• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved fail2ban and plesk-proftpd jail

gennolo

gennolo

Basic Pleskian
Hi all,

I have enabled fail2ban with basic Plesk settings , including "plesk-proftpd" jail.

According to the jail rule :
Code: 
[plesk-proftpd]
enabled = true
filter = proftpd
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
logpath = /var/log/secure
maxretry = 5

It should ban IP address when they try 5+ times to login on FTP port with wrong credentials.

However, every morning I find in my secure log those kind of recods :

Code: 
Aug  9 15:37:56 hostname proftpd[76927]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER anonymous: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:04 hostname proftpd[76966]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:14 hostname proftpd[77005]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:16 hostname proftpd[77014]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:19 hostname proftpd[77026]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:20 hostname proftpd[77031]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:23 hostname proftpd[77042]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:24 hostname proftpd[77055]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:27 hostname proftpd[77058]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:28 hostname proftpd[77069]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:30 hostname proftpd[77076]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:33 hostname proftpd[77085]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:35 hostname proftpd[77089]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:36 hostname proftpd[77099]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:38 hostname proftpd[77104]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:40 hostname proftpd[77107]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:53 hostname proftpd[77153]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:57 hostname proftpd[77179]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:09 hostname proftpd[77238]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:11 hostname proftpd[77246]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:13 hostname proftpd[77253]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:15 hostname proftpd[77259]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:18 hostname proftpd[77271]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:20 hostname proftpd[77276]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:32 hostname proftpd[77320]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:33 hostname proftpd[77325]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21

As you can see there are more than 5 attempt in a short range of time...
The "attacker" IP is always the same, so I guess there's something that prevent the rule to be applied.

Maybe the rule is bypassed if the login is tried to a non-existant user ?

If so, how can I add that kind of rule ?

FYI - fail2ban is running properly because other jails works fine (like the "recidive" or the "apache") as I am able to see some IPs gets banned daily.

Thank you in advance.
 
Hi gennolo,

if you need help with Fail2Ban or/and it's configuration, pls. consider to add the used FILTER ( not the jail - name! ) and post the content of the used filter. Pls. add as well your fail2ban.log, so that possible issues can be investigated.

At the moment,, people willing to help you can only guess, which is too time-consuming, because it might not at all suit your configuration and/or possible issues/problems/misconfigurations.
 
Hello,
I have not provided the filter because, as explained,
it is the default one that comes with Plesk named "plesk-proftpd".

Here is the filter :

Code: 
[plesk-proftpd]
enabled = true
filter = proftpd
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
logpath = /var/log/secure
maxretry = 5

Here is what happening on fail2ban.log when a malicious IP tries more than 5 FTP login attempts :


Code: 
2016-08-24 10:26:33,875 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:35,939 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:38,994 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:43,020 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:45,027 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:45,303 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] Ban attacker.ip.address
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stdout: ''
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stderr: ''
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- returned 1
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- stdout: ''
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-plesk-proftpd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- returned 1
2016-08-24 10:26:45,519 fail2ban.actions        [1934]: ERROR   Failed to execute ban jail 'plesk-proftpd' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x11db488>, 'matches': u'Aug 24 10:26:32 vps173 proftpd[53062]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER anonymous: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:35 vps173 proftpd[53070]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER www: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:37 vps173 proftpd[53093]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER wrs: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:41 vps173 proftpd[53106]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER wrs: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:44 vps173 proftpd[53120]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER www: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21', 'ip': 'attacker.ip.address', 'ipmatches': <function <lambda> at 0x11dba28>, 'ipfailures': <function <lambda> at 0x11db500>, 'time': 1472027205.303508, 'failures': 5, 'ipjailfailures': <function <lambda> at 0x11db668>})': Error stopping action
2016-08-24 10:26:49,126 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:55,189 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:01,321 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:04,340 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:08,349 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:08,600 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] attacker.ip.address already banned

It looks like there is an issue in applying the ban, but when the attacked IP is found again fail2ban consider it as already banned.
Note that obviously I can't find any "proftpd" banned IP in the jail lists in Plesk interface.

(FYI - My server configuration is pretty common... Centos 7.2 box with Plesk 12.5 last microupdate...)

Any suggestion ?

Thank you.
 
Hi gennolo,

I would like to point you to the following facts:
gennolo said:
Couldn't load target `f2b-plesk-proftpd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
Click to expand...
As you can see, Fail2Ban did not create the depending chain for whatever reason and therefore the possible IP - ban isn't added to the corresponding iptables - chain. It should help to restart Fail2Ban ... during this process, all Fail2Ban chains are being deleted and re-set. Pls. consider to inspect your log for possible issues during a Fail2Ban restart.


Second, pls. be informed, that if Fail2Ban doesn't interpret it's own error - messages, so if a returning intruder appears again in the corresponding log - file, which should be monitored according to the used filter and it's configuration, then Fail2Ban compairs it with it's previous "banned" IP from it's log - file and if found, it will not try to ban the IP again, untill it finds in its logs, that the IP has been "unbanned".
 
Hi there,

I am running Plesk 11.5 my self but i cannot view failed ftp logins in the secure log. Do i need to enable failed ftp logins some where?

Running tail -f /var/log/secure and trying do login with a fake username and password is not logged in secure
 
You must log in or register to reply here.

Similar threads

kristobal1969
Resolved Impossible to update ubuntu 22.04.5 LTS after installation of plesk 18.0.64 #1 error mail message 404 on online.net server (dedibox from scaleway) FR
Replies
1
Views
146
kristobal1969
kristobal1969
T
Question Fail2ban trying to setup a rule to ban ai bots
Replies
4
Views
1K
Bitpalast
Bitpalast
M
Question Upgrade MariaDB 10.3 to 10.11 via Plesk 18.0.61 on Debian 10
Replies
1
Views
601
Kaspar@Plesk
Kaspar@Plesk
E
fail2ban: plesk-wordpress jail is to restrictive
Replies
1
Views
6K
Kaspar@Plesk
Kaspar@Plesk
J
Issue Default plesk-apache-badbot fail2ban doesn't work
2
Replies
21
Views
4K
Kaspar
K
Back
Top