Resolved Error fail2ban since update to 18.0.63

[Kulturmensch]

Server operating system version

Ubuntu 22.04.4 LTS

Plesk version and microupdate number

Plesk Obsidian v18.0.63_build1800240802.12 os_Ubuntu 22.04

Since the update to Plesk 18.0.63 trying to open from the Plesk UI via tools/fail2ban results in an error:

f2bmng failed: ERROR:__main__:No section: 'plesk-one-week-ban'


Trying the solution from https://support.plesk.com/hc/en-us/...-Jails-in-Fail2Ban-f2bmng-failed-ERROR-f2bmng
did not help.

 

[Sebahat.hadzhi]

Hello, @Kulturmensch. I attempted to reproduce the reported error on a Ubuntu 22.04 server with Plesk 18.0.63. Unfortunately, I am unable to do so. Hence, what I would suggest is if possible to open a ticket to our support team for an investigation. To sign-in to support and open a ticket go to:

• https://support.plesk.com.

If you got your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative to get support directly from Plesk:

• https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk

 

[Kulturmensch]

Anything else?

 

[Kulturmensch]

After reinstallation of plesk-fali2ban no files are available in /etc/fail2ban . I am currently using the old version again but I cannot manage it using the plesk panel as the error appears as described above.

 

[Kaspar@Plesk]

I see that you've contact our support team and that they have been able to resolve the issue for you. Is that correct?

 

[Kulturmensch]

Thank you for your attention but I didn't contact your support. Instead I switched back to the old version of fail2ban, as the re-installation (plesk installer --select-release-current --install-component fail2ban) did not work as expected. I.e. only the directory /etc/fail2ban had been created but without containing files.

However falling back to the previous configuration did not help from the scratch, because I got the following error when trying to open the Plesk fail2ban-panel:

f2bmng failed: ERROR:__main__:No section: 'plesk-permanent-ban'

To get rid of this error required to add the following section to jail.local

[plesk-permanent-ban]
enabled = false

This helped but led to the next error of the same category:

f2bmng failed: ERROR:__main__:No section: 'plesk-one-week-ban'

So, I solved this error the same way and added the following section to jail.local:

[plesk-one-week-ban]
enabled = false

Well, now I can open the Plesk-UI again showing the following:




I had to add useless jails to get it work. Well, it is not entirely satisfying but worked at the end. Maybe this approach helps at least others.

If you could manage to get a fully operational installation procedure using the command:

plesk installer --select-release-current --install-component fail2ban

it would be highly desirable!

 

[globalmcs]

I experienced the same issue, I tried backing up the fail2ban configuration, removed it, re-installed and copy the config file back and now I can access all the tabs under "IP Address Banning (Fail2Ban)" except the "Banned IP Addresses". one I get the following error (see print screen)

Ubuntu 22.04.4 LTS
Plesk Obsidian 18.0.63 Update 1

I also lost all the Trusted IPs I had before the uninstall/reinstall. Any ideas how to restore the list of Trusted IPs Addresses?

 

[Kulturmensch]

I experienced the same issue, I tried backing up the fail2ban configuration, removed it, re-installed and copy the config file back and now I can access all the tabs under "IP Address Banning (Fail2Ban)" except the "Banned IP Addresses". one I get the following error (see print screen)

Ubuntu 22.04.4 LTS
Plesk Obsidian 18.0.63 Update 1

I also lost all the Trusted IPs I had before the uninstall/reinstall. Any ideas how to restore the list of Trusted IPs Addresses?

View attachment 26846

To get access again you could try to add this to your jail.local:

[plesk-one-week-ban]
enabled = false

Probably you will get then another error, what you can solve in a similar way by adding

[plesk-permanent-ban]
enabled = false

(Do not forget to restart fail2ban after modifying the jail.local)

@plesk However, also this works for me I still wait for a reply from plesk experts what these entries imply and what are the right action and filter entries for these?

