
Question IP address banning (Fail2ban)

Trung Ma

New Pleskian
Dear Plesk Support,

I have 2 cases, and I need your recommendation.
1. I'm using Fail2ban to protect against brute-force attacks. It's working well. But I always receive notification emails informing me that some IP addresses always try to attack again after Fail2ban unbans them.
I want it to be banned depending on the number of times (meaning, by default it will block for 7 days the first time, 14 days the second time, 30 days the third time, ...).

2. I have more than 10 Plesk servers, and some IPs brute-force all of my Plesk servers. Do we have any ideas for checking this, so that if they attack 3-5 servers, we automatically add that IP to the banned IP addresses on the remaining servers?

Thanks & Regards,
Trung Ma
 

Hi Trung Ma,

Dear. Plesk Support,
Sorry, but the Plesk Community Forum is not the official Plesk support. If you desire to reach the official Plesk support, please visit:


... and choose one of the options: Submit a ticket / Take a professional service / Start chat


If you still desire answers from the Plesk Community Forum, here are some suggestions to your questions:

I want it to be banned depending on the number of times (meaning, by default it will block for 7 days the first time, 14 days the second time, 30 days the third time, ...).
This goal can be reached by using a "recidive" jail, for example.

Further information can be found at:

=> Question - Fail2Ban recidive: how it work ?
=> #8


Do we have any ideas for checking this, so that if they attack 3-5 servers, we automatically add that IP to the banned IP addresses on the remaining servers?
My first thought here is to extract the banned IPs from server 1 (only the ones banned with a recidive jail, for example) from "/var/log/fail2ban.log" and send these extracted IPs with an hourly crontab to your servers 2-10 (this could be done with rsync over an SSH connection, for example). You could then add these IPs with an additional "iptables" command.

But (!!!) this sort of usage is something that you should think over, as your list of banned IPs may grow quite enormous, which is actually regulated when you use the mentioned "recidive jail" instead. Only the IPs that really repeated their offensive behaviour on a specific server are banned for the defined bantime by this "recidive jail", and you don't have to ban additional IPs which didn't even reach your server. ;)
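
The log-extraction idea from this reply, combined with the 3-5 server threshold from the question, as an added example that is not part of the original posts. It assumes a copy of each server's /var/log/fail2ban.log has been collected in one place and that action lines end in "[jail] Ban <ip>", "Restore Ban" or "Unban"; the function names, server names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Action lines in fail2ban.log end in "[jail] Ban <ip>", "Restore Ban" or "Unban".
ACTION_RE = re.compile(
    r"\[(?P<jail>[^\]\s]+)\]\s+(?P<verb>Restore Ban|Ban|Unban)\s+(?P<ip>\S+)\s*$")

def banned_ips(log_text, jail="recidive"):
    """IPs still banned by `jail` after replaying the log in order."""
    banned = set()
    for line in log_text.splitlines():
        m = ACTION_RE.search(line)
        if not m or m["jail"] != jail:
            continue
        try:  # accept only literal IP addresses, never arbitrary log text
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue
        if m["verb"] == "Unban":
            banned.discard(ip)
        else:
            banned.add(ip)
    return banned

def shared_offenders(logs_by_server, min_servers=3, allowlist=()):
    """IPs banned on at least `min_servers` servers, minus allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(set)
    for server, text in logs_by_server.items():
        for ip in banned_ips(text):
            seen[ip].add(server)
    return sorted(
        ip for ip, servers in seen.items()
        if len(servers) >= min_servers
        and not any(ipaddress.ip_address(ip) in net for net in nets))

# Constructed sample logs (documentation-range IPs); server names are hypothetical.
P = "2024-05-01 03:12:44,101 fail2ban.actions [812]: NOTICE "
SAMPLE = {
    "plesk01": P + "[recidive] Ban 203.0.113.7\n" + P + "[recidive] Ban 198.51.100.23\n"
               + P + "[sshd] Ban 198.51.100.9\n",
    "plesk02": P + "[recidive] Restore Ban 203.0.113.7\n" + P + "[recidive] Ban 198.51.100.9\n"
               + P + "[recidive] Unban 198.51.100.9\n",
    "plesk03": P + "[recidive] Ban 203.0.113.7\n" + P + "[recidive] Ban 198.51.100.23\n",
}

if __name__ == "__main__":
    print(shared_offenders(SAMPLE, min_servers=3))
```

Passing each resulting address to `fail2ban-client set recidive banip <IP>` on the remaining servers, rather than adding a raw iptables rule, lets the ban expire with the jail's bantime, which keeps the list from growing without bound. The allowlist should cover your own management and monitoring networks so a shared ban cannot lock you out of every server at once.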
 