• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

How can I add a action to fail2ban - iptables-ipset-proto

Brujo

Silver Pleskian
Plesk Guru
Well with activated apache-badbots jails I have in a short time a hugh amount of banned IPs. Usualy action for this is to use iptables-ipset-proto and save all this baned IPs in the ipset insteed as normal in the iptables list - thats also a suggestion which was discussed in the fail2ban forum for better performance. And yes I had this running (ipset package installed) with my manual installation of fail2ban before I switched over to the plesk integrated.

action = iptables-ipset-proto6[name=BadBots, port="http,https,7080,7081"] insteed of action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]

so how can I add iptables-ipset-proto4.conf, iptables-ipset-proto6-allports.conf, iptables-ipset-proto6.conf to the plesk version of fail2ban??

any hint would be helpfull....
 
You can easily add, modify or remove actions over the Plesk Panel, by clicking on a jail and choose the option "modify". Plesk will show you the actual actions, while each action is listed in one line. To remove one action, simply delete the unwanted action and save it afterwards. If you would like to add an action, choose a pre-configured action from the above drop-down menu or add one manually ( hint : "ls /etc/fail2ban/action.d" )

In your case, you might like to modify the actions as followed:
Code:
iptables-ipset-proto4.conf[name=BadBots, port="http,https,7080,7081"]
iptables-ipset-proto6-allports.conf[name=BadBots, port="http,https,7080,7081"]
iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"]
 
First thanks for answering, but thats what I already tried without success.

1. I manualy copyed the iptables-ipset-proto6.conf) to /etc/fail2ban/action.d
2. selected existing jail plesk-apache-badbot in plesk and removed/replaced the existing action and added manualy by iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"] But I get this errors when saving:
Error: f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6.conf' under /etc/fail2ban
ERROR Error in action definition iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"]
ERROR Errors in jail 'plesk-apache-badbot'. Skipping...
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache-badbot']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-apache-badbot

or during activation

Error: Unable to switch on the jail: f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6.conf' under /etc/fail2ban
ERROR Error in action definition iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"]
ERROR Errors in jail 'plesk-apache-badbot'. Skipping...
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache-badbot']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-apache-badbot

/etc/fail2ban/action.d]# ls -la
total 36
drwxr-xr-x 2 root root 4096 Aug 19 07:24 .
drwxr-xr-x 5 root root 4096 Aug 8 21:58 ..
-rw-r----- 1 root root 1820 May 20 13:31 iptables-allports.conf
-rw-r----- 1 root root 626 May 20 13:31 iptables-blocktype.conf
-rw-r----- 1 root root 1838 May 20 13:31 iptables.conf
-rw-r----- 1 root root 2102 Aug 19 07:23 iptables-ipset-proto6.conf
-rw-r----- 1 root root 1919 May 20 13:31 iptables-multiport.conf
-rw-r----- 1 root root 313 May 20 13:31 sendmail-common.conf
-rw-r----- 1 root root 2096 May 20 13:31 sendmail.conf

well I found out that plesk use the f2bmng to handle all this and as you can see he finds the filename but within "null".....
/usr/local/psa/admin/sbin/f2bmng --get-actions-list
[["iptables-allports", "fail2ban"], ["iptables-blocktype", "fail2ban"], ["iptables-ipset-proto6", null], ["iptables-multiport", "fail2ban"], ["iptables", "fail2ban"], ["sendmail-common", "fail2ban"], ["sendmail", "fail2ban"]]

so any hint would be realy helpfull

kind regards
Brujo
 
Last edited:
The "f2bmng" isn't a real help, when it comes to new filters, actions and jails, if they are not yet pre-configured from Plesk... I'm sure they will modify this file in the future.

To modify your new jails for the "Badbots", please copy and edit the files manually in /etc/fail2ban/:

1. Copy the following files from the link => github repo <= to "/etc/fail2ban/action.d":

iptables-ipset-proto4.conf
iptables-ipset-proto6-allports.conf
iptables-ipset-proto6.conf​

2. Edit the file "jail.local" in "/etc/fail2ban/" and add at the end:

#####

[own-badbot]

enabled = true
action = iptables-ipset-proto4.conf[name=own-badbot, port="http,https,7080,7081"]
iptables-ipset-proto6-allports.conf[name=own-badbot, port="http,https,7080,7081"]
iptables-ipset-proto6.conf[name=own-badbot, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
/var/log/apache2/*access.log
filter = apache-badbots
findtime = 43200 | searches 12 hours in the logfile
bantime = 604800 | bans 7 days
maxretry = 3 | after 3 times, the jail will ban the BadBots, with your filter defined at

#####

Restart or activate the new fail2ban jail either from Plesk, or restart the whole fail2ban over the command line with "service fail2ban restart"


... another hint: the pre-configured plesk.conf for fail2ban is located in "/etc/fail2ban/jail.d", but shouldn't be overwritten, because any new Plesk update might overwrite this file. Any modifications, which you are doing for jails and filters over Plesk will result in additional "*.local" - files, if you would like to have a look at them. Due to the fact that Plesk does not include all possible jails, you could consider copying more filters and jails from the github repo, which I mentioned above.
 
