
Fail2Ban Jail needed for /var/log/sw-cp-server/error_log

TimReeves

Regular Pleskian

TITLE

Fail2Ban Jail needed for /var/log/sw-cp-server/error_log

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Web Admin, Plesk Obsidian 18.0.66 Update #2, Debian 12.9

PROBLEM DESCRIPTION

While checking if all logrotate actions are being performed adequately, I noticed a log file /var/log/sw-cp-server/error_log. On looking into it I saw it contained pretty much ONLY hacking attempts on Plesk Panel, below are some lines.

I checked if there is already a Fail2Ban Jail for this - but no. There is one "plesk-panel" which monitors /var/log/plesk/panel.log, which is pretty pointless - that contains Plesk housekeeping entries; the attacks are in /var/log/sw-cp-server/error_log. Please add a jail for this log!

2025/01/20 20:19:08 [error] 684#0: *3061 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"

2025/01/20 21:16:33 [error] 684#0: *3065 open() "/opt/psa/admin/htdocs/hello" failed (2: No such file or directory), client: 128.199.242.159, server: , request: "GET /hello HTTP/1.1", host: "cf.06151953.xyz"

2025/01/20 21:54:17 [error] 684#0: *3099 open() "/opt/psa/admin/htdocs/hello" failed (2: No such file or directory), client: 128.199.179.71, server: , request: "GET /hello HTTP/1.1", host: "cf.06151953.xyz"

2025/01/20 22:25:18 [error] 684#0: *3112 open() "/opt/psa/admin/htdocs/remote/login" failed (2: No such file or directory), client: 92.255.85.59, server: , request: "GET /remote/login HTTP/1.1", host: "212.227.143.227:8443"

2025/01/20 22:50:45 [error] 684#0: *3127 open() "/opt/psa/admin/htdocs/SETTINGS.CFG" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "GET /SETTINGS.CFG HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443"

2025/01/21 00:46:08 [error] 684#0: *3131 open() "/opt/psa/admin/htdocs/hello" failed (2: No such file or directory), client: 128.199.170.18, server: , request: "GET /hello HTTP/1.1", host: "cf.06151953.xyz"

2025/01/21 01:13:32 [error] 684#0: *3143 open() "/opt/psa/admin/htdocs/actuator/gateway/routes" failed (2: No such file or directory), client: 92.255.57.58, server: , request: "GET /actuator/gateway/routes HTTP/1.1", host: "212.227.143.227:8443"

2025/01/21 01:24:14 [error] 684#0: *3144 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"

2025/01/21 03:40:48 [error] 684#0: *3237 open() "/opt/psa/admin/htdocs/.git/config" failed (2: No such file or directory), client: 149.62.45.31, server: , request: "GET /.git/config HTTP/1.1", host: "212.227.143.227:8443"

2025/01/21 03:41:20 [error] 684#0: *3239 open() "/opt/psa/admin/htdocs/.git/config" failed (2: No such file or directory), client: 149.62.45.27, server: , request: "GET /.git/config HTTP/1.1", host: "212.227.143.227:8880"

2025/01/21 06:37:16 [error] 684#0: *3281 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"

2025/01/21 09:05:16 [error] 684#0: *3317 open() "/opt/psa/admin/htdocs/SETTINGS.CFG" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "GET /SETTINGS.CFG HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443"

2025/01/21 11:37:53 [error] 684#0: *3359 open() "/opt/psa/admin/htdocs/version" failed (2: No such file or directory), client: 167.94.145.110, server: , request: "GET /version HTTP/1.1", host: "212.227.143.227:8443"

2025/01/21 11:43:42 [error] 684#0: *3386 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"

STEPS TO REPRODUCE

Check all registered jails

ACTUAL RESULT

you won't find one for /var/log/sw-cp-server/error_log

EXPECTED RESULT

There should be one for /var/log/sw-cp-server/error_log

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Answer the question
 
EXPECTED RESULT

There should be one for /var/log/sw-cp-server/error_log

Just out of curiosity, why would you expect there to be a fail2ban jail specifically for /var/log/sw-cp-server/error_log? What issue would you feel this would solve?

I am asking out of genuine curiosity, not to bash your request :)

Sadly, any (publicly accessible) server will be probed for weaknesses (on any service it runs, like ssh, email, websites or applications). The errors logged at /var/log/sw-cp-server/error_log are mostly from failed requests to the Plesk service, which in turn consist mostly of probe attempts from bots to non-existing URIs. These probe attempts are definitely annoying, but in my (humble) opinion do not pose much of a threat, as access to Plesk (as a panel) is restricted anyway and any actual failed login attempt gets logged in /var/log/plesk/panel.log. So as long as Plesk is up-to-date (and any new release does not massively screw up Plesk's security), there is no chance of these probes leading to any security issue.

I just had a quick look at the entries in /var/log/sw-cp-server/error_log on one of my production servers and noticed that most of the IPs listed in the log were already banned by fail2ban through various other jails. This indicates that, in my case at least, these requests are (mostly) from annoying bots probing my server for any type of weakness, and not an actual targeted attack. (But your situation could be different, of course.)
 
In case you're interested, here is a fail2ban filter and jail you can use. I've tested the regular expression against the /var/log/sw-cp-server/error_log log on my server with success, using the fail2ban-regex utility. Other than that, I have not tested the jail in any production environment, so use at your own discretion.

Filter
Code:
[Definition]
# The failregex line as posted was cut off after "(, ref"; the optional referrer group
# below completes it from the sample log lines above. Literal parentheses are escaped
# and the HTTP minor version is made optional so HTTP/2 requests match as well.
failregex = ^ \[error\] \d*#0: \*\d* open\(\) "[^"]*" failed \([^"]*\), client: <HOST>, server: , request: "(GET|POST|HEAD) [^"]* HTTP\/\d(?:\.\d+)?", host: "[^"]*"(, referrer: "[^"]*")?$
ignoreregex =
datepattern = {^LN-BEG}

Jail
Code:
[custom-plesk-failed-requests]

enabled  = true
action   = iptables-allports[name="plesk-failed-requests"]
# name of the filter file in filter.d, without the .conf extension
filter   = <name of your filter>
logpath  = /var/log/sw-cp-server/error_log
 
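The filter and jail above describe the detection, but not what fail2ban would actually do with the log lines from the first post. The following is an added example, not the poster's code and not part of fail2ban: it replays the posted failregex in Python over those log lines and simulates the jail's maxretry/findtime counting. Assumptions, marked in the code: a simplified <HOST> expansion, the trailing referrer group that completes the cut-off regex line, the jail thresholds, and the last (constructed) log entry.

```python
# Added example (not the forum poster's code and not part of fail2ban): replays
# the posted filter over sw-cp-server error_log lines and simulates the jail's
# maxretry/findtime counting, so you can see which client IPs would be banned.
# Everything marked "assumption" below is mine, not taken from the thread.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the <HOST> tag that fail2ban expands itself (assumption: this is
# the 0.10+ shape; it also matches hostnames, which is fine for this log).
HOST = r'(?P<host>[\w\-.^_]*\w)'

# The stamp that "datepattern = {^LN-BEG}" strips before failregex is applied.
DATE_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})')

# The posted failregex. The trailing optional referrer group is an assumption:
# the forum line was cut off after "(, ref", and some of the sample lines carry
# a ", referrer: ..." field.
FAILREGEX = re.compile(
    r'^ \[error\] \d*#0: \*\d* open\(\) "[^"]*" failed \([^"]*\), client: '
    + HOST
    + r', server: , request: "(?:GET|POST|HEAD) [^"]* HTTP/\d(?:\.\d+)?"'
    r', host: "[^"]*"(?:, referrer: "[^"]*")?$'
)

# Entries 1-8 are copied from the first post; entry 9 is constructed (TEST-NET-3
# address) to show that an nginx error without open() is not counted.
SAMPLE_LOG = [
    '2025/01/20 20:19:08 [error] 684#0: *3061 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"',
    '2025/01/20 21:16:33 [error] 684#0: *3065 open() "/opt/psa/admin/htdocs/hello" failed (2: No such file or directory), client: 128.199.242.159, server: , request: "GET /hello HTTP/1.1", host: "cf.06151953.xyz"',
    '2025/01/20 22:50:45 [error] 684#0: *3127 open() "/opt/psa/admin/htdocs/SETTINGS.CFG" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "GET /SETTINGS.CFG HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443"',
    '2025/01/21 01:24:14 [error] 684#0: *3144 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"',
    '2025/01/21 03:40:48 [error] 684#0: *3237 open() "/opt/psa/admin/htdocs/.git/config" failed (2: No such file or directory), client: 149.62.45.31, server: , request: "GET /.git/config HTTP/1.1", host: "212.227.143.227:8443"',
    '2025/01/21 06:37:16 [error] 684#0: *3281 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"',
    '2025/01/21 09:05:16 [error] 684#0: *3317 open() "/opt/psa/admin/htdocs/SETTINGS.CFG" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "GET /SETTINGS.CFG HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443"',
    '2025/01/21 11:43:42 [error] 684#0: *3386 open() "/opt/psa/admin/htdocs/login.cgi" failed (2: No such file or directory), client: 45.142.193.71, server: , request: "POST /login.cgi HTTP/1.1", host: "212.227.143.227:8443", referrer: "https://212.227.143.227:8443/Main_Login.asp"',
    '2025/01/21 12:00:00 [error] 684#0: *3400 upstream prematurely closed connection while reading response header from upstream, client: 203.0.113.5, server: , request: "GET /login_up.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/sw-engine.sock", host: "212.227.143.227:8443"',
]


def parse_line(line):
    """Return (timestamp, client) when the line counts as a failure for this
    filter, else None. Mirrors fail2ban: date stripped first, then failregex."""
    m_date = DATE_RE.match(line)
    if not m_date:
        return None
    m = FAILREGEX.match(line[m_date.end():])
    if not m:
        return None
    ts = datetime.strptime(m_date.group('ts'), '%Y/%m/%d %H:%M:%S')
    return ts, m.group('host')


def simulate_jail(lines, maxretry=5, findtime=600):
    """Count failures per client the way a jail does: a client is banned at the
    failure that makes maxretry matches fall within the last findtime seconds.
    Defaults are fail2ban's own (5 failures within 600 s). Returns {client: ban_time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, client = hit
        if client in banned:
            continue
        # Forget failures older than findtime relative to this one, then count.
        recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
        if len(recent[client]) >= maxretry:
            banned[client] = ts
    return banned


if __name__ == '__main__':
    print('fail2ban defaults   :', simulate_jail(SAMPLE_LOG))
    print('maxretry=3, 24h find:', simulate_jail(SAMPLE_LOG, maxretry=3, findtime=86400))
```

With fail2ban's defaults (maxretry 5 within findtime 600 s) nothing in the sample gets banned, because even the repeated probes from 45.142.193.71 are hours apart; a jail aimed at slow scanners like these needs a findtime of hours or a lower maxretry, at the cost of also catching ordinary 404s against the panel. Stock fail2ban additionally ships an nginx-botsearch filter that matches this same open() ... failed (2: No such file or directory) line shape for a fixed list of paths, which is worth comparing against before maintaining a custom filter.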