Question How to fine-tune Fail2Ban? (filters, jails, settings, Nginx, blocklists, badips sync, IPv6)

[Ovi]

Dear fellow Pleskians,
Following quite a few hours of reading posts on this forum, and the Plesk docs (Protection Against Brute Force Attacks (Fail2Ban)), and a few interesting technical chats with more experienced people, I've significantly reduced the no of IPs hammering my server.

Now I would like to take it one step further to optimise fail2ban with nginx, and I've started this new thread to ask for your guidance with the following points:

1) What custom filters and jails do you recommend? (Are mine OK?)
And what bantime & maxretry settings do you recommend for each jail?
I'm pasting below my filters and jails and I'd be most grateful for your advice on what should I edit/update/add:

Plesk fail2ban global jail settings:

[DEFAULT]
ignoreip = xx.xx.xx.xx
maxretry = 5
destemail = e@e
findtime = 10800
bantime = 86400
--------------------------------------------------------------------------------
FILTER: recidive
(standard recidive.conf)
-------------------------------
JAIL: [recidive]
enabled = true
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_badbots
(copy of the long apache badbots filter)
-------------------------------
JAIL: [nginx_badbots_jail]
enabled = true
filter = nginx_badbots
action = iptables-multiport[name=nginxBadBots, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
    /var/log/nginx/*access*.log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_ddos
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =

-------------------------------
JAIL: [nginx-req-limit]
enabled = true
filter = nginx_ddos
action = iptables-multiport[chain="INPUT", name="req-limit", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
logpath = /var/log/nginx/*error*.log
    /var/www/vhosts/system/*/logs/*error*
    /var/www/vhosts/*/logs/*error*
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_forbidden
[Definition]
failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
   ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
ignoreregex =

-------------------------------
JAIL: [nginx-forbidden-jail]
enabled = true
filter = nginx_forbidden
action = iptables-multiport[name=nginx_no403, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
    /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
bantime =
maxretry = 

--------------------------------------------------------------------------------
FILTER: nginx_404_v1
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
ignoreregex =

-------------------------------
JAIL: [nginx404_v1_jail]
enabled = true
filter = nginx_404_v1
action = iptables-multiport[name="nginx404v1", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
    /var/log/nginx/*access*.log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_noproxy
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

-------------------------------
JAIL: [nginx_noproxy_jail]
enabled = true
filter = nginx_noproxy
action = iptables-multiport[name=NoProxy, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
    /var/www/vhosts/*/logs/*access*log
    /var/www/vhosts/system/*/logs/*access*log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_noscript
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =

-------------------------------
JAIL: [nginx_noscript_jail]
enabled = true
filter = nginx_noscript
action = iptables-multiport[name=nginx_noscript, port="http,https,7080,7081"]
logpath = /var/log/nginx/*access*.log
    /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_login
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

-------------------------------
JAIL: [nginx_login_]
enabled = true
filter = nginx_login
action = iptables-multiport[name=nginx_nologinfailures, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
    /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_http_auth
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
   ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
ignoreregex =
-------------------------------
JAIL: [nginx_auth_jail]
enabled = true
filter = nginx_auth
action = iptables-multiport[name=nginx_noauthfailures, port="http,https,7080,7081"]
logpath = /var/log/nginx/*error*.log
    /var/www/vhosts/system/*/logs/*error*_log
    /var/www/vhosts/*/logs/*error*_log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_nohome
[Definition]
failregex = ^<HOST> -.*GET .*/~.*
ignoreregex =
-------------------------------
JAIL: [nginx_nohomedir_jail]
enabled = true
filter = nginx_nohome
action = iptables-multiport[name=nginx_nohome, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
    /var/www/vhosts/system/*/logs/*access*log
    /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =

--------------------------------------------------------------------------------
FILTER: nginx_auth
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
   user .* was not found in.*client: <HOST>
   user .* password mismatch.*client: <HOST>
ignoreregex =

-------------------------------
JAIL: [nginx_http_auth_jail]
enabled = true
filter = nginx_http_auth
action = iptables-multiport[name=nginx_http_auth, port="http,https,7080,7081"]
logpath = /var/log/nginx/*error*.log
    /var/www/vhosts/system/*/logs/*error*_log
    /var/www/vhosts/*/logs/*error*_log
bantime =
maxretry = 
--------------------------------------------------------------------------------

2.a) How do I write my recidive banned IPs to hosts.deny?
2.b) How do I sync my fail2ban with badips.com and with hosts.deny?
+ Is this the recommended way: mitchellkrogza/fail2ban-useful-scripts


3) Do you recommend the integration of IP blocklists into a Plesk server?
I'm a big fan of Steven Black hosts on all my non-server machines, and they work wonders.
As such I would really like to use a blocklist for my hosts and hosts.deny on my Plesk server as well.
3.a) Which blocklist do you recommend?