The "f2bmng" isn't a real help, when it comes to new filters, actions and jails, if they are not yet pre-configured from Plesk... I'm sure they will modify this file in the future.

To modify your new jails for the "Badbots", please copy and edit the files manually in /etc/fail2ban/:

1. Copy the following files from the link => github repo <= to "/etc/fail2ban/action.d":

iptables-ipset-proto4.conf
iptables-ipset-proto6-allports.conf
iptables-ipset-proto6.conf​

2. Edit the file "jail.local" in "/etc/fail2ban/" and add at the end:

#####

[own-badbot]

enabled = true
action = iptables-ipset-proto4.conf[name=own-badbot, port="http,https,7080,7081"]
iptables-ipset-proto6-allports.conf[name=own-badbot, port="http,https,7080,7081"]
iptables-ipset-proto6.conf[name=own-badbot, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
/var/log/apache2/*access.log
filter = apache-badbots
findtime = 43200 | searches 12 hours in the logfile
bantime = 604800 | bans 7 days
maxretry = 3 | after 3 times, the jail will ban the BadBots, with your filter defined at

#####

Restart or activate the new fail2ban jail either from Plesk, or restart the whole fail2ban over the command line with "service fail2ban restart"


... another hint: the pre-configured plesk.conf for fail2ban is located in "/etc/fail2ban/jail.d", but shouldn't be overwritten, because any new Plesk update might overwrite this file. Any modifications, which you are doing for jails and filters over Plesk will result in additional "*.local" - files, if you would like to have a look at them. Due to the fact that Plesk does not include all possible jails, you could consider copying more filters and jails from the github repo, which I mentioned above.

Hi,
I know this is an old thread, but since 2014 no f2bmng is been modify.
I'm tring to use ipset on f2b, but without success. I've the same error :
Code:
Error: f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6.conf' under /etc/fail2ban
ERROR Error in action definition iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"]
ERROR Errors in jail 'plesk-apache-badbot'. Skipping...
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache-badbot']' returned non-zero exit status 255

even if I'm using jail.local to configure it. Why ?

P.S.: I'm on Onyx version (17.5.3)
 
Hi OverWolf,

I'm using jail.local to configure it. Why ?
Because of the additional misconfigurations, found here:
Error: f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6.conf' under /etc/fail2ban
ERROR Error in action definition iptables-ipset-proto6.conf[name=BadBots, port="http,https,7080,7081"]
 
Hi UFHH01,

I have iptables-ipset-proto* files in action.d directory. So I don't understand it. Why cannot f2bmng found it ?
 
Hi OverWolf,

pls. what is the output of the commands:
Code:
ls -lah /etc/fail2ban/action.d | grep iptables
and
Code:
cat /etc/fail2ban/action.d/iptables-ipset-proto6.conf
 
Hi UFHH01,

these are the output :
Code:
 ls -lah /etc/fail2ban/action.d/ | grep iptables
-rw-r----- 1 root root 1.5K Mar 14  2017 iptables-allports.conf
-rw-r----- 1 root root 1.9K Mar 14  2017 iptables-common.conf
-rw-r----- 1 root root 1.4K Sep 11 11:21 iptables.conf
-rw-r----- 1 root root 1.8K Sep 12 11:39 iptables-ipset-proto4.conf
-rw-r----- 1 root root 1.8K Sep 22 15:59 iptables-ipset-proto6-allports.conf
-rw-r----- 1 root root 1.8K Sep 22 15:59 iptables-ipset-proto6.conf
-rw-r----- 1 root root 1.4K Mar 14  2017 iptables-multiport.conf

Code:
 cat /etc/fail2ban/action.d/iptables-ipset-proto6.conf
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = ipset del f2b-<name> <ip> -exist

[Init]

# Option: bantime
# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values:  [ NUM ]  Default: 600
#
bantime = 3600
 
Hi OverWolf,

before I answer your initial ( new ) question, pls. provide as well the related content/definitions at your "jail.local":
Code:
cat /etc/fail2ban/jail.local
 
I have tried these two entry in jail.local (one at time), but without success :

Code:
[postfix-rbl]
enabled = true
filter = postfix-rbl
action = iptables-ipset-proto6-allports.conf[name="postfix-rbl", port="smtp,smtps,submission"]
        iptables-ipset-proto4.conf[name="postfix-rbl", port="smtp,smtps,submission"]
        iptables-ipset-proto6.conf[name="postfix-rbl", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime = 43200
bantime = 7200
maxretry = 2

