Resolved Fail2Ban false positives.

[daanse]

Hi,

i have a Problem, customers complaining about false positives.

Most of the Ips its recidive Jail..

Actually i have following Settings:

Fail2Ban 600 Seconds, 3 (default settings)
Mod Security Atomic with active F2B. (set it to balanced)
Plesk 12.5

Do we need some more Informations?
I think mainly its also through Mail Services.
So customer tries some conenections (Settings) and they dont work and bum - got banned.

 

[UFHH01]

Hi daanse,

pls. be informed, that "guessing" is never a good work-around to investigate issues/problems/failures.

You don't provide informations about the initial jail, where customers got banned. The recidive - jail will only ban IPs, which already have been banned. Pls. either post your Fail2Ban.log, or investigate for yourself, what the initial jail was.
After you investigated the initial jail, consider to post your depending filter for that jail, so people willing to help you know, what regex has been used.
It is as well a goog idea to post the log - file ( or corresponding log - entries ), which is used to ban IPs, based on the investigated jail.


For your information, I post the general Plesk knowledge - base article, where logs and configuration - files can be found, when you use Plesk:

Plesk for Linux services logs and configuration files ( KB - article: 111 283 )​

 

[daanse]

Yes.

This Time, same Customer complains it was "plesk-apache" Jail.
with following Settings:

[plesk-apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/apache2/*error.log
maxretry = 6

the recidive has following Settings:

[recidive]
enabled = true
filter = recidive
action = iptables-allports[name=recidive]
logpath = /var/log/fail2ban.log
maxretry = 5

Hope you meant that.
Also attached two Images from Log.
This is just a few minutes ago and this is only content (Ip based)

 

[UFHH01]

Hi daanse,

unfortunately, you misunderstood me a bit... I'll try to explain some more:

At least, you found the jail "[plesk-apache]", but you didn't post corresponding the filter ( filter = apache-auth ) content, which is the following, if you didn't edited the standarts:

# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]


failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication
# however apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
#     ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
#     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
#     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
#
# Author: Cyril Jaquier
# Major edits by Daniel Black

After that, you will have to look in the corresponding error - log - file, located at "/var/www/vhosts/system/YOURDOMAIN.COM/logs/error_log", for what reason the client might have been banned. Just copy the IP - adress and keep searching for that IP in the logs. You definetely should post the found log - entries now here in the thread, if you would like help with the investigations.

 

[daanse]

[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
    ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
    ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
    ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
ignoreregex =

Yes, wow. Okay. Here's the Filter... ^^ I didn't changed it.

Here some Log at same Time as Customer complained over BAN

[Thu Jun 30 12:12:51.371357 2016] [access_compat:error] [pid 7897] [client 79.246.64.98:52704] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery
[Thu Jun 30 12:20:02.250786 2016] [access_compat:error] [pid 11466] [client 79.246.64.98:52840] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post-new.php?post_type=dt_portfolio
[Thu Jun 30 12:26:03.582646 2016] [access_compat:error] [pid 11559] [client 79.246.64.98:52927] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post-new.php?post_type=dt_portfolio
[Thu Jun 30 12:26:13.814220 2016] [access_compat:error] [pid 7897] [client 79.246.64.98:52936] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post-new.php?post_type=dt_portfolio
[Thu Jun 30 12:26:31.957927 2016] [access_compat:error] [pid 12442] [client 79.246.64.98:52941] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post-new.php?post_type=dt_portfolio
[Thu Jun 30 12:28:19.976633 2016] [access_compat:error] [pid 11559] [client 79.246.64.98:52968] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery
[Thu Jun 30 12:28:33.477827 2016] [access_compat:error] [pid 12495] [client 79.246.64.98:52982] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery
[Thu Jun 30 12:29:22.608838 2016] [access_compat:error] [pid 12095] [client 79.246.64.98:52996] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery
[Thu Jun 30 12:37:38.445458 2016] [access_compat:error] [pid 12681] [client 79.246.64.98:53263] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery
[Thu Jun 30 12:39:57.687013 2016] [access_compat:error] [pid 14515] [client 79.246.64.98:53295] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/edit.php?post_type=dt_gallery

