• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Fail2ban banning the servers IP due to incorrect IP in apache logs

Dave W

Regular Pleskian
Server operating system version
CentOS 7.9.2009 x86_64
Plesk version and microupdate number
Plesk Obsidian 18.0.50.2
Greetz,

Running the apache-badbots filter in f2b. Its configured by default to scan
Code:
/var/www/vhosts/system/*/logs/*access*log
/var/log/httpd/*access_log

It banned the servers own IP today.

Found the issue on /var/log/httpd/access_log

Checked the logs and found on /var/log/nginx/access.log;
Code:
170.64.160.98 - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.1" 404 189 "-" "Mozilla/5.0 zgrab/0.x"
170.64.160.98 - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.1" 404 188 "-" "Mozilla/5.0 zgrab/0.x"

Checked httpd /var/log/httpd/access_log and get;
Code:
/var/log/httpd/access_log:<SERVER_IP> - - [23/Mar/2023:17:55:58 +0000] "GET /ab2g HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"
/var/log/httpd/access_log:<SERVER_IP> - - [23/Mar/2023:17:55:59 +0000] "GET /ab2h HTTP/1.0" 404 202 "-" "Mozilla/5.0 zgrab/0.x"

Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?
 
You can freely configure all jails. Jails parameters are read from the files in /etc/fail2ban, not from database. You can also add an extra "ignoreip" line to the /etc/fail2ban/jail.local entry of the bad bot jail, e.g.
Code:
[plesk-apache-badbot]
ignoreip = <SERVER_IP>
enabled = true
After changes to jails or jail local either re-read the jail into Fail2Ban (fail2ban-client reload plesk-apache-badbot) or restart fail2ban (service fail2ban restart).
 
I know how to configure f2b...
Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?
 
This is something yet to be added to Plesk. You can vote for it here:
 
I cannot reproduce the issue here. On a default Plesk installation, your local server IP is whitelisted in Fail2Ban, so it cannot be blocked. If the server is older than when Plesk introduced this, it is necessary to manually whitelist it. I have some servers from the year 2015 here where I had to do that, but then again, localhost is never banned.

For Nginx rules: I too think, that there should be rules for Nginx, because it would be more effective to block traffic right there before it gets forwarded to Apache. But again: It's a frequently requested feature and some day this will also come.
 
Can we configure nginx to pass the client IP to httpd by default or change the apache-badbots jail to check /var/log/nginx/access.log instead?

We do pass client's IP address in proxied request in X-Forwarded-For header. Note that logging this IP address depends on Apache modules and logging configuration, so I'd recommend checking the following:
  • That Apache reports mod_remoteip and log_config_module to be enabled in httpd -M | grep log_config\\\|remoteip
  • That mod_remoteip is configured properly (RemoteIPHeader X-Forwarded-For): grep -r RemoteIPHeader /etc/httpd/
 
Back
Top