
Issue Fail2Ban - Not Banning IP addresses

mendip_discovery

New Pleskian
I have looked through old issues, but none of the fixes seem to work.

I am getting a lot of
"WARNING [plesk-wordpress] {NAUGHTY-IP} already banned"

but then that same IP connects again and keeps trying. I have seen a lot of activity from people brute-force attacking a WordPress site. The plesk-wordpress jail is standard. The IP shown below kept going for 4 hrs after the ban.

CentOS Linux 7.8.2003 (Core)
Plesk Obsidian 18.0.27

Jail is
[plesk-wordpress]
enabled = true
filter = plesk-wordpress
action = iptables-multiport[name="plesk-wordpress", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
maxretry = 3

Filter,
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =


Example of my log,
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:30:51
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 82.45.238.87 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 82.45.238.87 - 2020-05-23 00:33:54
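A way to quantify the problem from fail2ban.log lines like the ones above (an added example written for this thread, not the poster's or Plesk's code; the sample log is constructed in the same format with documentation-range IPs): it counts, per jail and IP, how many filter matches fall after the IP was banned. That number should be zero when the iptables action is actually taking effect, and it works for the plesk-postfix jail further down the thread as well.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the fail2ban.log excerpts in this thread (documentation-range IPs).
SAMPLE_LOG = """\
2020-05-23 00:30:51,981 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 203.0.113.5 - 2020-05-23 00:30:51
2020-05-23 00:30:52,100 fail2ban.actions [2587]: NOTICE [plesk-wordpress] Ban 203.0.113.5
2020-05-23 00:31:53,109 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 203.0.113.5 - 2020-05-23 00:31:52
2020-05-23 00:31:53,185 fail2ban.actions [2587]: WARNING [plesk-wordpress] 203.0.113.5 already banned
2020-05-23 00:32:53,803 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 203.0.113.5 - 2020-05-23 00:32:53
2020-05-23 00:33:54,978 fail2ban.filter [2587]: INFO [plesk-wordpress] Found 203.0.113.5 - 2020-05-23 00:33:54
2020-05-23 00:35:10,000 fail2ban.filter [2587]: INFO [plesk-postfix] Found 198.51.100.9 - 2020-05-23 00:35:09
2020-05-23 00:35:10,050 fail2ban.actions [2587]: NOTICE [plesk-postfix] Ban 198.51.100.9
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^Found (?P<ip>\S+) - (?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
BANNED_RE = re.compile(r"^(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$")


def leaky_bans(log_text, grace_seconds=10):
    """Count 'Found' matches per (jail, ip) whose event time lies more than
    grace_seconds after the IP was first banned. A banned IP must not reach
    the service at all, so each such hit means the firewall rule is not in effect."""
    banned_at = {}
    leaks = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        jail, msg = m["jail"], m["msg"]
        b = BANNED_RE.match(msg)
        if b:
            # first time we learn of the ban, via 'Ban' or an 'already banned' warning
            banned_at.setdefault((jail, b["ip1"] or b["ip2"]), datetime.strptime(m["ts"], TS_FMT))
            continue
        f = FOUND_RE.match(msg)
        if f:
            key = (jail, f["ip"])
            if key in banned_at:
                # use the access/mail log event time, not fail2ban's processing time
                age = (datetime.strptime(f["when"], TS_FMT) - banned_at[key]).total_seconds()
                if age > grace_seconds:
                    leaks[key] += 1
    return dict(leaks)
```

Run it over the real /var/log/fail2ban.log; any non-zero count for a jail points at the iptables chain for that jail rather than at the filter regex.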
 
Have you been able to solve the issue? I am experiencing the same issue for the "plesk-postfix" jail with Plesk Obsidian 18.0.34.2 on Ubuntu 16.04.7 LTS.
 
@theunknownstuntman Could you please provide an excerpt from your /var/log/maillog and the section from /var/log/fail2ban.log where you see that the IP is banned, yet the mailserver is working with it?
 
@Peter Debik I hope this helps. I realize that both Plesk and Fail2Ban v0.10.3.fix1 are quite old...

Fail2ban.log

2023-11-19 06:39:38,159 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:37
2023-11-19 06:39:38,232 fail2ban.actions [1523]: WARNING [plesk-postfix] 46.148.40.0 already banned
2023-11-19 06:39:40,592 fail2ban.filter [1523]: INFO [plesk-postfix] Found 46.148.40.0 - 2023-11-19 06:39:40

maillog.processed.3.gz

Nov 21 06:39:29 servername postfix/smtpd[7897]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:29 servername postfix/smtpd[3205]: disconnect from unknown[80.94.95.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:30 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:30 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=8)
Nov 21 06:39:30 servername postfix/smtpd[32687]: warning: unknown[109.236.209.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:31 servername postfix/smtpd[32687]: lost connection after AUTH from unknown[109.236.209.0]
Nov 21 06:39:31 servername postfix/smtpd[32687]: disconnect from unknown[109.236.209.0] ehlo=1 auth=0/1 commands=1/2
Nov 21 06:39:33 servername postfix/smtpd[28382]: connect from unknown[46.148.40.0]
Nov 21 06:39:33 servername postfix/smtpd[3133]: connect from unknown[221.146.242.0]
Nov 21 06:39:33 servername postfix/smtpd[3205]: warning: hostname 120.hosted-by.bthoster.com does not resolve to address 45.129.14.0
Nov 21 06:39:33 servername postfix/smtpd[3205]: connect from unknown[45.129.14.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:34 servername postfix/smtpd[7897]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 21 06:39:37 servername plesk_saslauthd[3396]: failed mail authentication attempt for user 'mis123' (password len=6)
Nov 21 06:39:37 servername postfix/smtpd[3599]: warning: unknown[46.148.40.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:38 servername plesk_saslauthd[3396]: No such user '[email protected]' in mail authorization database
Nov 21 06:39:38 servername plesk_saslauthd[3396]: failed mail authentication attempt for user '[email protected]' (password len=18)
Nov 21 06:39:38 servername postfix/smtpd[3205]: warning: unknown[45.129.14.0]: SASL LOGIN authentication failed: authentication failure
Nov 21 06:39:39 servername postfix/smtpd[3205]: disconnect from unknown[45.129.14.0] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 21 06:39:39 servername postfix/smtpd[3599]: lost connection after AUTH from unknown[46.148.40.0]
Nov 21 06:39:39 servername postfix/smtpd[3599]: disconnect from unknown[46.148.40.0] ehlo=1 auth=0/1 rset=1 commands=2/3
 
What's the output of
# iptables --list | grep 46.148.40
?

(Can take a while to execute, that'll be o.k.)
 