• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Imunify360 or fail2ban PLEASE give me your input

michaeljoseph01

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
18.0.51
I have a new site up, a work in progress and I'm already seeing tons of malicious traffic. I went from relying on mod_security and fail2ban to installing imunify360 because of how much hype I saw online. Now, i'm how different Imunify360 works compared to fail2ban and I'm not convinced its better, at least for my setup. It doesn't utilize "jails", so no matter how many times a malicious client tries to brute force into ssh, or wp-login, or probe for xmlrpc vulnerabilities, or any other clearly malicious behavior - they can come back again and again and I see all these requests in the logs drowning out legitimate traffic.

I emailed Imunify support about this:
----
I just installed Imunify360 and am trying to understand these filtering rules. I've attached a screenshot that shows I'm having dozens of malicious events in a span of minutes by a small number of IP's, yet there is not one IP in the blacklist yet? When using fail2ban, I could determine how many times an IP offended before they were totally banned for whatever length of time I choose. Where is the equivalent configuration here? It's still sapping server resources by handling these requests one by one, why are none of these bad actors ending up on a permanent drop list and able to come back again and again to probe different parts of the attack surface??
----

The response I got:
----
Hi Michael,

All of the IP addresses on your screenshot were blocked: the ones in a blue bubble were blocked by the active response feature on the fly, without adding to any lists due to the way how the feature works, and the ones in the gray bubble were graylisted, i. e. served captcha before allowing access to the actual sites.

Permanent blocking brings high risks of false-positives and we never do this automatically - we limit accesses in a smart and sophisticated ways with the help of gray list, heuristics on the central server, WAF, and the on-the-fly blocking features - active response and PAM.

Permanent list is available only for manual blocking, and the automatic blockings are implemented via the gray list, to avoid false-positives, as there has to be a balance between security and usability.
----

From my view, if I see someone with clearly malicious intent, I'm not going to continue to allow them to come back to probe other areas, or even the same area over and over and over again. I can totally see how this tradeoff would be necessary if you're running absolutely critical services, but for a website with no users yet this seems ludicrous to allow this resource-intensive firewall to keep sapping memory, cpu cycles and log entries dealing with the kind of traffic that in my eyes should be stopped at the front gate.


What do other people think, or use??? I can't be the only one fretting about malicious traffic, seeing how my site doesn't even have any backlinks yet and I'm already seeing the logs filling up with the probing of bad actors.
 
Customers often come to me for help when Fail2Ban has banned them or their customers from accessing Plesk, their websites, or some other service. I just had to help someone whitelist an innocent IP address that was recently banned by Fail2Ban.

These services don't know what kind of site you're running. Web technologies can get very complicated and end up triggering false positives without fine-tuning. Imunify360 prevents locking out legitimate people and keeps the server both secure and usable, but requires more resources as a trade-off. If low resource usage is more important to you, Fail2Ban is better. If resources are not an issue, Imunify360 is preferable.

That said, I use Fail2Ban on my personal server. Like you, I prefer the way it does things and also appreciate the simplicity and ease of use.
 
Customers often come to me for help when Fail2Ban has banned them or their customers from accessing Plesk, their websites, or some other service. I just had to help someone whitelist an innocent IP address that was recently banned by Fail2Ban.

These services don't know what kind of site you're running. Web technologies can get very complicated and end up triggering false positives without fine-tuning. Imunify360 prevents locking out legitimate people and keeps the server both secure and usable, but requires more resources as a trade-off. If low resource usage is more important to you, Fail2Ban is better. If resources are not an issue, Imunify360 is preferable.

That said, I use Fail2Ban on my personal server. Like you, I prefer the way it does things and also appreciate the simplicity and ease of use.
Shall I disable Fail2Ban when installed Imunify360 or it's automatticly will switch.
 
Fail2Ban is a separate service and does not need to be deactivated. You can keep it running along with Immunify360.
 
Immunify360 automatically disables Fail2Ban when you install it, as according to CloudLinux (makers of Immunify360), the two are NOT compatible with each other and will cause issues.

I have Immunify360 installed on my server and during installed it disabled Fail2Ban, so I removed Fail2Ban, as Immunify360 handles all that Fail2Ban did and more.
 
Immunify360 automatically disables Fail2Ban when you install it, as according to CloudLinux (makers of Immunify360), the two are NOT compatible with each other and will cause issues.

I have Immunify360 installed on my server and during installed it disabled Fail2Ban, so I removed Fail2Ban, as Immunify360 handles all that Fail2Ban did and more.
thats what i want to know, thye are syaing not related but somehow i found Fail2Ban disbaled once installed I360., thank you
 
Back
Top