
Question Fail2Ban and Plesk number of domains limitation?

gbotica

Hi,

I've noticed recently that this message appears on the Fail2Ban Jails page:

Warning: Fail2Ban might not operate properly if there are many domains and Fail2Ban has to monitor too many log files.

This rather obscure message raises a couple of questions:

1. What does "might not operate properly" mean?
2. How many log files is "too many"?
3. Is this message triggered when there are a certain number of domains installed on Plesk, or is the message just always displayed?

Basically, how many domains can we expect to run on Plesk before Fail2Ban starts failing?

Thanks for your help.

Linux CentOS 7.4 + Plesk Onyx
 
This is a generic message and a warning to check your system according to what you enable in fail2ban. How many domains do you have on this server and what are the specs of it...
 
120 domains = no problem.

Edit: But watch out that your log files do not get very large. For example rotate log files at 10 MB, not at 1 GB.
 
It will start failing when it has to monitor a lot of log files, and at that point you will want to disable any jail processing a large number of logs.
 
Hi @Peter Debik

What if I have 402 domains?

Several weeks ago, we started to detect user ban issues, but we don't know if the problem may come from the fail2ban warning. How many domains are too many?

If that is indeed the problem, what technical solution can we adopt?

Thanks!
--Kike
 
402 domains = generally no problem, BUT: For fail2ban this is probably too much for single log files.
Instead, you need to split your jails up into separate logs, e.g. one for all the domain names starting with the letter "a", a second for all domains starting with "b", a third for all domains starting with "c" etc ... After splitting, disable the general error_log and access_log jails so that Fail2Ban does not try to read these log files. Let it only read the separate smaller log portions.

For example (Apache jail):
Code:
[plesk-apache-a]
destemail =
ignoreip = 127.0.0.1/8 <your public ipv4 here>
usedns = no
logpath = /var/www/vhosts/system/a*/logs/error_log
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
backend = auto

[plesk-apache-b]
destemail =
ignoreip = 127.0.0.1/8 <your public ipv4 here>
usedns = no
logpath = /var/www/vhosts/system/b*/logs/error_log
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
backend = auto

...

Do the same for all letters and for the Apache, the Apache bad bot and the WordPress jails. All the jails that read web server log files must be split into smaller portions, preferably by alphabet. This way you can have a very large number of domains on your system and still have Fail2Ban process all without any trouble.
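
Added example, not part of the original post or of Plesk's own tooling: a sketch that generates the per-prefix Apache jails described above from a list of domain names, emitting a jail only for prefixes that are actually in use. It goes beyond the post by also covering domains that start with a digit, which letter-only jails would stop monitoring once the general jails are disabled; the function names, the per-jail action name and the sample domains are assumptions of this example.

```python
import string
from collections import Counter

# Values taken from the Apache jail in the post above.
LOG_GLOB = "/var/www/vhosts/system/{prefix}*/logs/error_log"
PORTS = "http,https,7080,7081"
PREFIXES = string.ascii_lowercase + string.digits


def bucket_domains(domains):
    """Count domains per first character; that character becomes the glob prefix."""
    counts = Counter()
    for name in domains:
        first = name.strip().lower()[:1]
        if first and first in PREFIXES:
            counts[first] += 1
    return dict(sorted(counts.items()))


def render_jails(domains, ignoreip="127.0.0.1/8", filter_name="apache-auth"):
    """Return jail.local text with one jail per prefix that has domains."""
    sections = []
    for prefix, count in bucket_domains(domains).items():
        jail = f"plesk-apache-{prefix}"
        sections.append("\n".join([
            f"# {count} domain(s) behind this glob",
            f"[{jail}]",
            "enabled = true",
            f"filter = {filter_name}",
            f"logpath = {LOG_GLOB.format(prefix=prefix)}",
            f"ignoreip = {ignoreip}",
            "usedns = no",
            "backend = auto",
            # Assumption of this example: the action name follows the jail
            # name, so every jail manages its own iptables chain.
            f'action = iptables-multiport[name={jail}, port="{PORTS}"]',
        ]))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    # Constructed sample; on a real server the names would come from the
    # directory listing of /var/www/vhosts/system/.
    sample = ["alpha.example", "apple.example", "beta.example", "4you.example"]
    print(render_jails(sample))
```

The per-prefix counts in the generated comments show which buckets are still large and may need a finer split than one character.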
 
Thanks for that clarifying answer @Peter Debik

To begin with, our support has proceeded with disabling jail-wordpress and jail-modsecurity.

We have not really found in the logs any trace that refers to ERRORS. We have simply detected that many users have recently entered a banned state and we do not know why.

Do you think that the measure adopted to disable these two modules compromises us a lot?
 
The ModSecurity jail does not necessarily need to be in place, because it is a second-level jail for frequent blocks by ModSecurity. The WordPress jail is an absolute necessity. It should always remain on; however, with many domains it should be split into parts as described above.
 