• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Fail2ban: not blocking the IP

omexlu

Regular Pleskian
Hi,

I have created a new jail + filter in plesk fail2ban exention

JAIL:
Code:
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
/var/www/vhosts/*/logs/access_log
maxretry = 300

FILTER:
Code:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

But i have make on test trought a webproxy the IP was blocked and showed in iptables -L but still can reload the website.

Something wrong here:
Code:
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

I want that this userclient get totally dropped and can't reload any website hosted on the server.

Code:
target     prot opt source               destination        
REJECT     all  --  37.58.58.206         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

But can still reload the website? @UFHH01
 
Last edited:
Hi,

I have created a new jail + filter in plesk fail2ban exention

JAIL:
Code:
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
/var/www/vhosts/*/logs/access_log
maxretry = 300

FILTER:
Code:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

But i have make on test trought a webproxy the IP was blocked and showed in iptables -L but still can reload the website.

Something wrong here:
Code:
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

I want that this userclient get totally dropped and can't reload any website hosted on the server.

Code:
target     prot opt source               destination        
REJECT     all  --  37.58.58.206         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

But can still reload the website?

@omexlu

Some questions:

1 - are you sure about the "maxretry = 300"? By the time Fail2Ban will block your IP, your server will probably have a problem (resource outage, firewall issues etc.)

2 - did you write a custom action (note: from scratch)? if not, try to

- remove the action via the Plesk Panel, (and)
- add the "multiport" action without the name (read: do not add: name="http-ddos-custom" or anything else custom)

3 - consider to use the "allport" action: it does not make any sense to block a DDoS on your web servers, since that is often the "face of the attack" and while the sysadmin is busy, some other port is attacked on the background..........it is just a small tip.


Regards.......
 
1 - are you sure about the "maxretry = 300"? By the time Fail2Ban will block your IP, your server will probably have a problem (resource outage, firewall issues etc.)

2 - did you write a custom action (note: from scratch)? if not, try to

- remove the action via the Plesk Panel, (and)
- add the "multiport" action without the name (read: do not add: name="http-ddos-custom" or anything else custom)

3 - consider to use the "allport" action: it does not make any sense to block a DDoS on your web servers, since that is often the "face of the attack" and while the sysadmin is busy, some other port is attacked on the background..........it is just a small tip.

1. Maybe this is too high and i might be lower that setting to maxretry 300 and findtime 300

2. do you think this way => iptables-multiport[chain="INPUT", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"] , but what it changes? :)

EDIT: Have tested this without name same result, get banned but can still reload the website:
Code:
Chain f2b-default (1 references)
target     prot opt source               destination      
REJECT     all  --  207.244.66.70        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

3. that way? iptables-allports[chain="INPUT", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]

EDIT: With that also the same, but still can reload the website, nothing blocked... why :/
Code:
REJECT     all  --  85.17.24.76          anywhere             reject-with icmp-port-unreachable

But why i can still reload if the ip is rejected in iptables as see above?
 
Last edited:
@omexlu

You asked

But why i can still reload if the ip is rejected in iptables as see above?

and I do not have the answer, but it is probably related to firewall or system related issues.

With respect to your questions in point 2 and 3, note the following.

Both the iptables-multiport[...] and the iptables-allports[...] actions contain some key-value pairs, with the keys defined in the action, as present in the action.d folder.

Plesk Panel adds the whole line of default key-value pairs, but that is not really required: the keys should stay the same, but the values can be anything sensible.

If a jail action does not work, this often is the result of an erroneous manual edit in the appropriate file in the action.d folder.

So, changing the jail action to a default action is and was simply a verification that the actions are still proper.

You did not report the result of what happened when changing to the iptables-allports[...] action, but you should that and have a look at /var/log/fail2ban.log, so you can monitor whether any (significant) errors are occurring after the change of the action on your "DDoS" jail.

Nevertheless, I strongly recommend to use an alternative: Fail2Ban is not the best method to handle DDoS attacks, one should consider bandwidth throttling.

A good suggestion would be to use Nginx to throttle dubious requests, since that would also imply that those requests will not reach the (memory hungry) Apache server.

Hope the above helps!

Regards......
 
Back
Top