
Resolved Fail2Ban banning without any reason

julianchntl

Server operating system version: Ubuntu 22.04.2 LTS
Plesk version and microupdate number: Obsidian 18.0.49

Hello all,

I have been using Plesk for a bit longer now. However, after moving to a new server I have quite severe problems with Fail2Ban. Website visitors are banned for no reason, including myself when I delete files in Nextcloud for example.

Have any of you ever had such a problem and how did you solve it?

Kind regards,
Julian
 
Please look into /var/log/fail2ban.log which jail is banning. I have a suspicion, but need that information first to narrow the cause down.
 
It's the plesk-recidive jail. It's also reproducible; after reloading a website 3 times the IP is getting banned.
 
There is no plesk-recidive jail. I guess you meant the recidive jail, which is the jail where an IP address ends up when it was banned too many times in the other jails.

Please recheck the IP address in /var/log/fail2ban.log and see what happened before it was moved to the recidive jail. I guess that it's the plesk-modsecurity jail that causes this issue.
 
I also think it's ModSecurity. I've had this on servers here and ended up deactivating that jail (leaving ModSecurity on, of course).
 
Yes, you are right. I mixed up something, it is the plesk-modsecurity jail. Is there a solution for this or can I disable it without worrying?
 
You can either disable the plesk-modsecurity jail or try to find out which ModSecurity rules are causing this issue. Be aware that this can be a lot of work if you have a busy server:


Search for the ID tags (each ModSecurity rule has an ID number) in /var/log/modsec_audit.log that trigger the plesk-modsecurity jail.
Those IDs look like this: [id "33340006"].
If that ID is causing the issue, disable it, as explained in the support article in the link above.
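
The two log checks suggested in this thread, as an added example that is not part of any post: for one banned IP address, count which jails banned it in fail2ban.log and which ModSecurity rule IDs fired for it in modsec_audit.log. It assumes fail2ban's default log line layout and ModSecurity's native (serial) audit log format; the function names are hypothetical, and the log lines, IP addresses and rule ID 9990001 are constructed.

```shell
#!/usr/bin/env bash
# Added example. Log lines are constructed; rule ID 9990001 is a placeholder.
jails_for_ip() {   # usage: jails_for_ip IP FAIL2BAN_LOG -> "count [jail]" lines
  awk -v ip="$1" 'NF >= 3 && $(NF-1) == "Ban" && $NF == ip && $(NF-2) ~ /^\[.*\]$/ { n[$(NF-2)]++ }
    END { for (j in n) print n[j], j }' "$2" | sort -rn
}

rule_ids_for_ip() {   # usage: rule_ids_for_ip IP MODSEC_AUDIT_LOG -> "count id" lines
  awk -v ip="$1" '
    /^--[0-9A-Za-z]+-A--$/ { hdr = 1; hit = 0; next }  # section A opens a transaction
    hdr { hit = ($4 == ip); hdr = 0; next }            # A line: [time tz] uid src_ip ...
    hit && /^Message:/ {                               # section H rule messages
      s = $0
      while (match(s, /\[id "[0-9]+"\]/)) {            # a message may carry several ids
        n[substr(s, RSTART + 5, RLENGTH - 7)]++
        s = substr(s, RSTART + RLENGTH)
      }
    }
    END { for (id in n) print n[id], id }' "$2" | sort -rn
}

write_samples() {   # constructed sample logs written into directory $1
  cat > "$1/fail2ban.log" <<'EOF'
2023-03-25 10:15:04,001 fail2ban.actions [911]: NOTICE  [plesk-modsecurity] Ban 203.0.113.7
2023-03-25 10:40:10,200 fail2ban.actions [911]: NOTICE  [plesk-modsecurity] Ban 203.0.113.7
2023-03-25 10:40:11,000 fail2ban.actions [911]: NOTICE  [recidive] Ban 203.0.113.7
2023-03-25 10:41:00,000 fail2ban.actions [911]: NOTICE  [plesk-apache] Ban 198.51.100.23
EOF
  cat > "$1/modsec_audit.log" <<'EOF'
--a1b2c3d4-A--
[25/Mar/2023:10:15:02 +0100] ZB6tAAAA 203.0.113.7 51234 192.0.2.10 443
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "33340006"] [msg "constructed"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[25/Mar/2023:10:20:00 +0100] ZB6tBBBB 198.51.100.23 40000 192.0.2.10 443
--e5f6a7b8-H--
Message: Warning. [id "9990001"] [msg "constructed"]
--e5f6a7b8-Z--
--c9d0e1f2-A--
[25/Mar/2023:10:40:09 +0100] ZB6tCCCC 203.0.113.7 51300 192.0.2.10 443
--c9d0e1f2-H--
Message: Access denied with code 403 (phase 2). [id "33340006"] [msg "constructed"]
--c9d0e1f2-Z--
EOF
}
d=$(mktemp -d); write_samples "$d"
jails_for_ip 203.0.113.7 "$d/fail2ban.log"
rule_ids_for_ip 203.0.113.7 "$d/modsec_audit.log"; rm -rf "$d"
```

On a server, pass /var/log/fail2ban.log and /var/log/modsec_audit.log instead of the sample files; a rule ID that dominates the counts for legitimate visitors is the candidate to review.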
 