3.b) Should I modify my Plesk vhost template (example for apache but similar for nginx) and integrate Michell Krogza's ultimate-bad-bot-blocker?

3.c) Or maybe just adding this would be enough: Instruction - Blocking extra bots using nginx ?
+are we supposed to add this within the server {} block, or outside it, at the top?
+is this for /etc/nginx/nginx.conf OR for Vhost nginx.config OR for vhost_nginx.conf?


4) Fail2Ban in latest Plesk is v0.9.6 and it doesn't support IPv6.
fail2ban now supports IPv6 - please upgrade
I understand that we can't block IPv6 until Plesk upgrades to minimum F2B v0.10, but can we at least detect IPv6? And could we do anything about them?

I find these optimizations incredibly useful for enhancing security. However, since they're not new, I don't quite understand how come Plesk doesn't integrate them into production? Would really make a web admin's life easier!

 

[IgorG]

4) Fail2Ban in latest Plesk is v0.9.6 and it doesn't support IPv6.
fail2ban now supports IPv6 - please upgrade
I understand that we can't block IPv6 until Plesk upgrades to minimum F2B v0.10, but can we at least detect IPv6? And could we do anything about them?

Change Log for Plesk

Updated Fail2ban to version 0.10.3.1. Fail2ban now protects against attackers with IPv6 addresses.

 

[learning_curve]

...4) Fail2Ban in latest Plesk is v0.9.6 and it doesn't support IPv6.
fail2ban now supports IPv6 - please upgrade
I understand that we can't block IPv6 until Plesk upgrades to minimum F2B v0.10, but can we at least detect IPv6? And could we do anything about them?

Plesk are currently a LONG way behind with integrating many things, this Fail2Ban / iPv6 usage just being one example. Have a read of the PLESK current situation regarding this one... There's the Plesk official response and user's posts...

...I don't quite understand how come Plesk doesn't integrate them into production? Would really make a web admin's life easier!

You and many other of us end-users... Some things are seriously out of date now. Here's one example and this one is a Plesk core issue! Things are often marked as "...will be fixed in a future upgrade" (as is this example) but in this case, that was posted over 7 months ago... We've found that normally, you're never normally given details of... if... that will happen this year / next year / only after a lottery win etc Plus if you ask the 'when" question on here, you'll usually receive a ......... response.

Plesk really is very good and a joy to use in our view, but the ETA's of seriously overdue integrations, enhancements, bug fixes etc are far from the infamous US National Security level of security clearance, so it would be very useful if this type of information was a) accurate timewise and then b) shared with end-users. We'll need to live in hope meantime....

 

[learning_curve]

Change Log for Plesk

To be fair this is ONLY appplicable for any Plesk 17.9 Preview Status installations and this is made a lot clearer in the comments on the PLESK current situation regarding this. It SHOULD have been 17.5.3 and 17.8.11 (minimum) a long time ago and a long before any future preview releases, because IPv6 has been here for a very long time now... as many other posters have mentioned!

 

[IgorG]

It SHOULD have been 17.5.3 and 17.8.11 (minimum) a long time ago and a long before any future preview releases

I would not advise waiting for a backport. We have no such plans.

 

[learning_curve]

I would not advise waiting for a backport. We have no such plans.

As always, do appreciate your honesty @IgorG

In our humble opinion, that's quite a random thought process / logic route that Plesk have decided to adopt with this one. It will be quite some time before many Plesk end users, feel ready to switch over to 17.9.* even after that is provided at the "late adopter" status. No backporting means that running Plesk 17.9.* will be the only way Plesk end users can run an operational IPv4 & IPv6 version of Fail2Ban (unless they provide their own heavily customised Fail2Ban installation method)

 

[Ovi]

Thank you for your reply @IgorG , I would very much appreciate your input on my first 3 sets of questions as well - which (to me) are actually more important.

