
Issue Fail2ban bans users accessing websites

fliegerhermi

Regular Pleskian
Server operating system version: Ubuntu 18.04.6 LTS
Plesk version and microupdate number: Version 18.0.49 Update #2
Hi.
I have a problem with fail2ban.
The fail2ban log shows this message and is banning users:
2023-01-28 18:28:48,000 fail2ban.filter [252]: ERROR No group found in 'XXX.XXX.19.241 - - [] "GET /system/themes/flexible/icons/error_401.svg HTTP/1.0" 200 1038 "https://XXXX/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"

I don't know which filter is causing this and how to fix it.
Is there a way to update the standard filters in Plesk?

Fail2ban Version: fail2ban 1:0.11.2-v.ubuntu.18.04+p18.0.50.0+t221221.1529
 
Hi Peter, thank you for the quick reply.
I just see several entries like the one I posted.
ModSecurity is running in recognition mode, so maybe the logs are connected to that. However, the ModSecurity jail is off.
 
For this case I can only explain some basics behind the error message. The "no group found" is related to a failed regular expression evaluation. This can be caused by a wrong regex in a fail2ban jail definition or by a proper host entry missing from the logs that are being analyzed. I think the correct approach to further tackle the issue is to check whether custom jails have been defined and if their regexes are good (e.g. by testing them with the fail2ban-regex application) and also to verify that the log file format that is being used is a standard format that includes the host information. As all of that could have been customized, there is no "standard solution" for the issue. It needs to be checked step-by-step on the server.
 
Hi Peter,

I haven't changed anything in the jails/filters, but the server has been in use for years now. That's why I asked if there is a way to set the jails to today's Plesk standard, like after a fresh install.
 
It should be possible to remove the Fail2Ban component through updates/upgrades, then remove the remaining directory /etc/fail2ban manually (if it still exists), then reinstall the component. The other option is to simply copy (e.g. rsync) the /etc/fail2ban path fully from a default installation and only then search/replace the local IP address(es) in the jail.local file.
 
I am seeing the same issues on one of our servers. On that server Plesk was updated to 18.0.50 Update #2 after not being updated for 12 months or so.

@fliegerhermi Did you find a solution yet?
 
By the way, this is our custom plesk-wordpress filter:
Bash:
[Definition]
failregex = ^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401
ignoreregex =
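Added example, not part of the original posts and not Plesk's or fail2ban's own code: it shows how a failregex ending in an ungrouped `200|401`, like the one posted above, can match a log line through its bare `401` branch without capturing any host, which is the "wrong regex" condition described earlier in the thread. Assumptions: `HOST_GROUP` is a simplified stand-in for fail2ban's `<HOST>` expansion, the pattern is applied as an unanchored search, the log lines are constructed, and `GROUPED` is a hypothetical variant that only adds parentheses around the status codes.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion is more elaborate, but it is likewise a named capture group).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex as posted: "|" has the lowest precedence, so this reads as
# (<whole POST rule> 200) OR (the bare text "401" anywhere in the line).
POSTED = r'^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401'
# Hypothetical variant: identical except that the status codes are grouped.
GROUPED = r'^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" (?:200|401)'

# Constructed access-log lines (documentation IP range, not real traffic).
SAMPLES = {
    "svg_get": '203.0.113.5 - - [28/Jan/2023:18:28:47 +0100] '
               '"GET /system/themes/flexible/icons/error_401.svg HTTP/1.0" '
               '200 1038 "https://example.test/" "Mozilla/5.0"',
    "login_post": '203.0.113.9 - - [28/Jan/2023:18:29:02 +0100] '
                  '"POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    "size_401": '203.0.113.7 - - [28/Jan/2023:18:30:10 +0100] '
                '"GET /index.php HTTP/1.1" 200 4401 "-" "Mozilla/5.0"',
}


def evaluate(failregex, line):
    """Return ('miss', None), ('hit', host) or ('no-group', None)."""
    match = re.compile(failregex.replace("<HOST>", HOST_GROUP)).search(line)
    if match is None:
        return ("miss", None)
    host = match.group("host")
    if host is None:
        # The line matched, but through a branch that contains no host group.
        return ("no-group", None)
    return ("hit", host)


def report(failregex):
    """Evaluate one failregex against every constructed sample line."""
    return {name: evaluate(failregex, line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, regex in (("posted", POSTED), ("grouped", GROUPED)):
        for name, result in report(regex).items():
            print(f"{label:8} {name:11} {result}")
```

On the server itself, the same comparison can be made against the real access log with the fail2ban-regex tool mentioned earlier in the thread.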
 