Facebook
Twitter
Richieboydev
Basic Pleskian
filters--keep in kind this is after I deleted the named ones..
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Dns recurcion problem or attack?
- Thread starter Richieboydev
- Start date
filters--keep in kind this is after I deleted the named ones..
Richieboydev
Basic Pleskian
action.d
U
UFHH01
Guest
For /etc/fail2ban/jail.conf :
... more to follow in the next post, so that YOUR posts will match ONE answer/suggestion.
Find "ignoreip = 127.0.0.1/8" and replace with ignoreip = 127.0.0.1/8 XXX.XXX.XXX.XXX where "XXX.XXX.XXX.XXX" should be replaced with your server IP(s), always separated with a space.
Find "usedns = no" and replace with usedns = yes
Add the following lines after "usedns = yes"
banaction = iptables-multiport
mta = sendmail
protocol = tcp
logencoding = auto
banaction = iptables-multiport
mta = sendmail
protocol = tcp
logencoding = auto
... more to follow in the next post, so that YOUR posts will match ONE answer/suggestion.
Richieboydev
Basic Pleskian
Thanks,
I had my ips there but did not want to post them..lol I will make the other changes though
Thank you so much! You are really amazing to give me so much of your time.
I had my ips there but did not want to post them..lol I will make the other changes though
Thank you so much! You are really amazing to give me so much of your time.
U
UFHH01
Guest
Be aware that all your settings used for "findtime" and "bantime" are in SECONDS. If you put "findtime = 400" it means, that only entries in the past 6,6 minutes are watched with fail2ban for the specific logs and "bantime = 4000" defines, that the ban will be removed after 66,66 minutes from the iptables chain. As described earlier in my examples it's always smart, to raise the bantime for persistent, returning bad IPs. A bantime for 7 days will look like this "bantime = 604800" and you mostly aren't wrong using a 12 hour findtime with the option "findtime = 43200"
Here is my suggestion for YOUR jail.local ( this file won't be changed by Plesk, if there are any updates/upgrades, that's why it might be better to define some general jails with all the options here, but remember that IF you change things here, they are not anymore necessary in the plesk.conf :
Code:
##########
[DEFAULT]
findtime = 600
bantime = 600
##########
[plesk-apache]
enabled = true
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
##########
[apache-nohome]
enabled = true
filter = apache-nohome
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
findtime = 21600
##########
[plesk-apache-badbot]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
findtime = 43200
bantime = 604800
##########
[plesk-courierimap]
enabled = true
action = iptables-multiport[name="plesk-courierimap", port="imap,imap3,imaps,pop3,pop3s"]
logpath = /var/log/maillog
findtime = 43200
bantime = 604800
##########
[plesk-horde]
enabled = true
action = iptables-multiport[name="plesk-horde", port="http,https,7080,7081"]
logpath = /var/log/psa-horde/psa-horde.log
findtime = 43200
bantime = 604800
##########
[plesk-panel]
enabled = true
action = iptables-multiport[name="plesk-login", port="8880,8443"]
logpath = /var/log/plesk/panel.log
findtime = 43200
bantime = 604800
##########
[plesk-postfix]
enabled = true
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime = 43200
bantime = 604800
##########
[plesk-proftpd]
enabled = true
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
findtime = 43200
bantime = 604800
##########
[plesk-roundcube]
enabled = true
action = iptables-multiport[name="plesk-roundcube", port="http,https,7080,7081"]
logpath = /var/log/plesk-roundcube/errors
findtime = 43200
bantime = 604800
##########
[recidive]
enabled = true
action = iptables-allports[name=recidive]
findtime = 43200
bantime = 604800
##########
[ssh]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
##########
[named-refused-udp]
enabled = true
port = domain,953
protocol = udp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/messages
findtime = 43200
bantime = 604800
maxretry = 1
##########
[named-refused-tcp]
enabled = true
port = domain,953
protocol = tcp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/messages
findtime = 43200
bantime = 604800
maxretry = 1
##########Richieboydev
Basic Pleskian
Most of those time frames were set default that way or very close.
As for the jail.local are you saying I should add these via the Plesk panel or should I just replace the current file with this one? If I do everything will be lost with the next f2b plesk update?
As for the jail.local are you saying I should add these via the Plesk panel or should I just replace the current file with this one? If I do everything will be lost with the next f2b plesk update?
