
Issue Fail2Ban - Not Banning IP addresses

mendip_discovery

New Pleskian
I have looked through old issues, but none of the fixes seem to work.

I am getting a lot of
"WARNING [plesk-wordpress] {NAUGHTY-IP} already banned"

but then that same IP connects again and keeps trying. I have seen a lot of activity from people brute-force attacking a WordPress site. The plesk-wordpress jail is standard. The IP shown below kept going for 4hrs after the ban.

CentOS Linux 7.8.2003 (Core)
Plesk Obsidian 18.0.27

Jail is
[plesk-wordpress]
enabled = true
filter = plesk-wordpress
action = iptables-multiport[name="plesk-wordpress", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
maxretry = 3

Filter,
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =


Example of my log,
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
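The "Found" lines in the fail2ban.log excerpt show the filter matching, so the filter itself is doing its job; the open question is whether the ban action takes effect. As an added example (not code from the post, from Plesk or from fail2ban), the following Python ports the plesk-wordpress failregex above and runs it over a few constructed Apache combined-format log lines, so you can see exactly which requests count towards maxretry. The `<HOST>` expansion used here is the 0.9-series one (an assumption; newer releases use a more elaborate pattern, but both match an IPv4 address), and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (assumption: the 0.9-series expansion;
# newer releases use a more elaborate one, but both match an IPv4 address).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The plesk-wordpress failregex from the post, with <HOST> expanded.
FAILREGEX = re.compile(
    r'^' + HOST + r'.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200'
)

# Constructed Apache combined-format lines (not taken from the post);
# addresses are RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = [
    # failed login: WordPress re-renders the form with HTTP 200
    '203.0.113.5 - - [23/May/2020:00:30:51 +0100] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/May/2020:00:31:52 +0100] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    # merely loading the form is a GET and is not counted
    '198.51.100.7 - - [23/May/2020:00:32:00 +0100] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    # a query string after wp-login.php is allowed by the ([/\?#\\].*)? group
    '203.0.113.5 - - [23/May/2020:00:32:53 +0100] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3800 "-" "Mozilla/5.0"',
    # successful login: WordPress answers with a 302 redirect, not counted
    '198.51.100.7 - - [23/May/2020:00:33:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/May/2020:00:33:54 +0100] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
]


def failed_logins(lines):
    """Hosts of the lines the filter counts as a failed login, in log order."""
    hosts = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def would_ban(lines, maxretry=3):
    """Hosts with at least maxretry matches (findtime is ignored here)."""
    counts = Counter(failed_logins(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        print("MATCH " if FAILREGEX.match(line) else "ignore", line[:72])
    print("would ban:", would_ban(SAMPLE_ACCESS_LOG))
```

On the server itself the equivalent check is `fail2ban-regex <logfile> <filter file>`, which prints the matched lines and hosts. The regex keys on a POST answered with 200 because that is how WordPress responds to a failed login; a successful login redirects with 302 and is left alone.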
 
Have you been able to solve the issue? I am experiencing the same issue for the "plesk-postfix" jail with Plesk Obsidian 18.0.34.2 on Ubuntu 16.04.7 LTS.
 
@theunknownstuntman Could you please provide an excerpt from your /var/log/maillog and the section from /var/log/fail2ban.log where you see that the IP is banned, yet the mailserver is working with it?
 
@Peter Debik I hope this helps. I realize that both Plesk and Fail2Ban v0.10.3.fix1 are quite old...

Fail2ban.log


2023-11-19 06:39:38,159 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:37
2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
2023-11-19 06:39:40,592 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:40

maillog.processed.3.gz

Nov 21 06:39:29 servername postfix/smtpd[7897]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:29 servername postfix/smtpd[3205]: disconnect from unknown[80.94.95.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:30 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:30 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=8)
Nov 21 06:39:30 servername postfix/smtpd[32687]: warning: unknown[109.236.209.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:31 servername postfix/smtpd[32687]: lost connection after AUTH from unknown[109.236.209.0]
Nov 21 06:39:31 servername postfix/smtpd[32687]: disconnect from unknown[109.236.209.0] ehlo=1 auth=0/1 commands=1/2
Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
Nov 21 06:39:33 servername postfix/smtpd[3133]: connect from unknown[221.146.242.0]
Nov 21 06:39:33 servername postfix/smtpd[3205]: warning: hostname 120.hosted-by.bthoster.com does not resolve to address 45.129.14.0
Nov 21 06:39:33 servername postfix/smtpd[3205]: connect from unknown[45.129.14.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 21 06:39:37 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'mis123' (password len=6)
Nov 21 06:39:37 servername postfix/smtpd[3599]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:38 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:38 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=18)
Nov 21 06:39:38 servername postfix/smtpd[3205]: warning: unknown[45.129.14.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:39 servername postfix/smtpd[3205]: disconnect from unknown[45.129.14.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:39 servername postfix/smtpd[3599]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:39 servername postfix/smtpd[3599]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
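Both the WordPress post above and the postfix post here show the same symptom: fail2ban logs "already banned" while the service log keeps recording fresh connections from that IP. fail2ban only knows that it issued the ban; it cannot tell whether the iptables rule is actually in the packet path. The following Python is an added example (not code from either post, from Plesk or from fail2ban) that makes the mismatch visible: it takes the ban time per IP from fail2ban.log ("Ban" at NOTICE, "already banned" at WARNING) and lists every later "connect from" in the maillog and every later request in the Apache access log from that IP. The log lines are constructed for the example, with RFC 5737 addresses; the maillog year is passed in because syslog lines carry none, and the Apache zone offset is dropped on the assumption that fail2ban.log and the web logs share the local time zone.

```python
import re
from datetime import datetime

# fail2ban.log layout as in the posts (0.10 series): "Ban" is logged at
# NOTICE, "already banned" at WARNING.
F2B_PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
BAN_RE = re.compile(F2B_PREFIX + r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")
ALREADY_RE = re.compile(F2B_PREFIX + r"WARNING\s+\[(?P<jail>[^\]]+)\]\s+(?P<ip>\S+)\s+already banned")

# Service-side evidence of a new connection.
MAILLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[^\]]+)\]"
)
ACCESS_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")

# Constructed sample logs (not from the posts); RFC 5737 addresses.
SAMPLE_F2B = [
    "2023-11-19 06:38:12,404 fail2ban.filter [1523]: INFO [plesk-postfix] Found 198.51.100.23 - 2023-11-19 06:38:12",
    "2023-11-19 06:39:20,101 fail2ban.actions [1523]: NOTICE [plesk-postfix] Ban 198.51.100.23",
    "2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 198.51.100.23 already banned",
    "2023-11-19 06:41:02,009 fail2ban.actions [1523]: NOTICE [plesk-wordpress] Ban 203.0.113.5",
]
SAMPLE_MAILLOG = [  # year 2023, same host clock as fail2ban.log
    "Nov 19 06:39:10 servername postfix/smtpd[7897]: connect from unknown[198.51.100.23]",
    "Nov 19 06:39:11 servername postfix/smtpd[7897]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure",
    "Nov 19 06:40:10 servername postfix/smtpd[3599]: connect from unknown[198.51.100.23]",
    "Nov 19 06:40:15 servername postfix/smtpd[3133]: connect from unknown[192.0.2.44]",
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [19/Nov/2023:06:40:59 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Nov/2023:06:41:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [19/Nov/2023:06:41:35 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def ban_times(f2b_lines):
    """ip -> earliest time fail2ban recorded a ban or reported 'already banned'."""
    bans = {}
    for line in f2b_lines:
        for rx in (BAN_RE, ALREADY_RE):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                ip = m.group("ip")
                if ip not in bans or ts < bans[ip]:
                    bans[ip] = ts
    return bans


def maillog_connects(lines, year):
    """(ip, time) for each postfix 'connect from'; syslog lines carry no year."""
    for line in lines:
        m = MAILLOG_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def access_log_hits(lines):
    """(ip, time) for each Apache request; the zone offset is dropped on the
    assumption that fail2ban.log and the web logs share the local time zone."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts.replace(tzinfo=None)


def post_ban_activity(bans, events):
    """Connections from an IP after its ban time: the firewall rule is not
    stopping the traffic, whatever fail2ban believes."""
    return sorted((ip, ts) for ip, ts in events if ip in bans and ts > bans[ip])


if __name__ == "__main__":
    bans = ban_times(SAMPLE_F2B)
    events = list(maillog_connects(SAMPLE_MAILLOG, 2023)) + list(access_log_hits(SAMPLE_ACCESS))
    for ip, ts in post_ban_activity(bans, events):
        print(f"{ip} still connecting at {ts}, banned since {bans[ip]}")
```

Any IP this reports is one for which the ban is recorded but not enforced, which is exactly what both posts describe. That narrows the problem to the action side, and the next step is to look at the firewall directly, as in the `iptables --list | grep <ip>` check asked for below: if the address is missing from the fail2ban chain (or the chain is not referenced from INPUT), the ban never reached the packet filter.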
 
What's the output of
# iptables --list | grep 46.148.40
?

(Can take a while to execute, that'll be o.k.)
 