 

[Oper]

I think the packages are poorly prepared, the files refer to non-existent things, previously it was recidive, now it is changed to permanent ban and weekly ban.

 

[Petje]

I experienced the exact same issue on a Ubuntu 20.04 server. I rolled back the update to Plesk Obsidian v18.0.62_build1800240724.11.

 

[Oper]

just out of my head, untested hint:

cd /etc/fail2ban/filter.d/
cp recidive.conf plesk-one-week-ban.conf
cp recidive.conf plesk-permanent-ban.conf

 

[Sebahat.hadzhi]

Everyone, thank you for reporting the error and bringing that up to our attention. Our team confirmed that when a user has customized

/etc/fail2ban/jail.d/plesk.conf

upgraded fail2ban package’s configuration is not written on it, resulting in missing config lines like

plesk-one-week-ban

The bug ID is PPP-66006 and a hotfix will be released in one of the upcoming updates. The workaround we can suggest for the time being is:

1. Connect to your server via SSH
2. With your favorite editor open /etc/fail2ban/jail.d/plesk.conf and add the following configuration to the bottom of the file.

# Jail for manual permanent banning
[plesk-permanent-ban]

action   = iptables-allports[name="plesk-permanent-ban"]
filter   = plesk-manual
bantime  = -1
maxretry = 1
enabled  = true

# Jail for manual one week banning
[plesk-one-week-ban]

action   = iptables-allports[name="plesk-one-week-ban"]
filter   = plesk-manual
bantime  = 1w
maxretry = 1
enabled  = true

Please let us know if that worked for you.

 

[Kaspar@Plesk]

I think the packages are poorly prepared, the files refer to non-existent things, previously it was recidive, now it is changed to permanent ban and weekly ban.

I want to address this because it seems there is some confusion. The recidive jail (and filter) have not been replaced or changed.

Two new jails have been introduced; the plesk-one-week-ban and plesk-permanent-ban . Which are used for manual IP banning from the GUI. As @Sebahat.hadzhi already explained, there is currently is an issue with these two jails missing when previously there where any modifications made to any of the already existing jails. We're working on resolving this issue.

 

[Kulturmensch]

Everyone, thank you for reporting the error and bringing that up to our attention. Our team confirmed that when a user has customized


upgraded fail2ban package’s configuration is not written on it, resulting in missing config lines like


The bug ID is PPP-66006 and a hotfix will be released in one of the upcoming updates. At the time being, there is no confirmed workaround we can offer. A possible workaround might be to replace the old configuration with the new file: plesk-one-week-ban

1. Check if you will be able to locate in which file the manual rule is stored:
   
   It should be something similar to:
2. Add it into the "/etc/fail2ban/jail.d/plesk.conf" file.
3. Restart fail2ban: systemctl restart fail2ban

Please let us know if that worked for you.

Thank you for this hint. In my case grep -R plesk-one-week-ban /etc/fail2ban/ does not bring up something except my own and new modifications to get fail2ban work.

In addition I do not find a filter called plesk-manual.conf Could you please also provide the content of this filter, too? Then I can do the rest.

 

[Kulturmensch]

The bug ID is PPP-66006 and a hotfix will be released in one of the upcoming updates.

To give the developers an additional input. I suppose, that in my case the following influenced the upgrade. On an earlier stage I used modsecurity. During the installation also a modsecurity jail was added to plesk.conf. Due to some reasons I had to remove modsecurity but the jail of fail2ban still remained. I am not entirely sure but maybe this is also one reason that the upgrade of fail2ban to the present plesk version failed.

 

[Kaspar@Plesk]

Thank you for this hint. In my case grep -R plesk-one-week-ban /etc/fail2ban/ does not bring up something except my own and new modifications to get fail2ban work.

See our updated workaround in the previous post.

In addition I do not find a filter called plesk-manual.conf Could you please also provide the content of this filter, too? Then I can do the rest.