U
UFHH01
Guest
Because there are some complete rules now in "jail.local" you don't need all "plesk.conf" definitions, but due to the fact that Plesk will update/upgrade this file, without any notice to you, you could keep that file as it is, because the "jail.local" has a higher priority and will load AFTER the "plesk.conf".
If you still think, for a "cleaner" config after all ( !!! ), that you don't want to have double entries, please un-comment the lines in "plesk.conf" with a "#" in the front of the line, you don't want to have in "plesk.conf". Compair now the "jail.local" with the "plesk.conf" and make you adjustments.
Now we are again at this part, where it comes to the original filters and actions again. As you can see in the "jail.conf" I already added your specific "named-refused" - filter, but as you can see in your folder - listing, this filter is missing, as well as some other usefull filter, which you might want to have. Please go to github repo config folder "filter.d" and copy at least the filter "apache-nohome.conf" / "named-refused.conf" / and any other filter, which you like to have in your own fail2ban - filter - list.
The same for the "action.d" - rules. Please go to the github repo config folder "action.d" and copy at least the missing action - rules "blocklist_de.conf" / "iptables-common.conf" / "iptables-ipset-proto4.conf" / "iptables-ipset-proto6-allports.conf" / "iptables-ipset-proto6.conf" / ... but you are not doing something wrong, when you copy ALL "action.d" - rules to your own "action.d" - folder.
Now you are nearly done... ^^
To avoid a server restart and still flush ALL iptables rules, please use the command "iptables -F" . Afterwards restart the fail2ban daemon with the command "service fail2ban restart" , for that all fail2ban chains get created again. If you experience any problems, please do not hesitate to restart the fail2ban daemon again, before reporting it to this thread, with the fail2ban.log again, so you don't have to explain too much. ^^
If you still think, for a "cleaner" config after all ( !!! ), that you don't want to have double entries, please un-comment the lines in "plesk.conf" with a "#" in the front of the line, you don't want to have in "plesk.conf". Compair now the "jail.local" with the "plesk.conf" and make you adjustments.
Now we are again at this part, where it comes to the original filters and actions again. As you can see in the "jail.conf" I already added your specific "named-refused" - filter, but as you can see in your folder - listing, this filter is missing, as well as some other usefull filter, which you might want to have. Please go to github repo config folder "filter.d" and copy at least the filter "apache-nohome.conf" / "named-refused.conf" / and any other filter, which you like to have in your own fail2ban - filter - list.
The same for the "action.d" - rules. Please go to the github repo config folder "action.d" and copy at least the missing action - rules "blocklist_de.conf" / "iptables-common.conf" / "iptables-ipset-proto4.conf" / "iptables-ipset-proto6-allports.conf" / "iptables-ipset-proto6.conf" / ... but you are not doing something wrong, when you copy ALL "action.d" - rules to your own "action.d" - folder.
Now you are nearly done... ^^
To avoid a server restart and still flush ALL iptables rules, please use the command "iptables -F" . Afterwards restart the fail2ban daemon with the command "service fail2ban restart" , for that all fail2ban chains get created again. If you experience any problems, please do not hesitate to restart the fail2ban daemon again, before reporting it to this thread, with the fail2ban.log again, so you don't have to explain too much. ^^
U
UFHH01
Guest
No, please edit the files manually, because Plesk has it's own ways to save new jails and filters, which you can avoid by doing it manually. It you insist in doing it over the Plesk Panel, you have to go another way, because of the filter and action addings. ^^
Richieboydev
Basic Pleskian
This goes in the jail.local?
I'm sorry but I am a little confused and do not totally understand what I am supposed to do here.
I'm sorry but I am a little confused and do not totally understand what I am supposed to do here.
