
Question Over 3,000 blocked IPs due to "plesk-apache-badbot"

Ricardo Capistran

New Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.71 Update #2 Web Host Edition
Is there any reason why I suddenly have over 3,000 blocked IPs due to "plesk-apache-badbot"?

I normally hover between 40 and 90, but it suddenly went way up... and several IPs are local, from my city.

Is this normal?
 
Sadly, such a high number of blocked IPs is not unusual. It kinda depends on how many websites you host, how much traffic they have and what other (security) measures you've taken to filter traffic. In my opinion, having only 40 to 90 blocked IPs is quite low.

If you feel (some) IPs are falsely blocked by the plesk-apache-badbot jail, you can cross-reference the IP with the access logs to see which bots were used to access your site(s) and remove the bot from the fail2ban filter.

To search through the access logs of all domains, including already rotated logs, you can use zgrep, like:
Bash:
zgrep "123.123.123.123" /var/www/vhosts/system/*/logs/*
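
Added example, not part of the forum posts: a shell helper for the cross-reference step described above. For one banned IP it counts the User-Agent strings that IP sent across plain and rotated logs, matching the client field exactly. The function names `ua_summary` and `make_sample_logs` are hypothetical, the logs are assumed to be in Apache combined format, and the sample log lines are constructed.

```bash
# ua_summary IP FILE...   (hypothetical helper name)
# Prints "<count><TAB><user-agent>" for one client IP, most frequent first.
ua_summary() {
    local ip=$1; shift
    # gzip -cdf decompresses rotated .gz logs and passes plain logs through.
    gzip -cdf -- "$@" 2>/dev/null |
    awk -v ip="$ip" '
        # Exact string match on the client field: dots are not wildcards
        # and 203.0.113.7 does not also match 203.0.113.70.
        ($1 "") == (ip "") {
            # Assumes combined log format: User-Agent is the last quoted field.
            n = split($0, q, "\"")
            ua = (n >= 7) ? q[n - 1] : "(no user-agent field)"
            count[ua]++
        }
        END { for (ua in count) printf "%d\t%s\n", count[ua], ua }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample logs: documentation IPs and made-up user agents.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [10/Aug/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleBadBot/1.0"
203.0.113.70 - - [10/Aug/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Aug/2025:10:00:03 +0000] "GET /a HTTP/1.1" 404 0 "-" "ExampleBadBot/1.0"
EOF
    printf '%s\n' '203.0.113.7 - - [09/Aug/2025:09:00:00 +0000] "GET /b HTTP/1.1" 200 9 "-" "Mozilla/5.0 (X11; Linux x86_64)"' |
        gzip -c > "$1/access_log.1.gz"
}

# Demo on the constructed data. On a server the call would use the glob from
# the post: ua_summary 123.123.123.123 /var/www/vhosts/system/*/logs/*
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
ua_summary 203.0.113.7 "$demo_dir"/*
rm -rf "$demo_dir"
```

A banned IP whose summary shows only ordinary browser agents is a candidate false positive; one dominated by a single crawler string points to the filter entry that caused the ban.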
 

@Ricardo Capistran

It is as @Kaspar has already stated: it is not unusual.


Nevertheless, one should take notice of the context that applies.

Let me explain.


If and whenever using only Fail2Ban, a count of 3000 banned IPs is certainly not abnormal, not at all!

In fact, Fail2Ban discards some banned IPs after a pre-defined time, implying that the actual count can be and often is much higher than 3000.


If and whenever using Fail2Ban with other countermeasures, like

- Plesk Firewall, for instance with country blocks and/or CIDR range blocks, (and/or)
- the so-called DENY entries in Nginx config files, (and/or)
- the entries in /etc/hosts.deny file, (and/or)
- most importantly, a good Web Application Firewall (WAF),

a count of 3000 banned IPs for plesk-apache-badbot would really be abnormal!


The fact that you have 3000 banned IPs is a strong indication that you do not have other "countermeasures" in place.


I strongly recommend that you configure and fine-tune other countermeasures that combat bad or malicious traffic.

After all, Fail2Ban is not the only method to prevent bad / malicious traffic and certainly not the best method - Fail2Ban is resource hungry!

Just try to implement / configure / optimize the Plesk Firewall first, then use Nginx as a proxy and then proceed with the remainder (see above).


I hope the above helps a bit!

Kind regards....
 