No backporting means that running Plesk 17.9.* will be the only way Plesk end users can run an operational IPv4 & IPv6 version of Fail2Ban (unless they provide their own heavily customised Fail2Ban installation method)

Thanks for your input @learning_curve , I understand what the situation is with IPv6 in Plesk. Unfortunately we can't do anything other than wait for 17.9 and then upgrade to it (hopefully without breaking anything in the process : )

PS: if you have any advice for me/us regarding my questions, please share it. Thank you!

 

[learning_curve]

I understand what the situation is with IPv6 in Plesk. Unfortunately we can't do anything other than wait for 17.9 and then upgrade to it (hopefully without breaking anything in the process : )

There is an update on this and you can read that in THIS other forum post

...PS: if you have any advice for me/us regarding my questions, please share it...

This is slightly more complicated, because there are so many variables involved (e.g. your server's applications and thus its potential 'audience' versus another person's server's applications and their 'audience' etc). In your case, at present, we don't use any of the methods that you have posted outside links for, but we do have quite a good history in terms of attacks (apart from maybe IPv6 based attacks ) using other methods. Neither setup could be classed as 'wrong' but there are so many options / variables (and so many opinions!) as to what is best. That might mean, that you need to trial things yourself, on your own server setup (backup / backup / backup ) before your'e 100% happy with the end results. That's what we've tended to do so far...

 

[Ovi]

There is an update on this and you can read that in THIS other forum post

Fair play @learning_curve for pointing to Alexander's suggestion re IPv6 backport. I voted for it even if I will upgrade to 17.9 shortly after it becomes available.
Backport Fail2Ban IPv6 Support to Plesk Onyx 17.x

This is slightly more complicated, because there are so many variables involved (e.g. your server's applications and thus its potential 'audience' versus another person's server's applications and their 'audience' etc).

I'm fully aware of the complexity, but this should be obvious from the title of this post being "How to fine-tune F2B" not "an intro to F2B". Also ps this other security-related thread:
Question - Security, security and more security!

Therefore if you'd be willing to share with me (and us) some useful (and specific) advice which helps fine-tune Fail2Ban and therefore which helps us deal with this complexity, it would be much appreciated by me and the community.

In your case, at present, we don't use any of the methods that you have posted outside links for, but we do have quite a good history in terms of attacks (apart from maybe IPv6 based attacks ) using other methods.

As per my previous paragraph, I'd be very grateful if you would share some of those methods, please.
For example, I shared some of my custom filters and jails. I also implemented hosts blocks, but I've done it manually. And I would really like to know how more technically savvy admins such as yourself and @trialotto do it automatically and more...elegantly. This is why I created this thread and I asked these questions..

Neither setup could be classed as 'wrong' but there are so many options / variables (and so many opinions!) as to what is best. That might mean, that you need to trial things yourself, on your own server setup (backup / backup / backup ) before your'e 100% happy with the end results. That's what we've tended to do so far...

Indeed many roads lead to Rome, but it would be helpful to know the specifics of at least one good one.

PS: To give you another specific example of what I mean by fine-tuning:
I am planning to integrate AlienVault's OTX Endpoint Security (AlienVault - Open Threat Exchange) into my server. However I am not sure if it plays ball with Plesk and its security config.
I searched the net for any documentation on Plesk and AV OTX Endpoint Sec, but I couldn't find anything. Nothing at all.

Therefore since I do want to continuously integrate advanced security in my server setup, but I'm not planning (yet) to implement a full SIEM, using a neat replacement such as AV OTX ES would be ideal (for me and probably many other admins with small server setups).

However I don't know how this would impact the existing Plesk security setup in 17.8 and the new 17.9.
@IgorG if you're up to date with this, could you please confirm if AlienVault's agent breaks Plesk security or anything at all in Plesk?
I'm much more worried about what I don't know and don't pick up in the logs, than what goes well.
Any help would be much appreciated.
Thank you.

More info on AlienVault OTX Endpoint Security:
New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™

 

[learning_curve]

Fair play @learning_curve for pointing to Alexander's suggestion re IPv6 backport. I voted for it even if I will upgrade to 17.9 shortly after it becomes available. Backport Fail2Ban IPv6 Support to Plesk Onyx 17.x

Great that you have already voted @Ovi but are you saying that you would actively be an early adopter of 17.9.*? That's something that we've not done so far. We've always been a late adopter for reasons related to early unsolved bugs including transition from one release to another. Do a quick search on upgrading 17.5.3 to 17.8.11 It was far from plain sailing for many! That's definately more related to fine tuning and not an intro, as you've rightly posted, especially in terms of security etc

I'm fully aware of the complexity, but this should be obvious from the title of this post being "How to fine-tune F2B" not "an intro to F2B". Also ps this other security-related thread:
Question - Security, security and more security!

