• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Fail2ban: not blocking the IP

O

omexlu

Regular Pleskian
Hi,

I have created a new jail + filter in plesk fail2ban exention

JAIL:
Code: 
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
/var/www/vhosts/*/logs/access_log
maxretry = 300

FILTER:
Code: 
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

But i have make on test trought a webproxy the IP was blocked and showed in iptables -L but still can reload the website.

Something wrong here:
Code: 
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

I want that this userclient get totally dropped and can't reload any website hosted on the server.

Code: 
target     prot opt source               destination        
REJECT     all  --  37.58.58.206         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

But can still reload the website? @UFHH01
 
Last edited:
omexlu said:
Hi,

I have created a new jail + filter in plesk fail2ban exention

JAIL:
Code: 
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
/var/www/vhosts/*/logs/access_log
maxretry = 300

FILTER:
Code: 
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

But i have make on test trought a webproxy the IP was blocked and showed in iptables -L but still can reload the website.

Something wrong here:
Code: 
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

I want that this userclient get totally dropped and can't reload any website hosted on the server.

Code: 
target     prot opt source               destination        
REJECT     all  --  37.58.58.206         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

But can still reload the website?
Click to expand...

@omexlu

Some questions:

1 - are you sure about the "maxretry = 300"? By the time Fail2Ban will block your IP, your server will probably have a problem (resource outage, firewall issues etc.)

2 - did you write a custom action (note: from scratch)? if not, try to

- remove the action via the Plesk Panel, (and)
- add the "multiport" action without the name (read: do not add: name="http-ddos-custom" or anything else custom)

3 - consider to use the "allport" action: it does not make any sense to block a DDoS on your web servers, since that is often the "face of the attack" and while the sysadmin is busy, some other port is attacked on the background..........it is just a small tip.


Regards.......
 
trialotto said:
1 - are you sure about the "maxretry = 300"? By the time Fail2Ban will block your IP, your server will probably have a problem (resource outage, firewall issues etc.)

2 - did you write a custom action (note: from scratch)? if not, try to

- remove the action via the Plesk Panel, (and)
- add the "multiport" action without the name (read: do not add: name="http-ddos-custom" or anything else custom)

3 - consider to use the "allport" action: it does not make any sense to block a DDoS on your web servers, since that is often the "face of the attack" and while the sysadmin is busy, some other port is attacked on the background..........it is just a small tip.
Click to expand...

1. Maybe this is too high and i might be lower that setting to maxretry 300 and findtime 300

2. do you think this way => iptables-multiport[chain="INPUT", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"] , but what it changes? :)

EDIT: Have tested this without name same result, get banned but can still reload the website:
Code: 
Chain f2b-default (1 references)
target     prot opt source               destination      
REJECT     all  --  207.244.66.70        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

3. that way? iptables-allports[chain="INPUT", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

EDIT: With that also the same, but still can reload the website, nothing blocked... why :/
Code: 
REJECT     all  --  85.17.24.76          anywhere             reject-with icmp-port-unreachable

But why i can still reload if the ip is rejected in iptables as see above?
 
Last edited:
@omexlu

You asked

omexlu said:
But why i can still reload if the ip is rejected in iptables as see above?
Click to expand...

and I do not have the answer, but it is probably related to firewall or system related issues.

With respect to your questions in point 2 and 3, note the following.

Both the iptables-multiport[...] and the iptables-allports[...] actions contain some key-value pairs, with the keys defined in the action, as present in the action.d folder.

Plesk Panel adds the whole line of default key-value pairs, but that is not really required: the keys should stay the same, but the values can be anything sensible.

If a jail action does not work, this often is the result of an erroneous manual edit in the appropriate file in the action.d folder.

So, changing the jail action to a default action is and was simply a verification that the actions are still proper.

You did not report the result of what happened when changing to the iptables-allports[...] action, but you should that and have a look at /var/log/fail2ban.log, so you can monitor whether any (significant) errors are occurring after the change of the action on your "DDoS" jail.

Nevertheless, I strongly recommend to use an alternative: Fail2Ban is not the best method to handle DDoS attacks, one should consider bandwidth throttling.

A good suggestion would be to use Nginx to throttle dubious requests, since that would also imply that those requests will not reach the (memory hungry) Apache server.

Hope the above helps!

Regards......
 
You must log in or register to reply here.

Similar threads

A
Question Fail2Ban capture and ban IP, connection still being made
Replies
8
Views
850
Bitpalast
Bitpalast
A
Issue Fire2ban not working with banned IP
Replies
2
Views
888
Angelo
A
Liwindo
Input New Firewall App 18.0.52
Replies
4
Views
1K
Liwindo
Liwindo
J
Resolved Default plesk-wordpress fail2ban doesn't work
Replies
4
Views
2K
Mark_NLD
M
C
Issue 38080 connection refused, plesk FW setup
Replies
1
Views
677
chester_e
C
Back
Top