Issue Multiple Failed Login Attempts via Plesk GUI

othmaqsa

Regular Pleskian
Server operating system version
Ubuntu 22.04.4 LTS
Plesk version and microupdate number
Version 18.0.69
Hello,

I've seen many logs like:
[Action Log] Failed login attempt with login 'root'
[Action Log] Failed login attempt with login 'admin'

These login attempts are coming through the Plesk GUI. Is there any way to stop this?

Thanks.
 
Enable Fail2ban and make sure plesk-panel is enabled. Make sure to add your IP address to the trusted IP address list so you don't lock yourself out.
 
Enable Fail2ban and make sure plesk-panel is enabled. Make sure to add your IP address to the trusted IP address list so you don't lock yourself out.
I'm using Imunify360, which has disabled Fail2Ban. Should I be worried?
 
Imunify360 does not work with Fail2Ban, but I think Imunify360 should have similar feature sets; you just need to look for it (sorry, I'm not familiar with it myself, hopefully someone else here can point you to the settings to enable that option).
 
I'm seeing this as well, one IP from a hosting provider known for bad actors, trying over and over:
Code:
[Action Log] Failed login attempt with login 'root' from IP x.x.x.x

My query is because...
  1. Yes, Fail2Ban and the plesk-panel jail are enabled, but it's low rate but endless
  2. More importantly, in the Plesk firewall 'Plesk administrative interface' (I presume as it does not say, :8443) and the HTTP/3 equivalent are set to 'Allow from selected sources, deny from others' with only my own static IP permitted
So, Fail2Ban isn't kicking in due to the low attempt rate, but I don't understand how this gets through at all given the firewall config.

Looking back through the log, this agent has been retrying for weeks, and in the past 2 weeks is the only IP attempting this, suggesting the firewall (IP tables) is active, else I'd expect a whole lot more activity. However, a quick grep and count by IP shows a couple of hundred different IPs, all recording this failed root login to the panel UI, all the while with the firewall set to only permit my IP. Can you explain? What am I missing? How can any IP not on the panel permit list be clocking up these login failures?
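
The "quick grep and count by IP" from the last post, extended to show which sources stay under a Fail2Ban-style threshold; this is an added example, not part of the thread and not Plesk or Fail2Ban code. The timestamp prefix on each line, the `maxretry`/`findtime`/`min_total` values and the sample lines are assumptions; substitute your jail's real settings and log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: each line starts with "YYYY-MM-DD HH:MM:SS"; the message text is
# the one quoted in the thread. Adjust the pattern to your real log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\b.*"
    r"\[Action Log\] Failed login attempt with login '(?P<login>[^']*)'"
    r" from IP (?P<ip>[0-9A-Fa-f:.]+)"
)

def summarize(lines, maxretry=5, findtime=timedelta(minutes=10), min_total=5):
    """Per source IP: total failures, peak count inside any findtime window,
    and whether the source is persistent yet never reaches maxretry."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > findtime:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            "total": len(stamps),
            "peak_in_window": peak,
            "first": stamps[0],
            "last": stamps[-1],
            "low_and_slow": len(stamps) >= min_total and peak < maxretry,
        }
    return report

def sample_lines():
    """Constructed sample data (documentation-range IPs), not real log output."""
    msg = "{:%Y-%m-%d %H:%M:%S} [Action Log] Failed login attempt with login 'root' from IP {}"
    t0 = datetime(2025, 1, 1)
    slow = [msg.format(t0 + timedelta(hours=6 * i), "192.0.2.10") for i in range(10)]
    burst = [msg.format(t0 + timedelta(seconds=5 * i), "198.51.100.7") for i in range(6)]
    return slow + burst + ["2025-01-01 00:00:00 [Action Log] Some other event"]

if __name__ == "__main__":
    for ip, r in sorted(summarize(sample_lines()).items()):
        print(ip, r["total"], r["peak_in_window"], r["low_and_slow"], r["first"], r["last"])
```

Sources flagged `low_and_slow` are the ones a rate-based jail will not ban on its own; the `first` and `last` timestamps show how long each has been retrying.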
 