
Question Fail2Ban lock real users (repeated)

markusoswald

New Pleskian
Hi there,

I have one question.
I have a user who is always banned by Fail2Ban from Plesk. I have to unlock the IP manually every time. Can someone tell me how this could happen?

Attached a screenshot from my Analytics. This is the user who is locked permanently.

His IP is changing every 24 hours, so I'm looking for a solution...

Best regards!
 

Attachments

  • fail2ban.png
Hi markusoswald,

Please have a look at your screenshot yourself and please describe what sort of investigations could be done with the help of this screenshot? :confused:

Investigations are not done with screenshots. Investigations should be done with the help of configuration files and log file entries. We really can't guess why a user gets banned by Fail2Ban on your server, nor do we know what sort of Fail2Ban jails/filters you use.
To investigate issues with Fail2Ban you should at least post the corresponding Apache/nginx log entries of your domain/subdomain (or the corresponding log file entries from the log which is defined in the corresponding Fail2Ban jail) and the corresponding Fail2Ban log entries.

Please REDUCE the complete log files to issues related to the banned IP, so that people willing to help you don't have to do the whole investigation work all by themselves and you just upload possibly huge log files. ;)
 
In the Fail2Ban extension, see which jail has blocked the user.

If it is one of the mail jails: The user is using wrong login credentials on at least one device, e.g. his phone, his PC, a second computer ...
This is by far the most frequent reason for real-user lockouts.
Solution: Check all devices for wrong access credentials in mail client software.

If it is the WordPress jail: The user is frequently using the same functions while updating his WordPress website.
Solution: There is none, unfortunately. You can try to raise the number of failures that trigger a jail to lock out a user, but this also lowers security against real DoS and brute force attacks.
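
The two replies above ask for the Fail2Ban log reduced to the banned IP and for the jail that did the banning. The following is an added example, not part of the original thread: a shell function that reads a Fail2Ban log and reports, per jail, how often one IP was matched, banned and unbanned. The default path `/var/log/fail2ban.log`, the function names and the sample lines (documentation IP ranges, jail names `plesk-dovecot` and `plesk-wordpress`) are assumptions constructed for illustration.

```bash
# Added example (not from the thread). Assumes the usual fail2ban.log layout:
#   <date> <time> fail2ban.<component> [pid]: <LEVEL> [<jail>] <Found|Ban|Unban> <ip> ...

# jail_summary IP [LOGFILE|-]
# Prints one line per jail that touched IP: "<jail> found=N ban=N unban=N".
jail_summary() {
    local ip="$1" log="${2:-/var/log/fail2ban.log}"   # default path is an assumption
    awk -v ip="$ip" '
        {
            jail = ""; act = ""
            for (i = 1; i < NF; i++) {
                # The jail is the first token of the form [name]; the pid token
                # ends in "]:" and is therefore skipped.
                if (jail == "" && substr($i, 1, 1) == "[" && substr($i, length($i)) == "]") {
                    jail = substr($i, 2, length($i) - 2)
                    continue
                }
                # Only count events whose very next field is the IP we care about.
                if (jail != "" && ($i == "Found" || $i == "Ban" || $i == "Unban") && $(i + 1) == ip) {
                    act = $i
                    break
                }
            }
            if (act == "") next
            seen[jail] = 1
            n[jail, act]++
        }
        END {
            for (j in seen)
                printf "%s found=%d ban=%d unban=%d\n", j, n[j, "Found"], n[j, "Ban"], n[j, "Unban"]
        }' "$log" | sort
}

# Constructed sample log lines, for demonstration only.
sample_log() {
    cat <<'EOF'
2025-01-10 08:01:12,101 fail2ban.filter  [912]: INFO    [plesk-dovecot] Found 203.0.113.7 - 2025-01-10 08:01:12
2025-01-10 08:01:40,512 fail2ban.filter  [912]: INFO    [plesk-dovecot] Found 203.0.113.7 - 2025-01-10 08:01:40
2025-01-10 08:02:03,778 fail2ban.filter  [912]: INFO    [plesk-dovecot] Found 203.0.113.7 - 2025-01-10 08:02:03
2025-01-10 08:02:04,020 fail2ban.actions [912]: NOTICE  [plesk-dovecot] Ban 203.0.113.7
2025-01-10 08:05:00,000 fail2ban.filter  [912]: INFO    [plesk-wordpress] Found 198.51.100.9 - 2025-01-10 08:05:00
2025-01-10 08:12:04,300 fail2ban.actions [912]: NOTICE  [plesk-dovecot] Unban 203.0.113.7
EOF
}

# Demo on the constructed sample ("-" makes awk read standard input).
sample_log | jail_summary 203.0.113.7 -
```

Several `Found` lines from a mail jail followed by a `Ban` match the wrong-credentials case described above; the timestamps of those `Found` lines show which entries to pull from the log file that jail watches.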
 