# Fail2Ban filter for manual banning

[Definition]
failregex =
ignoreregex =

 

[globalmcs]

Everyone, thank you for reporting the error and bringing that up to our attention. Our team confirmed that when a user has customized


upgraded fail2ban package’s configuration is not written on it, resulting in missing config lines like


The bug ID is PPP-66006 and a hotfix will be released in one of the upcoming updates. The workaround we can suggest for the time being is:

1. Connect to your server via SSH
2. With your favorite editor open /etc/fail2ban/jail.d/plesk.conf and add the following configuration to the bottom of the file.

# Jail for manual permanent banning
[plesk-permanent-ban]

action   = iptables-allports[name="plesk-permanent-ban"]
filter   = plesk-manual
bantime  = -1
maxretry = 1
enabled  = true

# Jail for manual one week banning
[plesk-one-week-ban]

action   = iptables-allports[name="plesk-one-week-ban"]
filter   = plesk-manual
bantime  = 1w
maxretry = 1
enabled  = true

Please let us know if that worked for you.

This worked for me, updated the file with the information provided, and I was able to access all the "Banned IP Addresses" tabs under "IP Address Banning".
Thank you for your help

 

[Bitpalast]

Everyone, thank you for reporting the error and bringing that up to our attention. Our team confirmed that when a user has customized


upgraded fail2ban package’s configuration is not written on it, resulting in missing config lines like


The bug ID is PPP-66006 and a hotfix will be released in one of the upcoming updates. The workaround we can suggest for the time being is:

1. Connect to your server via SSH
2. With your favorite editor open /etc/fail2ban/jail.d/plesk.conf and add the following configuration to the bottom of the file.

# Jail for manual permanent banning
[plesk-permanent-ban]

action   = iptables-allports[name="plesk-permanent-ban"]
filter   = plesk-manual
bantime  = -1
maxretry = 1
enabled  = true

# Jail for manual one week banning
[plesk-one-week-ban]

action   = iptables-allports[name="plesk-one-week-ban"]
filter   = plesk-manual
bantime  = 1w
maxretry = 1
enabled  = true

Please let us know if that worked for you.

Yes it works.

However, I am sure that the plesk.conf file on my installation where it failed was an authentic file that was not previously modified by us here, yet it seems that it was not updated automatically upon Plesk upgrade to 18.0.63.

 

[Kulturmensch]

Now everything works fine also the manual banning feature! Thank you for your help!

 

[Kulturmensch]

The Plesk Obsidian 18.0.63 Update #3 tonight did not help. Trying to configure fail2ban through plesk UI led again to error 500 together with the message:
[plesk-one-week-ban] would be missing.

To solve this error I added to the new jail.local the following entries where [XXX] stands for you individual configuration:

[plesk-one-week-ban]
enabled = true
action = iptables-allports[name="plesk-one-week-ban"]
sendmail[mailcmd='/usr/sbin/sendmail -f "<sender>" "<dest>"', dest="[XXX]", sender="fail2ban", sendername="Fail2Ban-at-[XXX]", name="plesk-one-week-ban"]
filter = plesk-manual
bantime = 1w
maxretry = 1

[plesk-permanent-ban]
enabled = true
action = iptables-allports[name="plesk-permanent-ban"]
sendmail[mailcmd='/usr/sbin/sendmail -f "<sender>" "<dest>"', dest="[email protected]", sender="fail2ban", sendername="Fail2Ban-at-Fotoarchiv_Tenckhoff", name="plesk-permanent-ban"]
filter = plesk-manual
bantime = -1
maxretry = 1

However, the update Plesk Obsidian 18.0.63 Update #3 provided a new configuration directory /etc/fail2ban including a new file jail.local where the two plesk-jails "plesk-one-week-ban" and "plesk-permanent-ban" are still missing.

I suggest to dive again into this bug and simply provide these two jails as entries also for a final solution.