• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Fail2Ban log showing this

Richard Follett

Basic Pleskian
my log showing these kind entries - are these all people trying to hack SSH & FTP ?

Is this a normal amount?

2017-05-25 08:12:20,788 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:20,789 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:20,790 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:21,574 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Ban 91.200.12.109
2017-05-25 08:12:22,022 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,024 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,025 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,799 fail2ban.actions [17575]: NOTICE [plesk-proftpd] 91.200.12.109 already banned
2017-05-25 08:18:36,642 fail2ban.actions [17575]: NOTICE [ssh] Unban 91.197.232.107
2017-05-25 08:19:18,936 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:18,944 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:21,032 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:21,036 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:34,159 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:34,929 fail2ban.actions [17575]: NOTICE [ssh] Ban 212.129.53.59
2017-05-25 08:19:37,439 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:22:22,490 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Unban 91.200.12.109
2017-05-25 08:29:35,844 fail2ban.actions [17575]: NOTICE [ssh] Unban 212.129.53.59
2017-05-25 08:31:15,435 fail2ban.filter [17575]: INFO [ssh] Found 139.162.122.110
2017-05-25 08:31:16,503 fail2ban.filter [17575]: INFO [ssh] Found 139.162.122.110
2017-05-25 08:34:01,802 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 51.255.75.16
2017-05-25 08:34:26,916 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 142.4.15.19
2017-05-25 08:34:41,119 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:43,225 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:43,231 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,339 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,341 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,347 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:47,421 fail2ban.actions [17575]: NOTICE [ssh] Ban 5.237.215.162
2017-05-25 08:34:47,542 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:47,543 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:48,633 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:50,742 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:50,745 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:51,650 fail2ban.actions [17575]: NOTICE [ssh] 5.237.215.162 already banned
2017-05-25 08:44:48,339 fail2ban.actions [17575]: NOTICE [ssh] Unban 5.237.215.162
 
It doesn't look unusual to me. Most linux servers suffer from large numbers of failed login attempts and Fail2Ban will deal with them.

If you haven't already done so you should consider activating the "recidive" jail. That will permanently block any repeat offenders.
 
Thank you Simon - switched on with this filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
 
Back
Top