the "action.d" - rules. Please go to the github repo config folder "action.d" and copy at least the missing action - rules "blocklist_de.conf" / "iptables-common.conf" / "iptables-ipset-proto4.conf" / "iptables-ipset-proto6-allports.conf" / "iptables-ipset-proto6.conf" / ... but you are not doing something wrong, when you copy ALL "action.d" - rules to your own "action.d" - folder.





Now you are nearly done... ^^

To avoid a server restart and still flush ALL iptables rules, please use the command "iptables -F" . Afterwards restart the fail2ban daemon with the command "service fail2ban restart" , for that all fail2ban chains get created again. If you experience any problems, please do not hesitate to restart the fail2ban daemon again, before reporting it to this thread, with the fail2ban.log again, so you don't have to explain too much. ^^
 
Most of those time frames were set default that way or very close.

As for the jail.local are you saying I should add these via the Plesk panel or should I just replace the current file with this one? If I do everything will be lost with the next f2b plesk update?

No, please edit the files manually, because Plesk has it's own ways to save new jails and filters, which you can avoid by doing it manually. It you insist in doing it over the Plesk Panel, you have to go another way, because of the filter and action addings. ^^
 
This goes in the jail.local?

I'm sorry but I am a little confused and do not totally understand what I am supposed to do here.
Code:
##########

[DEFAULT]
findtime = 600
bantime = 600

##########

[plesk-apache]
enabled = true
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5

##########

[apache-nohome]
enabled = true
filter = apache-nohome
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5
findtime = 21600

##########

[plesk-apache-badbot]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
	/var/log/httpd/*error_log
maxretry = 5
findtime  = 43200
bantime   = 604800

##########

[plesk-courierimap]
enabled = true
action = iptables-multiport[name="plesk-courierimap", port="imap,imap3,imaps,pop3,pop3s"]
logpath = /var/log/maillog
findtime  = 43200
bantime   = 604800

##########

[plesk-horde]
enabled = true
action = iptables-multiport[name="plesk-horde", port="http,https,7080,7081"]
logpath = /var/log/psa-horde/psa-horde.log
findtime  = 43200
bantime   = 604800

##########

[plesk-panel]
enabled = true
action = iptables-multiport[name="plesk-login", port="8880,8443"]
logpath = /var/log/plesk/panel.log
findtime  = 43200
bantime   = 604800

##########

[plesk-postfix]
enabled = true
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime  = 43200
bantime   = 604800

##########

[plesk-proftpd]
enabled = true
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
findtime  = 43200
bantime   = 604800

##########

[plesk-roundcube]
enabled = true
action = iptables-multiport[name="plesk-roundcube", port="http,https,7080,7081"]
logpath = /var/log/plesk-roundcube/errors
findtime  = 43200
bantime   = 604800

##########

[recidive]
enabled = true
action = iptables-allports[name=recidive]
findtime  = 43200
bantime   = 604800

##########

[ssh]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath   = /var/log/secure

##########

[named-refused-udp]
enabled   = true
port      = domain,953
protocol  = udp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath   = /var/log/messages
findtime  = 43200
bantime   = 604800
maxretry  = 1

##########

[named-refused-tcp]
enabled   = true
port      = domain,953
protocol  = tcp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath   = /var/log/messages
findtime  = 43200
bantime   = 604800
maxretry  = 1

##########
 
You could as well rename the actual "jail.local" to "old.jail.local" and make another, new, fresh "/etc/fail2ban/jail.local".... with this way, you can easily restore your own config with another rename, after deleting the suggested one. :)
 
Ok, the one you put together..I just that and replace the current jail.local? Then should I restart the service or wait? I should add ignore ip in it, etc?

I have downloaded fail2ban files so i have back ups.
 
i just did everything and restarted but got this:

