• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Make recidive in fail2ban more efficient

Bossman

Basic Pleskian
I want to make my recidive efficient in a way i could ban returning hackers which try to bruteforce postfix.

I observe that hackers have thousands of servers over the whole world so thinking of a way to ban most of them, so maybe i could use fail2ban + geoIP and ban half of the world (but i did not found any solution to implement banning that way in plesk), so such logic is not bad if you have clients that reside in 3-5 countries and you allow smtp auth to that countries and deny all other., but to the topic...

I was configuring recidive, postfix, dovecot jails and changed some fail2ban logrotate periods, but i could not find some info that is important to understand logic behind fail2ban, please let me to understand:

1. Recivide jail takes IP from fail2ban.log, so if i set recidive to block IP for 60 days
a: I would need to extend fail2ban.log, so log will not rotate for 60 days, right ?, as default log rotates each week and there will be 7 compressed logs. I have changed now to rotate monthly with 12 rotates.
b: So i assume that fail2ban check only first log, not the rotated gz logs, right ?

2. If i set recidive jail to block IP after 2 failures - It means: before recidive would block IP - that IP need to be banned two times in different jail/jails, is that right ?
3. Postfix jail - If i set postfix jail to block IP for 15 days, how that will influence recidive jail ?, does it really matter ?, is there need to setup such long time in other jails like postfix ?
4. Is there any limit of IP being banned in Plesk firewall ?, i know plesk uses IPTABLES module, but i could not find how many IP's could be banned, to not to overfill anything there.
5. There is on internet solution called repeat offender, but i am not sure it would not overlap with recidive jail ?
 
1a -> no need to change rotation, read about the settings: bantime, findtime, maxretry
1b -> fail2ban reads the log which is defined in jails logpath, for the recidive jail /var/log/fail2ban.log will be used
2 -> yes it means recidve will ban ip based on the log entrys matching bantime, findtime, maxretry
3. -> such long block time should not be needed, if it is an repeating offender he will by chached up by the recidive jail
4. it depends on your system and resources, if you are worry about the amount of blocked ip´s then you can set up the jails with ipset,

read also:
Using Fail2ban to Secure Your Server - A Tutorial
Optimising your Fail2Ban filters | The Art of Web
Protection Against Brute Force Attacks (Fail2Ban)
Fail2Ban Jails Management
 
Last edited:
Brujo, thank you for your time and answers.
Do IPset can be easy way implemented in plesk ?
Is 300 Ip's in fail2ban big amount ?
 
Back
Top