Code:
##########
[DEFAULT]
findtime = 600
bantime = 600
##########
[plesk-apache]
enabled = true
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
##########
[apache-nohome]
enabled = true
filter = apache-nohome
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
findtime = 21600
##########
[plesk-apache-badbot]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
logpath = logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/httpd/*error_log
maxretry = 5
findtime = 43200
bantime = 604800
##########
[plesk-courierimap]
enabled = true
action = iptables-multiport[name="plesk-courierimap", port="imap,imap3,imaps,pop3,pop3s"]
logpath = /var/log/maillog
findtime = 43200
bantime = 604800
##########
[plesk-horde]
enabled = true
action = iptables-multiport[name="plesk-horde", port="http,https,7080,7081"]
logpath = /var/log/psa-horde/psa-horde.log
findtime = 43200
bantime = 604800
##########
[plesk-panel]
enabled = true
action = iptables-multiport[name="plesk-login", port="8880,8443"]
logpath = /var/log/plesk/panel.log
findtime = 43200
bantime = 604800
##########
[plesk-postfix]
enabled = true
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime = 43200
bantime = 604800
##########
[plesk-proftpd]
enabled = true
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
findtime = 43200
bantime = 604800
##########
[plesk-roundcube]
enabled = true
action = iptables-multiport[name="plesk-roundcube", port="http,https,7080,7081"]
logpath = /var/log/plesk-roundcube/errors
findtime = 43200
bantime = 604800
##########
[recidive]
enabled = true
action = iptables-allports[name=recidive]
findtime = 43200
bantime = 604800
##########
[ssh]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
##########
[named-refused-udp]
enabled = true
port = domain,953
protocol = udp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/messages
findtime = 43200
bantime = 604800
maxretry = 1
##########
[named-refused-tcp]
enabled = true
port = domain,953
protocol = tcp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/messages
findtime = 43200
bantime = 604800
maxretry = 1
##########
U
UFHH01
Guest
You could as well rename the actual "jail.local" to "old.jail.local" and make another, new, fresh "/etc/fail2ban/jail.local".... with this way, you can easily restore your own config with another rename, after deleting the suggested one. 
Richieboydev
Basic Pleskian
Ok, the one you put together..I just that and replace the current jail.local? Then should I restart the service or wait? I should add ignore ip in it, etc?
I have downloaded fail2ban files so i have back ups.
I have downloaded fail2ban files so i have back ups.
U
UFHH01
Guest
Please, Richie.... I really tried to write a step-by-step workaround here for you... after you configured the "jail.local", please continue with the post http://forum.parallels.com/showthre...blem-or-attack&p=747822&viewfull=1#post747822 . If you question now every step again, the previous posts are pretty useless, don't you think as well?
Richieboydev
Basic Pleskian
i just did everything and restarted but got this:
Seems to be working though as I am already seeing a ton of banned ips from the named jail.. I think I just about got how this works. Now i just edit jail.local instead of in Plesk.. That is fine with me as long as works.
Code:
# iptables -F
# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: WARNING 'filter' not defined in 'plesk-apache-badbot'. Using default one: ''
WARNING No filter set for jail plesk-apache-badbot
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'filter' not defined in 'plesk-roundcube'. Using default one: ''
WARNING No filter set for jail plesk-roundcube
WARNING 'filter' not defined in 'plesk-courierimap'. Using default one: ''
WARNING No filter set for jail plesk-courierimap
WARNING 'filter' not defined in 'plesk-apache'. Using default one: ''
WARNING No filter set for jail plesk-apache
WARNING 'filter' not defined in 'plesk-panel'. Using default one: ''
WARNING No filter set for jail plesk-panel
WARNING 'filter' not defined in 'plesk-postfix'. Using default one: ''
WARNING No filter set for jail plesk-postfix
WARNING 'filter' not defined in 'plesk-horde'. Using default one: ''
WARNING No filter set for jail plesk-horde
WARNING 'logpath' not defined in 'plesk-proftpd'. Using default one: '/var/log/messages'
WARNING 'filter' not defined in 'plesk-proftpd'. Using default one: ''
WARNING No filter set for jail plesk-proftpd
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
ERROR No file(s) found for glob logpath = /var/www/vhosts/system/*/logs/error_log
ERROR No file(s) found for glob logpath = /var/www/vhosts/system/*/logs/error_log
[ OK ]Seems to be working though as I am already seeing a ton of banned ips from the named jail..
I think I just about got how this works. Now i just edit jail.local instead of in Plesk.. That is fine with me as long as works.
Last edited:
Richieboydev
Basic Pleskian
I am very sorry but this was a bit confusing to me so I needed to clarify.
U
UFHH01
Guest
Warnings like this "WARNING 'ignoreregex' not defined in 'Definition'. Using default one: '' - - - can be ignored, because the default line in filters ( ignoreregex = ) are not essential and therefore could be left out, if the global ( default ) set is '' .