Code:
# iptables -F
# service fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban: WARNING 'filter' not defined in 'plesk-apache-badbot'. Using default one: ''
WARNING No filter set for jail plesk-apache-badbot
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'filter' not defined in 'plesk-roundcube'. Using default one: ''
WARNING No filter set for jail plesk-roundcube
WARNING 'filter' not defined in 'plesk-courierimap'. Using default one: ''
WARNING No filter set for jail plesk-courierimap
WARNING 'filter' not defined in 'plesk-apache'. Using default one: ''
WARNING No filter set for jail plesk-apache
WARNING 'filter' not defined in 'plesk-panel'. Using default one: ''
WARNING No filter set for jail plesk-panel
WARNING 'filter' not defined in 'plesk-postfix'. Using default one: ''
WARNING No filter set for jail plesk-postfix
WARNING 'filter' not defined in 'plesk-horde'. Using default one: ''
WARNING No filter set for jail plesk-horde
WARNING 'logpath' not defined in 'plesk-proftpd'. Using default one: '/var/log/messages'
WARNING 'filter' not defined in 'plesk-proftpd'. Using default one: ''
WARNING No filter set for jail plesk-proftpd
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
ERROR  No file(s) found for glob logpath = /var/www/vhosts/system/*/logs/error_log
ERROR  No file(s) found for glob logpath = /var/www/vhosts/system/*/logs/error_log
                                                           [  OK  ]

Seems to be working though as I am already seeing a ton of banned ips from the named jail.. :) I think I just about got how this works. Now i just edit jail.local instead of in Plesk.. That is fine with me as long as works.
 
Last edited:
Warnings like this "WARNING 'ignoreregex' not defined in 'Definition'. Using default one: '' - - - can be ignored, because the default line in filters ( ignoreregex = ) are not essential and therefore could be left out, if the global ( default ) set is '' .

Filter warnings should never be ignored, but I'm a bit surprised, why your plesk.conf doesn't seem be loaded after the jail.local..... never mind... it's late here so I just give you the lines for it, which you have to insert into each jail in jail.local:

in jail "[plesk-roundcube]" ... after the line action, insert the line:
filter = plesk-roundcube​

in jail "[plesk-courierimap]" ... after the line action, insert the line:
filter = plesk-courierlogin​

in jail "[plesk-apache]" ... after the line action, insert the line:
filter = apache-auth​

in jail "[plesk-panel]" ... after the line action, insert the line:
filter = plesk-panel​

in jail "[plesk-postfix]" ... after the line action, insert the line:
filter = postfix-sasl​

in jail "[plesk-horde]" ... after the line action, insert the line:
filter = plesk-horde​

in jail "[plesk-proftpd]" ... after the line action, insert the line:
filter = proftpd​


For the logpath - warning for plesk-proftpd:

in jail "[plesk-proftpd]" ... after the line filter, insert the line:
logpath = /var/log/secure​

in jail "[recidive]" ... after the line filter, insert the line:
logpath = /var/log/fail2ban.log​



After your modifications, please use these commands again :
iptables -F
service fail2ban restart​
 
Looking better and I can probably figure out the rest.. only thing left is

Code:
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban: ERROR  Found no accessible config files for 'filter.d/plesk-a                                pache-badbot' under /etc/fail2ban
ERROR  Unable to read the filter
ERROR  Errors in jail 'plesk-apache-badbot'. Skipping...
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
                                                           [FAILED]
[root@talkdevelopment ~]#

i think I just have to add apache badbot to filter.d..thought I did already but may have missed it..

anyways thank you so very much

##I think I figure dit out--

apache bad bot filter was named wrong. The jail is called plesk-apache-badbot but the filter is called apache-badbot
 
Last edited:
in jail "[plesk-apache-badbot]" ... after the line action, insert the line:
filter = apache-badbot​

... and again, please flush again the iptables and restart fail2ban afterwards like before. ^^



If you still have some errors, or missbehaviour after all with fail2ban, please reply again in this thread... we "chatted" so long here, that I would be sad, if you still have issues.... :)
 
yes, I already figured out the name and did that but it is saying there is an error with the apache-badbot jail so I just disabled that one for now. No big deal as it was not the one i was really worried about. :)

Thank you for all of your help. i have learned and can do much of the fail2ban configuration myself now though it is confusing with Plesk.

Thanks again mate
 
in jail "[plesk-apache-badbot]" ... after the line action, insert the line:
filter = apache-badbot​

... and again, please flush again the iptables and restart fail2ban afterwards like before. ^^



If you still have some errors, or missbehaviour after all with fail2ban, please reply again in this thread... we "chatted" so long here, that I would be sad, if you still have issues.... :)


I just wanted to thank you again. I see how simple this is when not going through the Plesk panel. it was just confusing at first but i understand it now.

I fixed the apache bot.. It had the wrong log file. Everything seems to be working as it should now and I see a bunch of dns probers getting banned now..

Thank you so much for your time. I learned a great deal.
 
Back
Top