
Resolved fail2ban and plesk-proftpd jail

gennolo

Basic Pleskian
Hi all,

I have enabled fail2ban with basic Plesk settings, including the "plesk-proftpd" jail.

According to the jail rule:
Code:
[plesk-proftpd]
enabled = true
filter = proftpd
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
logpath = /var/log/secure
maxretry = 5

It should ban IP addresses when they try 5+ times to log in on the FTP port with wrong credentials.

However, every morning I find these kinds of records in my secure log:

Code:
Aug  9 15:37:56 hostname proftpd[76927]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER anonymous: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:04 hostname proftpd[76966]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:14 hostname proftpd[77005]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:16 hostname proftpd[77014]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:19 hostname proftpd[77026]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:20 hostname proftpd[77031]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:23 hostname proftpd[77042]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:24 hostname proftpd[77055]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:27 hostname proftpd[77058]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:28 hostname proftpd[77069]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:30 hostname proftpd[77076]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:33 hostname proftpd[77085]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:35 hostname proftpd[77089]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:36 hostname proftpd[77099]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:38 hostname proftpd[77104]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:40 hostname proftpd[77107]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:53 hostname proftpd[77153]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:38:57 hostname proftpd[77179]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:09 hostname proftpd[77238]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:11 hostname proftpd[77246]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:13 hostname proftpd[77253]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:15 hostname proftpd[77259]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:18 hostname proftpd[77271]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:20 hostname proftpd[77276]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:32 hostname proftpd[77320]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21
Aug  9 15:39:33 hostname proftpd[77325]: 127.0.0.1 (attacker.ip.here[attacker.ip.here]) - USER www: no such user found from attacker.ip.here [attacker.ip.here] to my.machine.ip.here:21

As you can see there are more than 5 attempts in a short range of time...
The "attacker" IP is always the same, so I guess there's something that prevents the rule from being applied.

Maybe the rule is bypassed if the login is tried with a non-existent user?

If so, how can I add that kind of rule?

FYI - fail2ban is running properly because other jails work fine (like the "recidive" or the "apache" ones), as I am able to see some IPs get banned daily.

Thank you in advance.
 
Hi gennolo,

if you need help with Fail2Ban and/or its configuration, pls. consider adding the used FILTER (not the jail name!) and post the content of the used filter. Pls. add your fail2ban.log as well, so that possible issues can be investigated.

At the moment, people willing to help you can only guess, which is too time-consuming, because it might not suit your configuration and/or possible issues/problems/misconfigurations at all.
 
Hello,
I have not provided the filter because, as explained, it is the default one that comes with Plesk, named "plesk-proftpd".

Here is the filter:

Code:
[plesk-proftpd]
enabled = true
filter = proftpd
action = iptables-multiport[name="plesk-proftpd", port="ftp,ftp-data,ftps,ftps-data"]
logpath = /var/log/secure
maxretry = 5

Here is what happens in fail2ban.log when a malicious IP tries more than 5 FTP login attempts:

Code:
2016-08-24 10:26:33,875 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:35,939 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:38,994 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:43,020 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:45,027 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:45,303 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] Ban attacker.ip.address
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stdout: ''
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stderr: ''
2016-08-24 10:26:45,410 fail2ban.action         [1934]: ERROR   iptables -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- returned 1
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- stdout: ''
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-plesk-proftpd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2016-08-24 10:26:45,519 fail2ban.action         [1934]: ERROR   iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables -F f2b-plesk-proftpd
iptables -X f2b-plesk-proftpd -- returned 1
2016-08-24 10:26:45,519 fail2ban.actions        [1934]: ERROR   Failed to execute ban jail 'plesk-proftpd' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x11db488>, 'matches': u'Aug 24 10:26:32 vps173 proftpd[53062]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER anonymous: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:35 vps173 proftpd[53070]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER www: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:37 vps173 proftpd[53093]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER wrs: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:41 vps173 proftpd[53106]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER wrs: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21\nAug 24 10:26:44 vps173 proftpd[53120]: 127.0.0.1 (attacker.ip.address[attacker.ip.address]) - USER www: no such user found from attacker.ip.address [attacker.ip.address] to my.server.address:21', 'ip': 'attacker.ip.address', 'ipmatches': <function <lambda> at 0x11dba28>, 'ipfailures': <function <lambda> at 0x11db500>, 'time': 1472027205.303508, 'failures': 5, 'ipjailfailures': <function <lambda> at 0x11db668>})': Error stopping action
2016-08-24 10:26:49,126 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:26:55,189 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:01,321 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:04,340 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:08,349 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found attacker.ip.address
2016-08-24 10:27:08,600 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] attacker.ip.address already banned

It looks like there is an issue in applying the ban, but when the attacker IP is found again fail2ban considers it already banned.
Note that obviously I can't find any "proftpd" banned IP in the jail lists in the Plesk interface.

(FYI - My server configuration is pretty common... CentOS 7.2 box with Plesk 12.5, latest microupdate...)

Any suggestions?

Thank you.
 
Hi gennolo,

I would like to point you to the following facts:
Couldn't load target `f2b-plesk-proftpd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
As you can see, Fail2Ban did not create the corresponding chain for whatever reason, and therefore the possible IP ban isn't added to the corresponding iptables chain. It should help to restart Fail2Ban... during this process, all Fail2Ban chains are deleted and re-created. Pls. consider inspecting your log for possible issues during a Fail2Ban restart.


Second, pls. be informed that Fail2Ban doesn't interpret its own error messages, so if a returning intruder appears again in the corresponding log file, which is monitored according to the used filter and its configuration, then Fail2Ban compares it with the previously "banned" IPs from its log file and, if found, will not try to ban the IP again until it finds in its logs that the IP has been "unbanned".
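A check for exactly the situation described above, added here as an example and not part of any post in this thread: it scans fail2ban.log for a "Ban" notice followed by a "Failed to execute ban" error for the same jail, then counts the later "already banned" notices, which show fail2ban will not retry the ban until it sees an unban. The sample log lines are constructed, modelled on the ones posted, with documentation IP addresses.

```python
import re

# Constructed fail2ban.log excerpt modelled on the lines posted in the thread.
SAMPLE_LOG = """\
2016-08-24 10:26:45,027 fail2ban.filter         [1934]: INFO    [plesk-proftpd] Found 203.0.113.7
2016-08-24 10:26:45,303 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] Ban 203.0.113.7
2016-08-24 10:26:45,519 fail2ban.actions        [1934]: ERROR   Failed to execute ban jail 'plesk-proftpd' action 'iptables-multiport' info 'CallingMap({...})': Error stopping action
2016-08-24 10:27:08,600 fail2ban.actions        [1934]: NOTICE  [plesk-proftpd] 203.0.113.7 already banned
2016-08-24 10:30:00,000 fail2ban.actions        [1934]: NOTICE  [recidive] Ban 198.51.100.9
"""

BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
FAIL_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)'")
ALREADY_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned")


def find_phantom_bans(log_text):
    """Return {(jail, ip): n} for bans whose iptables action failed.

    A 'Ban' notice followed by 'Failed to execute ban' for the same jail means
    fail2ban recorded the ban but no iptables rule was installed; n counts the
    later 'already banned' notices, i.e. how often the retry was skipped.
    """
    last_ban = {}   # jail -> IP named in the most recent Ban notice
    phantom = {}    # (jail, ip) -> number of 'already banned' repeats
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            last_ban[m["jail"]] = m["ip"]
            continue
        m = FAIL_RE.search(line)
        if m and m["jail"] in last_ban:
            phantom.setdefault((m["jail"], last_ban[m["jail"]]), 0)
            continue
        m = ALREADY_RE.search(line)
        if m and (m["jail"], m["ip"]) in phantom:
            phantom[(m["jail"], m["ip"])] += 1
    return phantom


if __name__ == "__main__":
    for (jail, ip), repeats in find_phantom_bans(SAMPLE_LOG).items():
        print(f"{jail}: ban of {ip} never reached iptables; skipped {repeats} time(s) as 'already banned'")
```

Run it against the real file with `find_phantom_bans(open("/var/log/fail2ban.log").read())`; any hit is a jail whose chain needs rebuilding, as the restart advice above describes.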
 
Hi there,

I am running Plesk 11.5 myself but I cannot view failed FTP logins in the secure log. Do I need to enable failed FTP logins somewhere?

Running tail -f /var/log/secure and trying to log in with a fake username and password is not logged in secure.
 