• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Fail2Ban - Not Banning IP addresses

M

mendip_discovery

New Pleskian
I have looked through to see old issues but none of the fixes seems to work.

I am getting a lot of
"WARNING [plesk-wordpress] {NAUGHTY-IP} already banned"

but then that same IP connects again and keeps trying. I have seen a lot of activity for people to keep brute force attacking a Word Press site. The plesk-wordpress jail is standard. The IP shown below kept going for 4hrs after the ban.

CentOS Linux 7.8.2003 (Core)
Plesk Obsidian 18.0.27

Jail is
[plesk-wordpress]
enabled = true
filter = plesk-wordpress
action = iptables-multiport[name="plesk-wordpress", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
/var/log/httpd/*access_log
maxretry = 3

Filter,
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =


Example of my log,
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
 
mendip_discovery said:
I have looked through to see old issues but none of the fixes seems to work.

I am getting a lot of
"WARNING [plesk-wordpress] {NAUGHTY-IP} already banned"

but then that same IP connects again and keeps trying. I have seen a lot of activity for people to keep brute force attacking a Word Press site. The plesk-wordpress jail is standard. The IP shown below kept going for 4hrs after the ban.

CentOS Linux 7.8.2003 (Core)
Plesk Obsidian 18.0.27

Jail is
[plesk-wordpress]
enabled = true
filter = plesk-wordpress
action = iptables-multiport[name="plesk-wordpress", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
/var/log/httpd/*access_log
maxretry = 3

Filter,
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =


Example of my log,
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
Click to expand...
Have you been able to solve the issue? I am expriencing the same issue for the "plesk-postfix" jail with Plesk Obsidian 18.0.34.2 on Ubuntu 16.04.7 LTS.
 
@theunknownstuntman Could you please provide an excerpt from your /var/log/maillog and the section from /var/log/fail2ban.log where you see that the IP is banned, yet the mailserver is working with it?
 
@Peter Debik I hope this helps. I realize, that both Plesk and Fail2Ban v0.10.3.fix1 are quite old...

Fail2ban.log


2023-11-19 06:39:38,159 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:37
2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
2023-11-19 06:39:40,592 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:40
Click to expand...

maillog.processed.3.gz

Nov 21 06:39:29 servername postfix/smtpd[7897]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:29 servername postfix/smtpd[3205]: disconnect from unknown[80.94.95.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:30 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:30 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=8)
Nov 21 06:39:30 servername postfix/smtpd[32687]: warning: unknown[109.236.209.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:31 servername postfix/smtpd[32687]: lost connection after AUTH from unknown[109.236.209.0]
Nov 21 06:39:31 servername postfix/smtpd[32687]: disconnect from unknown[109.236.209.0] ehlo=1 auth=0/1 commands=1/2
Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
Nov 21 06:39:33 servername postfix/smtpd[3133]: connect from unknown[221.146.242.0]
Nov 21 06:39:33 servername postfix/smtpd[3205]: warning: hostname 120.hosted-by.bthoster.com does not resolve to address 45.129.14.0
Nov 21 06:39:33 servername postfix/smtpd[3205]: connect from unknown[45.129.14.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 21 06:39:37 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'mis123' (password len=6)
Nov 21 06:39:37 servername postfix/smtpd[3599]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:38 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:38 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=18)
Nov 21 06:39:38 servername postfix/smtpd[3205]: warning: unknown[45.129.14.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:39 servername postfix/smtpd[3205]: disconnect from unknown[45.129.14.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:39 servername postfix/smtpd[3599]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:39 servername postfix/smtpd[3599]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Click to expand...
 
What's the output of
# iptables --list | grep 46.148.40
?

(Can take a while to execute, that'll be o.k.)
 
You must log in or register to reply here.

Similar threads

Gianni
Question My IP in jail fail2ban using plesk
Replies
0
Views
168
Gianni
Gianni
D
Resolved fail2ban blocks IP from all visitors to a website
Replies
3
Views
2K
dicker
D
llucas
Question IP Address Banning (Fail2Ban) Configuration
Replies
2
Views
492
llucas
llucas
M
Question fail2ban, can I ban visitors with no user agent?
Replies
1
Views
575
Kaspar@Plesk
Kaspar@Plesk
claxman
Issue Anacron job 'cron.daily' on server.domain (Fail2Ban Automatic Closing Problem)
Replies
17
Views
3K
Hiljo_Lodewijk
H
Back
Top