########################

[postfix-rbl]
enabled = true
filter = postfix-rbl
action = iptables-ipset-proto6-allports.conf[name="postfix-rbl", port="smtp,smtps,submission"]
logpath = /var/log/maillog
findtime = 43200
bantime = 7200
maxretry = 2

I've still tried to del extension (.conf) but I have had the same error
 
Hi OverWolf,

you changed the settings/configurations during the first post and now. Pls. update your ( possible ) error - messages with the actual messages from either your command line, or/and from your "fail2ban.log" .
 
this is my error

Code:
f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6-allports.conf' under /etc/fail2ban
ERROR Error in action definition iptables-ipset-proto6-allports.conf[name="postfix-rbl", port="smtp,smtps,submission"]
ERROR Errors in jail 'postfix-rbl'. Skipping...
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 255
Search for related Knowledge Base articles

that's is the same as the old one
 
Hi OverWolf,

did you consider to use:
Code:
chmod -R 644 /etc/fail2ban/action.d
chmod 755 /etc/fail2ban/action.d
 
Hi UFHH01,
this is my situation
drwxr-xr-x 2 root root 4096 Sep 25 10:01 action.d
-rw-r--r-- 1 root root 2328 Dec 9 2016 fail2ban.conf
drwxr-xr-x 3 root root 4096 Sep 25 20:49 filter.d
-rw-r----- 1 root root 3101 Sep 9 11:40 jail.conf
drwxr-xr-x 2 root root 4096 Sep 25 09:51 jail.d
-rw-r--r-- 1 root root 2092 Sep 25 20:49 jail.local

So, my question is: why should I mod permissions ? Isn't them already ok ?
 
Hi OverWolf,

So, my question is: why should I mod permissions ?
did you consider to use
The reason here is, that IF you use permissions without "world" "read access", it might conflict with dependent settings on your server and I suggested therefore to try out, if this fixes your issue, as I couldn't see any typing mistakes, which as well may lead to an error like: "ERROR Found no accessible config files for ..." . ;)
 
Hi UFHH01,
I'm in the same situation:
Code:
f2bmng failed: ERROR Found no accessible config files for 'action.d/iptables-ipset-proto6-allports.conf' under /etc/fail2ban
:(

Edit : now it works. I've remove extension (.conf) from the action line and no errors are showed. Now I'm testing it.

Edit 2: It seems to work. In fail2ban log I have much errors :
Code:
2017-09-26 09:12:39,293 fail2ban.action [16008]: ERROR ipset create f2b-postfix-rbl hash:ip timeout <bantime>
iptables -w -I INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-09-26 09:12:39,294 fail2ban.action [16008]: ERROR ipset create f2b-postfix-rbl hash:ip timeout <bantime>
iptables -w -I INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'\n/bin/sh: -c: line 0: `ipset create f2b-postfix-rbl hash:ip timeout <bantime>'\n"
2017-09-26 09:12:39,294 fail2ban.action [16008]: ERROR ipset create f2b-postfix-rbl hash:ip timeout <bantime>
iptables -w -I INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable -- returned 1
2017-09-26 09:12:39,294 fail2ban.actions [16008]: ERROR Failed to start jail 'postfix-rbl' action 'iptables-ipset-proto6-allports': Error starting action


2017-09-26 09:12:40,605 fail2ban.action [16008]: ERROR iptables -w -D INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
ipset flush f2b-postfix-rbl
ipset destroy f2b-postfix-rbl -- stdout: ''
2017-09-26 09:12:40,608 fail2ban.action [16008]: ERROR iptables -w -D INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
ipset flush f2b-postfix-rbl
ipset destroy f2b-postfix-rbl -- stderr: "iptables v1.4.21: Set f2b-postfix-rbl doesn't exist.\n\nTry `iptables -h' or 'iptables --help' for more information.\nipset v6.29: The set with the given name does not exist\nipset v6.29: The set with the given name does not exist\n"
2017-09-26 09:12:40,609 fail2ban.action [16008]: ERROR iptables -w -D INPUT -m set --match-set f2b-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
ipset flush f2b-postfix-rbl
ipset destroy f2b-postfix-rbl -- returned 1
2017-09-26 09:12:40,609 fail2ban.actions [16008]: ERROR Failed to stop jail 'postfix-rbl' action 'iptables-ipset-proto6-allports': Error stopping action
2017-09-26 09:12:40,612 fail2ban.jail [16008]: INFO Jail 'postfix-rbl' stopped
 
Last edited:
I've tried to use command line to create a test ipset and it works :
Code:
 ipset -v
ipset v6.29, protocol version: 6
[root@server action.d]# ipset create f2b-iptest hash:ip timeout 3600
[root@server action.d]# ipset list
Name: f2b-iptest
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16528
References: 0
Members:
 
Hi UFHH01,

the problem persist if I use this action with Fail2Ban. Can you suggest something to try ?

Thank you
 
Back
Top