
Issue Fail2ban bans users accessing websites

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
Version 18.0.49 Update #2
Hi.
I have a problem with fail2ban.
The fail2ban log shows this message and is banning users:
2023-01-28 18:28:48,000 fail2ban.filter [252]: ERROR No group found in 'XXX.XXX.19.241 - - [] "GET /system/themes/flexible/icons/error_401.svg HTTP/1.0" 200 1038 "https://XXXX/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"

I don't know which filter is causing this and how to fix it.
Is there a way to update the standard filters in Plesk?

Fail2ban Version: fail2ban 1:0.11.2-v.ubuntu.18.04+p18.0.50.0+t221221.1529
 
Hi Peter, thank you for the quick reply.
I just see several entries like the one I posted.
ModSecurity is running in recognition mode, so maybe the logs are connected to that. However, the modsecurity jail is off.
 
For this case I can only explain some basics behind the error message. The "no group found" is related to a failed regular expression evaluation. This can be caused by a wrong regex in a fail2ban jail definition or by a proper host entry missing from the logs that are being analyzed. I think the correct approach to further tackle the issue is to check whether custom jails have been defined and whether their regexes are good (e.g. by testing them with the fail2ban-regex application) and also to verify that the log file format that is being used is a standard format that includes the host information. As all of that could have been customized, there is no "standard solution" for the issue. It needs to be checked step-by-step on the server.
 
Hi Peter,

I haven't changed anything in the jails/filters, but the server has been in use for years now. That's why I asked if there is a way to set the jails to today's Plesk standard, like after a fresh install.
 
It should be possible to remove the Fail2Ban component through updates/upgrades, then remove remaining directory /etc/fail2ban manually (if it still exists), then reinstall the component. The other option is to simply copy (e.g. rsync) the /etc/fail2ban path fully from a default installation and only then search/replace the local IP address(es) in the jail.local file.
 
I am seeing the same issues on one of our servers. On that server Plesk was updated to 18.0.50 Update #2 after not being updated for 12 months or so.

@fliegerhermi Did you find a solution yet?
 
By the way this is our custom plesk-wordpress filter:
Bash:
[Definition]
failregex = ^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401
ignoreregex =
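An added example, not part of the thread: it runs the filter posted above against the log line from the first post. In that failregex the final `|` splits the whole expression into two alternatives, and the second one, a bare `401`, matches anywhere in a line without capturing a host. The `HOST` pattern, the `GROUPED` variant, the `check` helper and the second sample line are assumptions made for illustration.

```python
import re

# Assumption: simplified stand-in for the pattern fail2ban substitutes for <HOST>;
# only the fact that it is a named capture group matters here.
HOST = r"(?P<host>\S+)"

# Filter exactly as posted in the thread.
POSTED = r'^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401'
# Hypothetical correction: status codes grouped so both stay anchored to <HOST>.
GROUPED = r'^<HOST>.* "POST .*(wp-login\.php|xmlrpc\.php)([/\?#\\].*)? HTTP/.*" (200|401)'

# Line quoted in the first post's error message (timestamp already stripped).
THREAD_LINE = ('XXX.XXX.19.241 - - [] "GET /system/themes/flexible/icons/error_401.svg '
               'HTTP/1.0" 200 1038 "https://XXXX/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
               'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"')
# Constructed sample: a failed WordPress login answered with 401.
LOGIN_LINE = '203.0.113.7 - - [] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"'


def check(failregex, line):
    """Return 'no match', 'match without host', or the captured host."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    if m is None:
        return "no match"
    # The host group is None when the alternative that matched never reached <HOST>.
    return m.group("host") or "match without host"


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("grouped", GROUPED)):
        for line in (THREAD_LINE, LOGIN_LINE):
            print(f"{name:8} {check(rx, line):20} {line[:60]}")
```

With the posted filter, both lines match through the bare `401` and yield no host, so the harmless GET for `error_401.svg` is treated as a failure while a real 401 login attempt still cannot be attributed to an address. On the server, the fail2ban-regex tool mentioned earlier in the thread performs the same check against the real access log and filter file.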
 