
Issue: Fail2ban banning the server's IP due to incorrect IP in Apache logs

Dave W

Regular Pleskian
Server operating system version
CentOS 7.9.2009 x86_64
Plesk version and microupdate number
Plesk Obsidian 18.0.50.2
Greetz,

Running the apache-badbots filter in f2b. It's configured by default to scan
Code:
/var/www/vhosts/system/*/logs/*access*log
/var/log/httpd/*access_log

It banned the server's own IP today.

Found the issue on /var/log/httpd/access_log

Checked the logs and found on /var/log/nginx/access.log;
Code:
170.64.160.98 - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.1" 404 189 "-" "Mozilla/5.0 zgrab/0.x"
170.64.160.98 - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.1" 404 188 "-" "Mozilla/5.0 zgrab/0.x"

Checked httpd /var/log/httpd/access_log and get;
Code:
/var/log/httpd/access_log:<SERVER_IP> - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"
/var/log/httpd/access_log:<SERVER_IP> - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"

Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?
 
You can freely configure all jails. Jail parameters are read from the files in /etc/fail2ban, not from the database. You can also add an extra "ignoreip" line to the /etc/fail2ban/jail.local entry of the bad bot jail, e.g.
Code:
[plesk-apache-badbot]
ignoreip = <SERVER_IP>
enabled = true
After changes to jails or jail.local, either re-read the jail into Fail2Ban (fail2ban-client reload plesk-apache-badbot) or restart fail2ban (service fail2ban restart).
 
I know how to configure f2b...
Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?
 
This is something yet to be added to Plesk. You can vote for it here:
 
I cannot reproduce the issue here. On a default Plesk installation, your local server IP is whitelisted in Fail2Ban, so it cannot be blocked. If the server is older than when Plesk introduced this, it is necessary to manually whitelist it. I have some servers from the year 2015 here where I had to do that, but then again, localhost is never banned.

For Nginx rules: I too think that there should be rules for Nginx, because it would be more effective to block traffic right there before it gets forwarded to Apache. But again: It's a frequently requested feature and some day this will also come.
 
Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?

We do pass client's IP address in proxied request in X-Forwarded-For header. Note that logging this IP address depends on Apache modules and logging configuration, so I'd recommend checking the following:
  • That Apache reports mod_remoteip and log_config_module to be enabled in httpd -M | grep log_config\\\|remoteip
  • That mod_remoteip is configured properly (RemoteIPHeader X-Forwarded-For): grep -r RemoteIPHeader /etc/httpd/
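
Added example (not part of any post in this thread and not Plesk's code): a Python check that correlates nginx and httpd access-log lines to find requests where the backend logged the proxy's address instead of the client's, which is the condition that made Fail2ban ban the server's own IP. The function names, the `PROXY_IPS` set and the sample lines are assumptions; the addresses are constructed from documentation ranges and stand in for the client and `<SERVER_IP>`.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(lines):
    """Yield (key, ip) per parseable line. The key ignores protocol and size,
    which differ between the nginx and httpd entries for one request."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["method"], m["path"], m["ua"]), m["ip"]

def masked_clients(nginx_lines, httpd_lines, proxy_ips):
    """Return (real_client_ip, logged_ip, path) for httpd entries that carry
    a proxy address although nginx saw a different client for that request."""
    seen = defaultdict(list)
    for key, ip in parse(nginx_lines):
        seen[key].append(ip)
    findings = []
    for key, ip in parse(httpd_lines):
        if ip not in proxy_ips:
            continue  # backend already logged a non-proxy address
        for client in seen.get(key, []):
            if client not in proxy_ips:
                findings.append((client, ip, key[2]))
    return findings

# Constructed sample lines modeled on the excerpts quoted in the thread.
PROXY_IPS = {"192.0.2.10"}  # stands in for <SERVER_IP>
NGINX_SAMPLE = [
    '203.0.113.7 - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.1" 404 189 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.7 - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.1" 404 188 "-" "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.23 - - [23/Mar/2023:17:56:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
]
HTTPD_SAMPLE = [
    '192.0.2.10 - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"',
    '192.0.2.10 - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.23 - - [23/Mar/2023:17:56:02 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, logged, path in masked_clients(NGINX_SAMPLE, HTTPD_SAMPLE, PROXY_IPS):
        print(f"{path}: httpd logged {logged}, nginx saw {client}")
```

Any finding means a jail reading the httpd log would act on the proxy address; an empty result after fixing the mod_remoteip configuration shows the backend now records the forwarded client IP.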
 