I understand the security issue with using multiple IPs to log in, but as these are my first steps in self-managing, I'm quite afraid of locking myself out. How would you proceed in doing so? Renting another VPS and using it as a personal VPN?
As for the subject matter now:
I checked the fail2ban logs and I'm seeing postfix- and dovecot-related entries. Both seem mail-related, not sure what the cause could be. Any ideas?
Code:
2020-05-24 14:12:17,937 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:17
2020-05-24 14:12:18,178 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:18
2020-05-24 14:12:18,862 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:18
2020-05-24 14:12:19,255 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:19
2020-05-24 14:12:19,901 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:19
2020-05-24 14:12:20,256 fail2ban.actions [2605]: NOTICE [plesk-postfix] Ban 94.66.xxx.xxx
2020-05-24 14:12:20,267 fail2ban.filter [2605]: INFO [recidive] Found 94.66.xxx.xxx - 2020-05-24 14:12:20
@Korkodilos_
I think that @Arashi is pointing you in the right direction: a connection originating from a (bad) "old style" mail client.
At least, that might be one of the most feasible explanations for the log entries in fail2ban.log - nevertheless, you should check /var/log/maillog too!
A bit of explanation might help here: why can "old style" mail clients result in IPs being blocked by Fail2Ban?
Well, mail clients like Outlook and those on Apple devices are essentially badly configured - they attempt to connect continuously, without closing connections.
If you had a device running on some IP and that device has a mail client connected to the mail server, then you will see lots of entries in /var/log/maillog.
And, since some "old style" mail clients essentially do not close connections, the mail client on the aforementioned device will cause new log entries over and over again, with those log entries containing an IP that you might not even use anymore.
Fail2Ban is triggered by the many occurrences of the one and specific IP in both /var/log/fail2ban.log and /var/log/maillog.
However, from your log entries it is clear that the plesk-postfix jail is not blocking your IP - this jail is only identifying the IP!
The recidive jail is blocking your IP - due to the many (read: 5) occurrences of the 94.66.xxx.xxx IP.
In the case that you want to allow traffic originating from the 94.66.xxx.xxx IP, you can safely consider disabling the recidive jail.
You can "consider" it, but I would not recommend it.
After all, it seems to be the case that you have a default Fail2Ban setup, as shipped with Plesk - this is not bad, but also not good either.
The above becomes immediately clear when considering the case below.
In the case that you do not want to allow traffic originating from the 94.66.xxx.xxx IP anymore, then there is this issue with a wrong setup: if the 94.66.xxx.xxx IP should be blocked, then the plesk-postfix jail should be blocking it, not the recidive jail.
In short, if you want to block the 94.66.xxx.xxx IP, then reconfigure the plesk-postfix jail and/or add a custom Fail2Ban jail or Fail2Ban filter.
Please note that the odd behaviour of "old style" mail clients can help you here: it often is sufficient to renew the SSL certificate for the mail server for the one and specific domain that causes the log entries in /var/log/fail2ban.log and/or /var/log/maillog, since most of the "old style" mail clients stop connecting to the server if the certificates are renewed.
The above should be viewed as a dirty work-around that enables you to keep the recidive jail intact - which is to be preferred, by the way.
Otherwise, if you do not want to block the 94.66.xxx.xxx IP, you can simply disable (but not remove) the recidive jail or, even better, reconfigure Fail2Ban and change some jails and filters.
In my humble opinion, it is highly recommended that you keep things simple - use a static IP and whitelist this one IP.
In addition, it is highly recommended to improve the Fail2Ban configuration, if you still use the default Fail2Ban config as shipped with Plesk.
Hope the above helps a bit.
Kind regards.
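As an added example, not code from this thread, from Plesk or from the Fail2Ban project: a small Python script that reads fail2ban.log lines in the format shown in the first post and reports, per jail and IP, how many "Found" matches and how many "Ban" actions were logged, which jail actually wrote the Ban line, how far the recidive jail is from its own threshold (recidive watches fail2ban.log itself, so each Ban by another jail counts as one Found for it), and whether an address would be skipped by an ignoreip whitelist. The sample log is constructed to match the posted format (the masked IP is kept as posted); the recidive maxretry of 5 is Fail2Ban's shipped global default and the ignoreip entries are assumptions.

```python
"""Summarise fail2ban.log by jail: who found, who banned, recidive distance.

Added example (not the forum's or Fail2Ban's own code). Sample lines below are
constructed to match the format shown in the post; the IP is masked as posted.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# fail2ban.log line shape:
# "<date> <time>,<ms> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <Found|Ban|Unban> <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]:\s+(?P<level>\w+)\s+"
    r"\[(?P<jail>[\w-]+)\]\s+(?P<action>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

# Constructed sample, modelled on the lines quoted in the first post.
SAMPLE_LOG = """\
2020-05-24 14:12:17,937 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:17
2020-05-24 14:12:18,178 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:18
2020-05-24 14:12:18,862 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:18
2020-05-24 14:12:19,255 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:19
2020-05-24 14:12:19,901 fail2ban.filter [2605]: INFO [plesk-postfix] Found 94.66.xxx.xxx - 2020-05-24 14:12:19
2020-05-24 14:12:20,256 fail2ban.actions [2605]: NOTICE [plesk-postfix] Ban 94.66.xxx.xxx
2020-05-24 14:12:20,267 fail2ban.filter [2605]: INFO [recidive] Found 94.66.xxx.xxx - 2020-05-24 14:12:20
"""


@dataclass(frozen=True)
class Event:
    ts: str
    jail: str
    action: str  # Found, Ban or Unban
    ip: str


def parse_log(lines) -> List[Event]:
    """Turn fail2ban.log lines into Events; lines of other shapes are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["jail"], m["action"], m["ip"]))
    return events


def summarise(events: List[Event]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (jail, ip): how many Found / Ban / Unban lines were logged."""
    counts = defaultdict(lambda: {"Found": 0, "Ban": 0, "Unban": 0})
    for e in events:
        counts[(e.jail, e.ip)][e.action] += 1
    return dict(counts)


def banning_jails(events: List[Event], ip: str) -> List[str]:
    """Jails that actually wrote a 'Ban' line for ip, in log order, de-duplicated."""
    seen: List[str] = []
    for e in events:
        if e.ip == ip and e.action == "Ban" and e.jail not in seen:
            seen.append(e.jail)
    return seen


def recidive_status(events: List[Event], ip: str, maxretry: int = 5) -> Tuple[int, bool]:
    """Bans by other jails seen for ip, and whether recidive's maxretry is reached.

    maxretry=5 is Fail2Ban's shipped global default (assumption: not overridden);
    findtime is ignored here, i.e. all events are assumed to fall in one window.
    """
    bans = sum(1 for e in events if e.ip == ip and e.action == "Ban" and e.jail != "recidive")
    return bans, bans >= maxretry


def ignored(ip: str, ignoreip: List[str]) -> bool:
    """Would this address be skipped by a jail's ignoreip list (IPs or CIDRs)?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for (jail, ip), c in summarise(evs).items():
        print(f"{jail:14s} {ip:16s} Found={c['Found']} Ban={c['Ban']} Unban={c['Unban']}")
    print("banned by:", banning_jails(evs, "94.66.xxx.xxx"))
    print("recidive (bans seen, threshold reached):", recidive_status(evs, "94.66.xxx.xxx"))
    # Assumed admin address and whitelist, in documentation ranges.
    print("203.0.113.10 ignored:", ignored("203.0.113.10", ["127.0.0.1/8", "203.0.113.0/24"]))
```

Run it against the real file with `parse_log(open("/var/log/fail2ban.log"))` to see which jail emitted the Ban line for a given address before deciding which jail's filter or maxretry to adjust; the ignoreip check mirrors what a static admin IP in a jail's `ignoreip` would do.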