Issue Fail2ban: IP addresses are not blocked by Recidive

frg62

Basic Pleskian
Server operating system version: Debian 11
Plesk version and microupdate number: Plesk Obsidian 18.0.67 Update #3
Hello,

I have noticed that the IP addresses that are supposed to be banned by Recidive can actually still access the server.
Here is an extract from the F2B logs for a specific attacking IP address:

2025-02-23 02:36:01,726 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 02:36:01
2025-02-23 02:37:38,237 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 02:37:38
2025-02-23 02:39:13,230 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 02:39:13

2025-02-23 02:39:13,613 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 185.226.117.240
2025-02-23 02:39:13,614 fail2ban.filter [939832]: INFO [recidive] Found 185.226.117.240 - 2025-02-23 02:39:13
2025-02-23 03:39:13,243 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 185.226.117.240
2025-02-23 03:39:15,657 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 03:39:15
2025-02-23 03:40:47,978 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 03:40:47
2025-02-23 03:42:23,482 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-23 03:42:23

2025-02-23 03:42:23,511 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 185.226.117.240
2025-02-23 03:42:23,521 fail2ban.filter [939832]: INFO [recidive] Found 185.226.117.240 - 2025-02-23 03:42:23
2025-02-23 04:42:23,137 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 185.226.117.240
2025-02-24 03:23:24,790 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 03:23:24
2025-02-24 03:24:52,367 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 03:24:52
2025-02-24 03:26:28,062 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 03:26:28

2025-02-24 03:26:28,392 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 185.226.117.240
2025-02-24 03:26:28,401 fail2ban.filter [939832]: INFO [recidive] Found 185.226.117.240 - 2025-02-24 03:26:28
2025-02-24 04:26:28,378 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 185.226.117.240
2025-02-24 04:27:45,311 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 04:27:45
2025-02-24 04:29:32,061 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 04:29:32
2025-02-24 04:31:20,203 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 04:31:20

2025-02-24 04:31:20,750 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 185.226.117.240
2025-02-24 04:31:20,906 fail2ban.filter [939832]: INFO [recidive] Found 185.226.117.240 - 2025-02-24 04:31:20
2025-02-24 04:31:21,413 fail2ban.actions [939832]: NOTICE [recidive] Ban 185.226.117.240
2025-02-24 05:31:20,391 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 185.226.117.240 <----------------------------------- !!!!!!!!!!!!!!!!!!!!
2025-02-24 06:25:46,311 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-24 06:25:46
2025-02-25 19:02:40,854 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-25 19:02:40
2025-02-25 19:02:47,885 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-25 19:02:47
2025-02-25 19:02:57,898 fail2ban.filter [939832]: INFO [plesk-postfix] Found 185.226.117.240 - 2025-02-25 19:02:57

2025-02-25 19:02:57,925 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 185.226.117.240
2025-02-25 19:02:57,933 fail2ban.filter [939832]: INFO [recidive] Found 185.226.117.240 - 2025-02-25 19:02:57

As you can see, everything works correctly at the beginning:
The address is banned a few times by the Postfix jail (for 1 hour), and the Recidive counter runs until that jail bans the address (for 1 week).

OK, but one hour later the Postfix jail unbans the address!

And the cycle starts again, making the Recidive jail completely useless.

Where did I go wrong in my configuration?

Regards,
François
 
No, it is not:
Code:
root@server:~# iptables -L -n | grep 185.226.117.240
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@server:~#

Yet it should be, because it was supposedly sent to Recidive 2 days ago (2025-02-24 04:31:21,413).
 
# Warning: iptables-legacy tables present, use iptables-legacy to see them
This warning indicates that your server is running nftables, with legacy compatibility for iptables.

So instead of using the iptables command use the iptables-legacy command (or the equivalent nftables command) to get a proper output.
Code:
iptables-legacy -L -n | grep 185.226.117.240
 
It looks like the warning should no longer be displayed; see the results for each command:

Code:
root@server:~# iptables-legacy -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@server:~#

Code:
root@server:~# iptables -L -n
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-plesk-one-week-ban  udp  --  0.0.0.0/0            0.0.0.0/0
f2b-plesk-one-week-ban  tcp  --  0.0.0.0/0            0.0.0.0/0
f2b-plesk-wordpress  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,7080,7081
f2b-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,7080,7081
f2b-recidive  tcp  --  0.0.0.0/0            0.0.0.0/0
f2b-plesk-modsecurity  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,7080,7081
f2b-plesk-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 143,993,110,995,4190
f2b-plesk-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  100.64.0.0/10        0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
[...]
Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  80.94.95.228         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  194.0.234.11         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  87.120.93.11         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  193.41.206.98        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
root@server:~#
 
If you're dealing with IP bans in Plesk and need to adjust the ban period for WordPress-related security blocks, follow these steps:

1. Log into Plesk.
2. Navigate to Tools & Settings > IP Address Banning (Fail2Ban) > Jail tab.
3. Locate plesk-wordpress and click Change Settings.
4. Set a new value for the IP address ban period according to your preference.
5. Click OK to save the changes.

This should help manage how long IPs remain blocked by Fail2Ban in Plesk. Hope this helps!
 
To me it seems OK that the Postfix chain entry is removed. Our servers here are doing this all the time: they remove entries from the individual jail chains while they keep the entries in the recidive jail chain. The problem here seems to be that the IP is not being added to the recidive chain in the first place. Removing an IP from another chain does not modify the recidive jail chain (unless that is a bug with the iptables-legacy thing ...)

It is thinkable that the "action" defined in jail.local for the recidive jail fails. After the recidive ban is logged, do you see the IP address in the recidive jail chain at all?
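The behaviour described in the opening post (the Postfix jail bans for an hour, Recidive counts those bans and bans for a week) and the point in the last reply (a per-jail Unban does not touch the recidive ban) can be replayed against log lines. What follows is an added example written for this thread, not code from Plesk or from fail2ban. The log lines are constructed in the fail2ban.log format posted above, using an RFC 5737 documentation address instead of the attacker's IP; the jail parameters (findtime 1d, maxretry 5, bantime 1w) are the upstream fail2ban defaults for recidive and are an assumption about this server; and the regular expression is a simplified form of the failregex in recidive's filter, not the filter itself.

```python
"""Replay fail2ban.log through a recidive-style jail (added example).

Models how the recidive jail counts the "NOTICE [jail] Ban <ip>" lines
written by other jails, bans for `bantime` once `maxretry` of them fall
inside `findtime`, and why a later "Unban" from the originating jail has
no effect on that ban. The default parameters are upstream fail2ban
values for recidive; Plesk may ship different ones (assumption).
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the fail2ban.log format shown in the thread; the
# address is an RFC 5737 documentation IP, not the attacker from the post.
SAMPLE_LOG = """\
2025-02-24 02:39:13,613 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 203.0.113.10
2025-02-24 03:39:13,243 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 203.0.113.10
2025-02-24 03:42:23,511 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 203.0.113.10
2025-02-24 04:42:23,137 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 203.0.113.10
2025-02-24 04:45:30,001 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 203.0.113.10
2025-02-24 05:45:30,002 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 203.0.113.10
2025-02-24 05:48:40,003 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 203.0.113.10
2025-02-24 06:48:40,004 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 203.0.113.10
2025-02-24 06:51:50,005 fail2ban.actions [939832]: NOTICE [plesk-postfix] Ban 203.0.113.10
2025-02-24 06:51:51,300 fail2ban.actions [939832]: NOTICE [recidive] Ban 203.0.113.10
2025-02-24 07:51:50,006 fail2ban.actions [939832]: NOTICE [plesk-postfix] Unban 203.0.113.10
"""

# Simplified form of the failregex in fail2ban's recidive.conf: only
# "Ban" lines match; bans issued by recidive itself are excluded below.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)$"
)


def is_banned(bans, ip, at):
    """True if `ip` has a recidive ban interval covering time `at`."""
    return any(start <= at < end for start, end in bans.get(ip, []))


def recidive_events(log_text, findtime=timedelta(days=1), maxretry=5,
                    bantime=timedelta(weeks=1)):
    """Return (found, bans): `found` lists every (time, ip) the filter
    matched; `bans` maps ip -> list of (ban_start, ban_end) intervals."""
    found, bans, failures = [], {}, {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("jail") == "recidive":
            continue  # Unban lines and recidive's own bans never count
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        found.append((ts, ip))
        if is_banned(bans, ip, ts):
            continue  # fail2ban would report the IP as already banned
        # Keep only matches inside the findtime window, then add this one.
        window = [t for t in failures.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans.setdefault(ip, []).append((ts, ts + bantime))
            failures[ip] = []  # ticket moves to the ban list; counter restarts
    return found, bans


def check_after_unban(log_text, ip):
    """Is `ip` still under a recidive ban one second after the last
    '[plesk-postfix] Unban' line for it? That is the moment marked with
    arrows in the opening post."""
    _, bans = recidive_events(log_text)
    unbans = [datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
              for line in log_text.splitlines()
              if "[plesk-postfix] Unban " + ip in line]
    return is_banned(bans, ip, max(unbans) + timedelta(seconds=1))


if __name__ == "__main__":
    found, bans = recidive_events(SAMPLE_LOG)
    for ts, ip in found:
        print(f"{ts} recidive Found {ip}")
    for ip, intervals in bans.items():
        for start, end in intervals:
            print(f"{start} recidive Ban {ip} until {end}")
    print("still banned after postfix unban:",
          check_after_unban(SAMPLE_LOG, "203.0.113.10"))
```

Running it shows five recidive "Found" events (the Unban lines and recidive's own Ban line are ignored), one recidive ban starting at the fifth Postfix ban and lasting a week, and the IP still banned after the Postfix jail has unbanned it. On the live server the equivalent checks are `fail2ban-client status recidive` (the "Banned IP list" should contain the address) and `iptables -w -n -L f2b-recidive`, or `nft list ruleset | grep f2b-recidive` with the nft backend. If the `NOTICE [recidive] Ban` line appears in the log but the address is missing from the chain, the jail's ban action failed to apply the rule, which is what the last reply suggests checking.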
 