[Thu Jun 30 13:59:14.258304 2016] [access_compat:error] [pid 19336] [client 79.246.64.98:56558] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post.php?post=8&action=edit
[Thu Jun 30 14:00:00.055085 2016] [access_compat:error] [pid 17981] [client 79.246.64.98:56577] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/post.php?post=8&action=edit
[Thu Jun 30 14:04:05.572801 2016] [access_compat:error] [pid 20763] [client 79.246.64.98:56639] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-header-menu&settings-updated=true
[Thu Jun 30 14:05:16.270105 2016] [access_compat:error] [pid 19225] [client 79.246.64.98:56655] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-header-menu&settings-updated=true
[Thu Jun 30 14:05:25.938116 2016] [access_compat:error] [pid 17981] [client 79.246.64.98:56669] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-branding-menu
[Thu Jun 30 14:05:33.247211 2016] [access_compat:error] [pid 17981] [client 79.246.64.98:56675] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-header-menu&settings-updated=true
[Thu Jun 30 14:05:46.848044 2016] [access_compat:error] [pid 17981] [client 79.246.64.98:56681] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-branding-menu
[Thu Jun 30 14:05:49.859076 2016] [access_compat:error] [pid 20817] [client 79.246.64.98:56682] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-header-menu&settings-updated=true
[Thu Jun 30 14:06:08.399345 2016] [access_compat:error] [pid 20939] [client 79.246.64.98:56692] AH01797: client denied by server configuration: uri /wp-content/plugins/sucuri-scanner/inc/css/A.sucuri-scanner.min.css,qver=5580b26.pagespeed.cf.p5Dip6VJie.css, referer: http://customersdomain.eu/wp-admin/admin.php?page=of-header-menu&settings-updated=true

Does the Pagespeed Module got in his Way?

The Customer has this always, if he edits his WP Sites.

 

[UFHH01]

Hi daanse,

client denied by server configuration

As you can see, your server configuration prohibits the access. This is most likely the case, if you configured apache modules, as for example "mod_security", "suhosin" or something similar.

The result of your server configuration is, that Fail2Ban "punishes" your customer, because as you can see in your filter:

...
^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
...

... such actions are monitored and banned.

Does the Pagespeed Module got in his Way?

No.

 

[daanse]

uhm,
i don't understand.
I have "Atomic Basic ModSecurity" active with Config set to balanced.
Rules are refreshed Daily.
I didn't configured it more..

How can i changes this behaviour?

 

[UFHH01]

Hi daanse,

sorry, I'm not an expert of ASL. Consider to ask specific ASL - questions at "http://forums.atomicorp.com/viewforum.php?f=3", or pls. wait for other Plesk forum users to answer your questions about it.

 

[daanse]

Hi,
so it seems that no one responsible for this.
http://forums.atomicorp.com/viewtopic.php?f=18&t=8449
So somehow the Wordpress of this Customer has some fails in Config or htaccess or Folder Permissions.

 

[UFHH01]

So somehow the Wordpress of this Customer has some fails in Config or htaccess or Folder Permissions.

Pls. don't go too early only to one direction, before you investigate ".htaccess" - files and/or file/folder permissions. The answer from AtomicCorp-Staff states as well clearly: "Other modules may cause these errors too."

... but it is now clear, that Fail2Ban itself is not your root cause and you already marked the thread as "solved", as I can see.

 

[daanse]

Yes sorry,
i expect that you say something like "not our fault".. I can report if i find something.
But actually i don't know what the Customer is running. He got advice to check Folder and File Permissions...
If Fail2Ban is okay, its propally not pagespeeds fault, not ModSecurity, what else could it be? I have no clue.

 

[UFHH01]

Hi daanse,

first, I want to state clearly, that I'm not at all a Plesk-Team-Member, nor do I work for Plesk. I'm just trying to help people with issues, related to Plesk and its components.
Second, as you can see with your log - files and filter - definitions, Fail2Ban itself does exactly, what it is supposed to do - it is o.k. to mark the thread as "resolved", regarding your topic and initial post in this thread.


In addition, I can only recommend to investigate your issue further, to be clear about your root cause.
In your case, you use Wordpress, with plugins. To see, if a plugin causes the issue, it would help to switch each plugin off, one by one and afterwards check, if the issue is gone, when you now reproduce the issue, by doing the same steps as the customer. ( results will be seen in your domain - specific webserver log - files ).
If this doesn't already point to the issue, pls. investigate your webserver modules and just as with wordpress, disable each module, one by one and try to reproduce the issue, by doing the same steps as your customer. ( results will be seen again in your domain - specific webserver your log - files ).


Consider as well to increase your domain - specific log - level, so that the output in your logs is more verbose.

Steps to go:

Insert "loglevel debug" at "Home > Subscriptions > example.com > Websites & Domains > Apache & nginx Settings for example.com" at "Additional directives for HTTP" and "Additional directives for HTTPS" for your apache webserver and restart your apache.​

Consider to open another thread with your "client denied by server configuration" - issue, because it has got nothing to do with Fail2Ban.