FAil2Ban - jails are all inactive

[EndlessManga]

Hi,

I was wondering why all the jails in fail2ban are inactive..

Do I need to enable all of them? or there's only a specific list that is useful?

Thank you

 

[EndlessManga]

Anyone please!!! I'm currently under constant ddos attack!!

 

[pleskpanel]

Did you try to activate the packaged Plesk jails for ftp, the control panel mail, etc...? By default when you install Fail2Ban they will be inactive until you activate them (but be careful to white list your IP first)

 

[EndlessManga]

which one I need to activate??

http://puu.sh/j2N49/9e0ab41a58.png
http://puu.sh/j2N6G/8d23610f59.png
http://puu.sh/j2N7S/4ba7cb1faf.png

 

[trialotto]

@EndlessManga,

Which plesk version are you using?

And start by using the Plesk Firewall, in order to block all (unknown) IP addresses permanently.

Also have a look at your log files, in order to establish an idea from which IP addresses the attack is originating (block those IPs manually in the Plesk Firewall).

Kind regards.....

 

[Nomadturk]

I'ld say activate all.

What fail2ban does is it keeps checking your log files for attacks/brute force attempts/etc and when it finds one, it blocks the ip.
But, are these the jails you have added or did they come with plesk?

@trialotto, I find Plesk firewall insufficient since I can't add custom rules other than black/whistlisting only IP addresses.

 

[trialotto]

@Nomadturk,

Some remarks, in order to complement your reaction.

First of all, Plesk Firewall is just the same as manually adjusting iptables. For instance, whole network ranges can be blocked and/or with custom rules, one can allow traffic for specific IPs and deny from all other IPs. It is just some degree of "getting used" to the Plesk Firewall interface.

Second, note that manually (i.e. by command line) or programmatically (i.e. by scripts) changing iptables does not alter the Plesk Firewall entries, it is just an addition of firewall rules.

The above implies that firewall related errors are hard to detect or to track, if a lot of manually entered firewall rules are present.

Third, fail2ban programmatically changes iptables in such a fashion, that IPs (not network ranges) are banned temporarily (not permanent).

The above implies that the Plesk Firewall has the advantages of (on the one hand) permanent IP blocks and (on the other hand) possibilities to block whole IP address ranges at once.

Fail2Ban is to be seen as an additional tool, that has to be activated in the light of "good practice", besides the Plesk Firewall (or similar firewalls).

Fourth and final, EndlessManga is very likely to use either a Plesk 12.1 (preview) version or a custom package for fail2ban, i.e. not the packages provided with Plesk.

Fact is that the Plesk packages of Fail2Ban are stable versions, while all or most of the other Fail2Ban versions are in development phase (and even unstable sometimes), as such the explanation for all the jails that are present on EndlessManga´s Fail2Ban installation.

Note that the multitude of those jails will not imply a better security, often the opposite is the case.

In a sense and related to the above, activation of all jails will not really improve security that much, it is better to fine-tune the most relevant ones, being the jails that are provided in the standard Fail2Ban package, as provided with Plesk (i.e. return to a stable version of Fail2Ban and tighten up security by fine-tuning the rules and jail settings).

Kind regards.....

 

[Nomadturk]

@trialotto,

Unfortunately it's not the same. It can be said that it is a limited version of it or a bunch of rules all togather.
Indeed, I can manually add my own iptables rules via the command line but why bother managing my rules from two different places whereas I can have only one script to rule'm all? Plesk firewall does suck. In some cases my rules didn't even know and I said that's it. Disable the whole thing and create my own.

I wouldn't want to permanently block an IP. Sometimes even I get myself banned since my ssh client was set to use an old key file/port etc. Having a long ban time on fail2ban is sufficient enough. Along with ddos deflate it's a good suplement to iptables firewalls.

Also for fail2ban jails, the amount he has indeed is a lot but I am one of those who seperates all log files and tries to check them seperately. That might work in case the attacker is not using a regular method such as classic fail2ban jails. In such cases you do need more jails for it to be detected. Or altering the existing ones to fine tune. That also works.

 

[trialotto]

@Nomadturk,

Indeed, I can manually add my own iptables rules via the command line but why bother managing my rules from two different places whereas I can have only one script to rule'm all? Plesk firewall does suck. In some cases my rules didn't even know and I said that's it. Disable the whole thing and create my own.

As always, I provided the "moderate" answer.

In fact, an experienced sysadmin (i.e. not a Plesk admin, that is something else) should be using iptables directly.

In a sense, the Plesk Firewall will suffice, in particular for inexperienced and "not so advanced" admins (and the Plesk Firewall certainly prevents them from locking themselves out).

I wouldn't want to permanently block an IP. Sometimes even I get myself banned since my ssh client was set to use an old key file/port etc. Having a long ban time on fail2ban is sufficient enough. Along with ddos deflate it's a good suplement to iptables firewalls.

Really, some IPs should be blocked permanently, since particular spammers and hackers are consistently working from specific IP address ranges.

In addition, any key file and/or port change should not result in blocking (i.e. permanent ban) or banning (i.e. temporary ban, very likely the result of Fail2Ban).

Start with whitelisting your IP in Fail2Ban and set a firewall rule "allow from... deny from all others" in order to have you granted root access with SSH all the time.

Note that you can create the firewall rule by hand (that involves multiple lines, if you want to do it correctly) OR use the Plesk Firewall (that involves creating a custom rule).

Also for fail2ban jails, the amount he has indeed is a lot but I am one of those who seperates all log files and tries to check them seperately. That might work in case the attacker is not using a regular method such as classic fail2ban jails. In such cases you do need more jails for it to be detected. Or altering the existing ones to fine tune. That also works.

Fail2Ban does not require multiple log files to function properly with a limited number of logs: you can add multiple logs to one jail.

Fail2Ban is rather flexible, but most people forget the complexity of Fail2Ban itself, including the inherent flaws in the current stable (and also future) versions.

Keep Fail2Ban usage simple, allow it to be the second step in security, with a properly defined firewall being the first step.

In essence, if you get any IP bans from Fail2Ban, you have to conclude that your firewall is not properly defined and lets undesired traffic through.

And also note that one can use alternative measures, besides a firewall and Fail2Ban.

For instance, undesired traffic due to spam activities can be mitigated with a "fake" (i.e. non-existent) mail server with high priority (spammers do often fall for that trick).

Anyway, a lot of measures can and should be taken, in order to tighten up security.

Hope the above helps and/or explains a bit.

Kind regards.....