Filter warnings should never be ignored, but I'm a bit surprised, why your plesk.conf doesn't seem be loaded after the jail.local..... never mind... it's late here so I just give you the lines for it, which you have to insert into each jail in jail.local:
in jail "[plesk-roundcube]" ... after the line action, insert the line:
in jail "[plesk-courierimap]" ... after the line action, insert the line:
in jail "[plesk-apache]" ... after the line action, insert the line:
in jail "[plesk-panel]" ... after the line action, insert the line:
in jail "[plesk-postfix]" ... after the line action, insert the line:
in jail "[plesk-horde]" ... after the line action, insert the line:
in jail "[plesk-proftpd]" ... after the line action, insert the line:
For the logpath - warning for plesk-proftpd:
in jail "[plesk-proftpd]" ... after the line filter, insert the line:
in jail "[recidive]" ... after the line filter, insert the line:
After your modifications, please use these commands again :
Filter warnings should never be ignored, but I'm a bit surprised, why your plesk.conf doesn't seem be loaded after the jail.local..... never mind... it's late here so I just give you the lines for it, which you have to insert into each jail in jail.local:
in jail "[plesk-roundcube]" ... after the line action, insert the line:
filter = plesk-roundcube
in jail "[plesk-courierimap]" ... after the line action, insert the line:
filter = plesk-courierlogin
in jail "[plesk-apache]" ... after the line action, insert the line:
filter = apache-auth
in jail "[plesk-panel]" ... after the line action, insert the line:
filter = plesk-panel
in jail "[plesk-postfix]" ... after the line action, insert the line:
filter = postfix-sasl
in jail "[plesk-horde]" ... after the line action, insert the line:
filter = plesk-horde
in jail "[plesk-proftpd]" ... after the line action, insert the line:
filter = proftpd
For the logpath - warning for plesk-proftpd:
in jail "[plesk-proftpd]" ... after the line filter, insert the line:
logpath = /var/log/secure
in jail "[recidive]" ... after the line filter, insert the line:
logpath = /var/log/fail2ban.log
After your modifications, please use these commands again :
iptables -F
service fail2ban restart
service fail2ban restart
Richieboydev
Basic Pleskian
Thank you kind sir.
Richieboydev
Basic Pleskian
Looking better and I can probably figure out the rest.. only thing left is
i think I just have to add apache badbot to filter.d..thought I did already but may have missed it..
anyways thank you so very much
##I think I figure dit out--
apache bad bot filter was named wrong. The jail is called plesk-apache-badbot but the filter is called apache-badbot
Code:
Stopping fail2ban: [ OK ]
Starting fail2ban: ERROR Found no accessible config files for 'filter.d/plesk-a pache-badbot' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'plesk-apache-badbot'. Skipping...
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
[FAILED]
[root@talkdevelopment ~]#i think I just have to add apache badbot to filter.d..thought I did already but may have missed it..
anyways thank you so very much
##I think I figure dit out--
apache bad bot filter was named wrong. The jail is called plesk-apache-badbot but the filter is called apache-badbot
Last edited:
U
UFHH01
Guest
in jail "[plesk-apache-badbot]" ... after the line action, insert the line:
... and again, please flush again the iptables and restart fail2ban afterwards like before. ^^
If you still have some errors, or missbehaviour after all with fail2ban, please reply again in this thread... we "chatted" so long here, that I would be sad, if you still have issues....
filter = apache-badbot
... and again, please flush again the iptables and restart fail2ban afterwards like before. ^^
If you still have some errors, or missbehaviour after all with fail2ban, please reply again in this thread... we "chatted" so long here, that I would be sad, if you still have issues....
Richieboydev
Basic Pleskian
yes, I already figured out the name and did that but it is saying there is an error with the apache-badbot jail so I just disabled that one for now. No big deal as it was not the one i was really worried about.
Thank you for all of your help. i have learned and can do much of the fail2ban configuration myself now though it is confusing with Plesk.
Thanks again mate
Thank you for all of your help. i have learned and can do much of the fail2ban configuration myself now though it is confusing with Plesk.
Thanks again mate
Richieboydev
Basic Pleskian
in jail "[plesk-apache-badbot]" ... after the line action, insert the line:
filter = apache-badbot
... and again, please flush again the iptables and restart fail2ban afterwards like before. ^^
If you still have some errors, or missbehaviour after all with fail2ban, please reply again in this thread... we "chatted" so long here, that I would be sad, if you still have issues....
I just wanted to thank you again. I see how simple this is when not going through the Plesk panel. it was just confusing at first but i understand it now.
I fixed the apache bot.. It had the wrong log file. Everything seems to be working as it should now and I see a bunch of dns probers getting banned now..
Thank you so much for your time. I learned a great deal.
