• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How can I use the 'Plesk Firewall' and 'Fail2Ban' Extensions, when I have a Dynamic IP Address?

Craig1986

Basic Pleskian
Recently, I decided to install the Plesk Extension: 'Plesk Firewall'. Upon installation, I set the Global Policy to deny all incoming connections. I then created the overriding rule to accept connections from my IP address.

Initially, this worked fine. Anyone not coming from my IP address, could not successfully log into the Plesk Control Panel. Having a dynamic IP address, I was sometimes prevented login myself. This was okay, as I could simply access the server via SSH, in order to insert my new IP acceptance rule.

A few days went by, where I needed to add my new IP Address to the server. Again, I went to submit my newly changed IP address via SSH. This time, however, I am unable to connect. I had both 'Mod Security & Fail2ban' and the Plesk Firewall. The only way to regain access to my VPS, was to Rebuild the VPS and upload a Backup.

I believe the reason for this is that the aforementioned Extensions are blocking my access attempts, whenever my IP address changes. Is there a way around this or is it a case of not being able to have these Extensions installed, in the event of having a dynamic IP address?
 
Your ISP should allow you to access the machine by "console" which directly accesses the screen output and HID-hardware thus circumventing the IP ban. Or you just have to wait until the fail2ban releases your ban. This depends on your fail2ban configuration.

I have set up the following system of scripts (I was young and needed the money! :)):
On port 443 I made a "secret" php-script that dumps the current IP address to a file
In a cron job running as admin I'm checking this file for changes and upon detection I add a rule to the top of the iptables firewall rule list.

So, when I got booted I just had to call that script and 1 minute later access to all services was regained.
 
Just a quick note that our Juggernaut Firewall extension fully supports whitelisting dynamic IP addresses.
 
Back
Top