• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue Fail2ban bans users accessing websites

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
Version 18.0.49 Update #2
Hi.
I have a problem with fail2ban.
The fail2ban log shows this message and is banning users:
2023-01-28 18:28:48,000 fail2ban.filter [252]: ERROR No group found in 'XXX.XXX.19.241 - - [] "GET /system/themes/flexible/icons/error_401.svg HTTP/1.0" 200 1038 "https://XXXX/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"

I don't know which filter is causing this and how to fix it.
Is there a way to update the standard-filters in plesk?

Fail2ban Version: fail2ban 1:0.11.2-v.ubuntu.18.04+p18.0.50.0+t221221.1529
 
Hi Peter, thank you for the quick reply.
I just see several entries like the one I posted.
ModSecurity is running in recognition mode so maybe the logs are connected to that. However the modsecurity jail is off
 
For this case I can only explain some basic behind the error message. The "no group found" is related to a failed regular expression evaluation. This can be caused by a wrong regex in a fail2ban jail definition or a proper host entry is missing from the logs that are being analyzed. I think the correct approach to further tackle the issue is to check whether custom jails have been defined and if their regex are good (e.g. by testing them with fail2ban-regex application) and also to verify that the log file format that is being used is a standard format that includes the host information. As all of that could have been customized there is no "standard solution" for the issue. It needs to be checked step-by-step on the server.
 
Hi Peter,

I haven't changed anything in the jails/filters, but the server is in use for years now. That's why I asked if there is a way to set the jails to todays plesk-standard like after a fresh install.
 
It should be possible to remove the Fail2Ban component through updates/upgrades, then remove remaining directory /etc/fail2ban manually (if it still exists), then reinstall the component. The other option is to simply copy (e.g. rsync) the /etc/fail2ban path fully from a default installation and only then search/replace the local IP address(es) in the jail.local file.
 
I am seeing the same issues on one of our servers. On that server Plesk was updated to 18.0.50 Update #2 after not being updated for 12 months or so.

@fliegerhermi Did you find a solution yet?
 
By the way this is our custom plesk-wordpress filter:
Bash:
[Definition]
failregex = ^<HOST>.* "POST .*(wp-login.php|xmlrpc.php)([/\?#\\].*)? HTTP/.*" 200|401
ignoreregex =
 
Back
Top