Yes a great thread thank you, especially the SSH parts

Therefore if you'd be willing to share with me (and us) some useful (and specific) advice which helps fine-tune Fail2Ban and therefore which helps us deal with this complexity, it would be much appreciated by me and the community.As per my previous paragraph, I'd be very grateful if you would share some of those methods, please. For example, I shared some of my custom filters and jails. I also implemented hosts blocks, but I've done it manually. And I would really like to know how more technically savvy admins such as yourself and @trialotto do it automatically and more...elegantly. This is why I created this thread and I asked these questions. Indeed many roads lead to Rome, but it would be helpful to know the specifics of at least one good one.

There are no secrets to be fair. Plesk related people like @trialotto @IgorG @MarkM @Peter Debik and many other regular forum users have forgotten far more than we'll ever know. We're just a simple Plesk end-user like yourself. Our own methods have nearly always been: Research, read, re-read ask any specific, technical related questions in advance, decide ourselves, apply, test, conclude and then retain or restore the previous server snapshot prior to the test. Brutal maybe, but black and white in terms of test results and unknowns / collateral damage. Quite often, all the the theory in the world won't beat an acid test itself. If you pose a question like; "...good specs for all my Fail2Ban jails..." Then reseach all the existing answers online, guranteed that there will be a dicotomy of answers Hence; ...decide yourself, apply, test, conclude and then retain or restore from backup. The BEST route for Plesk specific technical related questions (in our opinion) is quite often, taking a subscription out with the Plesk Help Centre (unless you already have one via your Server Hosting Company) as forums can be busy / people in different times zones etc. We've always had great sucess there

PS: To give you another specific example of what I mean by fine-tuning:I am planning to integrate AlienVault's OTX Endpoint Security (AlienVault - Open Threat Exchange) into my server. However I am not sure if it plays ball with Plesk and its security config.I searched the net for any documentation on Plesk and AV OTX Endpoint Sec, but I couldn't find anything. Nothing at all.Therefore since I do want to continuously integrate advanced security in my server setup, but I'm not planning (yet) to implement a full SIEM, using a neat replacement such as AV OTX ES would be ideal (for me and probably many other admins with small server setups). However I don't know how this would impact the existing Plesk security setup in 17.8 and the new 17.9.@IgorG if you're up to date with this, could you please confirm if AlienVault's agent breaks Plesk security or anything at all in Plesk? I'm much more worried about what I don't know and don't pick up in the logs, than what goes well. Any help would be much appreciated. Thank you. More info on AlienVault OTX Endpoint Security:New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™

That one ^^ relates to Plesk 17.9.* and AlienVault OTX Endpoint Security both of which we have never used, so we can't even begin to comment in any helpful way at this point in time sorry.

 

[IgorG]

@IgorG if you're up to date with this, could you please confirm if AlienVault's agent breaks Plesk security or anything at all in Plesk?

You will probably be the first person in the world to do this integration. Probably, this is very necessary for you, if for some reason you are not satisfied with the security solutions that we offer in the scope of Plesk. Probably possible problems and steps to eliminate them will be worth what you want to achieve. But I always ask myself why people do not trust those proven solutions that they are offered, but prefer to choose the difficult and unexplored path?

 

[Ovi]

You will probably be the first person in the world to do this integration. Probably, this is very necessary for you, if for some reason you are not satisfied with the security solutions that we offer in the scope of Plesk. Probably possible problems and steps to eliminate them will be worth what you want to achieve. But I always ask myself why people do not trust those proven solutions that they are offered, but prefer to choose the difficult and unexplored path?

@IgorG First of all you seem to have enough technical knowledge to understand that I'm trying to improve Plesk security.
Now if you search the internet for a bit you will find rooted Plesk boxes for sale due to security vulnerabilities either unpatched by Plesk, or by the Plesk admin..
Either way, if one of your clients is trying to contribute to make your products more secure, how would your sarcasm help in this situation?

Second of all, AlienVault's Open Threat Exchange is the world's largest crowd-sourced computer-security platform. And they Open Sourced it for server admins to leverage their knowledge for free.
=> This means we can add a layer of world-class security for FREE to any Plesk server. I genuinely do not understand what you have against it...

 

[IgorG]

I genuinely do not understand what you have against it...

I have nothing against the fact that you write a detailed instruction and share it here Resources | Plesk Forum