Issue How to properly configure Fail2Ban for ModSecurity in Plesk with NGINX?

[Jürgen_T]

Server operating system version

Ubuntu 22.04.5 LTS

Plesk version and microupdate number

Plesk Obsidian 18.0.67 Update #3

Hello everyone,

I have successfully installed ModSecurity with NGINX on my Plesk server. Now, I want to use Fail2Ban to permanently block IPs of attackers that ModSecurity identifies.

However, after installation, I noticed that the configuration files for ModSecurity were missing in Fail2Ban. Additionally, the plesk-modsecurity service could not be activated.

Could someone provide the original content of the Plesk Fail2Ban configuration files for ModSecurity? I would like to restore them and ensure they work correctly with my NGINX setup.

Thanks in advance!

 

[Kaspar]

Jail

[plesk-modsecurity]
enabled = true
filter = plesk-modsecurity
action = iptables-multiport[name="plesk-modsecurity", port="80,443,7080,7081", protocol="tcp,udp"]
logpath = /var/log/modsec_audit.log
maxretry = 4

Filter

[Definition]
failregex = ^(?:\[.*?\]\s\S*)\s<HOST>\s
ignoreregex = ^\[.*?\]\s\S*\s<HOST>\s.*\s\1
    collection_store
    collections_remove_stale

 

[Jürgen_T]

Thank you for your quick response! Unfortunately, Fail2Ban didn’t work because it couldn’t find any IPs in the ModSecurity audit log files, and ModSecurity itself stopped logging unexpectedly. As a result, I had to remove it again. Additionally, switching from the selected Apache rule set (2.9) to my proxy NGINX rule set (3.0) didn’t work either. I’ll give ModSecurity another try once it proves to be more stable in my environment.

 

[klodoma]

@Kulturmensch

Off topic, but DID YOU managed to get Nginx work with ModSecurity? I set it up, see the setup and all is in there, but there is no filtering, reporting, blocking or whatsoever.

 

[Jürgen_T]

Off topic, but DID YOU managed to get Nginx work with ModSecurity? I set it up, see the setup and all is in there, but there is no filtering, reporting, blocking or whatsoever.

Unfortunately, not yet. The first time I tried it, it worked for a short time, but then ModSecurity stopped logging, and after uninstalling it, NGINX also stopped working, so I had to run my websites on Apache for a while. The second time I tried it, a month ago, it worked better, and ModSecurity worked for a while, but when I tried to secure ModSecurity with fail2ban, it stopped logging again, so I had to uninstall it again. This is the current status.

 

[klodoma]

Unfortunately, not yet. The first time I tried it, it worked for a short time, but then ModSecurity stopped logging, and after uninstalling it, NGINX also stopped working, so I had to run my websites on Apache for a while. The second time I tried it, a month ago, it worked better, and ModSecurity worked for a while, but when I tried to secure ModSecurity with fail2ban, it stopped logging again, so I had to uninstall it again. This is the current status.

Thanks for the feedback. This is no good news for Nginx with ModSecurity.