• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Fail2Ban IPv6 banning in Obsidian. Correct Plesk Configuration?

learning_curve

learning_curve

Golden Pleskian
IPv6 banning within Fail2Ban has been supported in Obsidian since way back HERE but like many people, we didn't upgrade from Onyx, until Obsidian attained General Release status, so we're a little slow posting this question.

Now, with an up to date Obsidian install, we have Fail2Ban 10.3.1 provided by Plesk which supports IPv6 banning (/etc/fail2ban/action.d/iptables-common.conf) but... we still can't see that the IPV6 banning is operational (or not by default after its installation anyway) and indeed, find any, already listed, Plesk compatible method of enabling this functionality.

Both these Obsidian Reference Doc Pages (One & Two) completely ignore IPv6 with the exception of this one unhelpful line:
"Fail2Ban does not provide protection against attackers with an IPv6 address. Fail2ban in Plesk relies solely on IPs (without hostname lookups) unless reconfigured"
Click to expand...

Ouside of Plesk, there are many guides / instructions / methods for enabling IPv6 banning with Fail2Ban but just as with the very handy PHP complilations that are also provided by Plesk, you can't just modify whatever you want, without checking for potential collateral damage first... Hence this request for the correct Plesk compatible method ;)

We're assuming that the configuration will be made within /etc/fail2ban/jail.local and/or an additional file created e.g. /etc/fail2ban/jail.d/customisation.local and/or, modifications made to existing files within here: /etc/fail2ban/filter.d because both /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/plesk.conf are system generated / overwritten files, thus it's pointless applying changes to them.

In theory :D if Plesk is using iptables with ipset actions, then adding something simple (which covers IPv4 & IPv6) like:
Code: 
[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports
into /etc/fail2ban/jail.local might be sufficient to enable this functionality, which, should then present both of the banned IP address sets (IPv4 and IPv6) on the Plesk GUI Fail2ban page. However, it's the provided by Plesk / potential collateral damage risk, which stops us from exploring this any further currently, without any advance Plesk direct input.
 
Update. After a very helpful, detailed response from Plesk, IPv6 address banning is enabled by default within Fail2Ban on Obsidian, so no additional configuration is required (On both Onyx to Obsidian upgrades and/or, Obsidian fresh installs)

The two Obsidian Reference Doc Pages (One & Two) that at the time of the above post, completely ignored IPv6 (ref last post) were out of date. They have now been updated / corrected, to avoid any unintenional misdirections like the one above.

The reason that we couldn't we see any IPv6 addresses, listed on our own Fail2Ban GUI page that shows all of the IPv4 addresses that are currently being banned is.... purely timing. Or in other words, at the time we made the above post.... no IPv6 addresses had actually broken any of the jail / filter rules that we have in place in Fail2Ban ;)

EDIT: And as if by some Festive Spirit Intervention (OK - Timing :D) we now have banned IPv6 addresses present, within our own Fail2Ban GUI page that's mentioned above. Happy Christmas.
 
Last edited:
learning_curve said:
Update. After a very helpful, detailed response from Plesk, IPv6 address banning is enabled by default within Fail2Ban on Obsidian, so no additional configuration is required (On both Onyx to Obsidian upgrades and/or, Obsidian fresh installs)
Click to expand...

@learning_curve - do you use ipset within fail2ban? I had a working version under Onyx, but this works only partly under obsidian after upgrade from onyx. Only IPV4 adresses are stored and none IPV6.

Edit: got it fixed had to update the iptables-ipset-proto6.conf - it seems this confs are not updated when upgrading from onyx.
fail2ban/fail2ban
 
Last edited:
Brujo said:
@learning_curve - do you use ipset within fail2ban?
Click to expand...
Not currently, no. At the time of the first post, we thought we would need to, so we were ready to install the Ubuntu 18.04 LTS package and modify that (similar to our frst post & the link you provided etc) and then go from there, but as you can see in our second post, that became unecessary and we can see both IPv4 and IPv6 adddresses now without any issues, by using the default Plesk Obsidian Fail2Ban setup on our customised jails & filters.
 
@Brujo @learning_curve

Hi , I read the above posts.

My problem is that I can't see nor white or blacklist any IPv6 addresses, but a user seems banned because of repeatedly entering a wrong password and having an IPv6 address. With more people moving from IPv4 to IPv6 I assume this issue will increase.

I am running Plesk Obsidian v18.0.46_build1800220905.16 os_CentOS 7 which is installed as an upgrade of earlier versions of Plesk.
When I login to the server I am missing a lot of files that were assumed available in the /etc/fail2ban/ directory according to fail2ban/iptables-ipset-proto6.conf at 0.10 · fail2ban/fail2ban

According to the readme file, I am running fail2ban-0.11.2

Content of jail.local [DEFAULT] destemail = {my email address} maxretry = 3 findtime = 1209600 bantime = 15768000 ignoreip = 127.0.0.1/8 85.149.136.34 77.166.51.138 163.158.89.87 84.85.63.25 95.211.247.176 2a02:a210:213c:1680:440:921c:95d5:27cd [plesk-apache] enabled = true [plesk-apache-badbot] enabled = true [plesk-courierimap] enabled = true [plesk-dovecot] [plesk-horde] [plesk-modsecurity] enabled = false [plesk-panel] enabled = true [plesk-postfix] enabled = true [plesk-proftpd] enabled = true [plesk-qmail] [plesk-roundcube] enabled = true [plesk-wordpress] enabled = true [recidive] enabled = true [ssh] enabled = true


Would adding the lines below in jail.local solve my problem. I would assume the files iptables-ipset-proto6-allports.conf and iptables-ipset-proto6.conf should be present as well?

[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports


Looking forward to your response.
Kind regards.
 
You must log in or register to reply here.

Similar threads

JmRy
Question Fail2ban no ban ... ?
Replies
1
Views
2K
Bitpalast
Bitpalast
Azurel
Forwarded to devs Plesk fail2ban jails and iptables not working correctly [SECURITY ISSUE?]
Replies
4
Views
2K
Azurel
Azurel
D
Forwarded to devs fail2ban log directory will not be updated
Replies
2
Views
1K
destan40
D
O
Question How to fine-tune Fail2Ban? (filters, jails, settings, Nginx, blocklists, badips sync, IPv6)
Replies
12
Views
5K
IgorG
IgorG
Host-Inkompetent
Question Fail2Ban Configuration failed by \n
Replies
1
Views
2K
IgorG
IgorG
Back
Top