Tim_Wakeling
Basic Pleskian
- Server operating system version: AlmaLinux 8.8
- Plesk version and microupdate number: 18.0.53
Something very odd happened last night on my server. About 4 am, when nothing was due to run (the backup completed at 1.25 am), all sites went down.
I could not log into Plesk, but I did have the CLI. nginx crashed when I tried to restart it, and plesk repair all -y also failed at the stage of reconfiguring the domains.
Then I tried pinging to 8.8.8.8 and other IPs, and all failed.
However now for some reason (probably due to the repair) I was able to log back into Plesk, even though all the websites were still down.
So from there I turned off the firewall, and everything returned.
With some trepidation, I turned the firewall back on, and everything was still fine. So turning it off and on again without any rule changes fixed it.
My firewall rules were (and are):
- DHCP, Samba, DNS and IPv6 denied to all
- SMTP, POP3, IMAP allowed to all
- Inbound pings, FTP, SSH and Plesk Installer all allowed from my IP only, and one other IP belonging to a specific client
Nothing recorded in /var/log/sw-cp-server/error_log around the incident time (or since), but in /var/log/fail2ban.log around 4am I can see this:
2023-07-18 04:06:16,064 fail2ban.actions [817]: NOTICE [recidive] Unban 208.38.235.61
2023-07-18 04:06:16,094 fail2ban.utils [817]: ERROR 7f59404b4870 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]'
2023-07-18 04:06:16,095 fail2ban.utils [817]: ERROR 7f59404b4870 -- returned 1
2023-07-18 04:06:16,095 fail2ban.CommandAction [817]: ERROR Invariant check failed. Unban is impossible.
2023-07-18 04:06:16,096 fail2ban.actions [817]: ERROR Failed to execute unban jail 'recidive' action 'iptables-allports' info 'ActionInfo({'ip': '208.38.235.61', 'fid': <function <lambda> at 0x7f5951eaa2d0>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f5951eaa8d0>})': Error unbanning 208.38.235.61
Nothing else in that log until 3 hours later after those lines.
Looks like an attempt perhaps by the owner of 208.38.235.61 to get themselves in? I don't know that IP.
Any idea what might have happened, why the firewall might have fallen over entirely as a result, and how I can stop that happening again?
Appreciate it's a tricky mystery!
Thanks so much
Tim
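An added example, not part of the original post: a Python scan of fail2ban.log that extracts each "Invariant check failed" event together with the check command that failed, its exit status, and the jail, action and IP involved. The function and field names are this example's own; the sample input is the log excerpt quoted in the post.

```python
import re

# Sample input: the fail2ban.log lines quoted in the post (not new data).
SAMPLE_LOG = r"""
2023-07-18 04:06:16,064 fail2ban.actions [817]: NOTICE [recidive] Unban 208.38.235.61
2023-07-18 04:06:16,094 fail2ban.utils [817]: ERROR 7f59404b4870 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]'
2023-07-18 04:06:16,095 fail2ban.utils [817]: ERROR 7f59404b4870 -- returned 1
2023-07-18 04:06:16,095 fail2ban.CommandAction [817]: ERROR Invariant check failed. Unban is impossible.
2023-07-18 04:06:16,096 fail2ban.actions [817]: ERROR Failed to execute unban jail 'recidive' action 'iptables-allports' info 'ActionInfo({'ip': '208.38.235.61', 'fid': <function <lambda> at 0x7f5951eaa2d0>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f5951eaa8d0>})': Error unbanning 208.38.235.61
"""

LINE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),\d+ fail2ban\.\S+\s+\[\d+\]: \w+\s+(?P<msg>.*)$")
EXEC = re.compile(r"^(?P<id>[0-9a-f]+) -- exec: (?P<cmd>.*)$")
RET = re.compile(r"^(?P<id>[0-9a-f]+) -- returned (?P<rc>\d+)$")
FAILED = re.compile(r"Failed to execute \w+ jail '(?P<jail>[^']+)' action "
                    r"'(?P<action>[^']+)'.*?'ip': '(?P<ip>[^']+)'")
CHAIN = re.compile(r"grep -q '([\w-]+)")  # chain name the check looks for


def find_invariant_failures(log_text):
    """Return one dict per 'Invariant check failed' event in fail2ban.log text."""
    incidents, checks, last_id = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if e := EXEC.match(msg):  # the check command fail2ban ran
            last_id = e["id"]
            checks[last_id] = {"cmd": e["cmd"], "rc": None}
        elif (r := RET.match(msg)) and r["id"] in checks:
            checks[r["id"]]["rc"] = int(r["rc"])  # exit status of that command
        elif "Invariant check failed" in msg:
            chk = checks.get(last_id, {})
            chain = CHAIN.search(chk.get("cmd") or "")
            incidents.append({"time": m["ts"], "check": chk.get("cmd"),
                              "rc": chk.get("rc"),
                              "chain": chain.group(1) if chain else None,
                              "jail": None, "action": None, "ip": None})
        elif (f := FAILED.search(msg)) and incidents and incidents[-1]["jail"] is None:
            incidents[-1].update(f.groupdict())  # fills jail, action, ip
    return incidents


if __name__ == "__main__":
    for inc in find_invariant_failures(SAMPLE_LOG):
        print(inc)
```

On the quoted lines it reports exit status 1 from the `grep -q 'f2b-recidive[ \t]'` check, which is grep finding no f2b-recidive entry in the INPUT listing at the moment the unban ran.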