Resolved Plesk 12.5.30 + CentOs7 + Fail2Ban jail "recidive" = 502 Bad Gateway nginx

[Antonio Volpe]

After the last update # 41 the jail "recidive" generates the error "502 Bad Gateway nginx" blocking access to websites. To allow access to sites I had to disable the jail. Have you any suggestions to reactivate it without incurring the error 502?

 

[UFHH01]

Hi Antonio Volpe,

such issues can appear, when your website coding is inadequate and leads to missing images, non-existent links and so on.
But to inform you, it is NOT the "recidive" jail, which is blocking IPs for "bad behaviour" of your visitor - it's for example the jail "apache-nohome.conf", with failregex - expressions, as for example:

...
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*

ignoreregex =
...

Example:
Let's assume, that you coded your website to serve "favicon", with the URL "https//www.YOUR-DOMAIN.COM/favicon.ico", but your icon is not existent at this URL, then visitors will get punished for this inadequate coding, because YOU directed them with your website - code to ask for a icon at the above path, but each time your visitor request the file, your webserver doesn't serve the icon with the answer "File does not exist" ( Pls. see your domain - specific log - files for such issues/problems/errors - so you can correct your inadequate coding! ).
As you can see, Fail2Ban doesn't do anything wrong here, it just bans IPs, with the filters, that YOU define. The "recidive" - jail just bans "returning" IPs, so when Fail2Ban recognizes a returning IP, which get banned again and again, then it will ban this specific IP for a longer time now ( as defined in your jail! ). The "recidive" - jail monitors your "fail2ban.log" and not any webserver - log - files.

 

[Sergio Manzi]

Hello UFHH01,

sorry for dropping in, but after reading your answer I got concerned about something like this happenning to me as well, so I've looked at my ip2ban jails and filters and I didn't find a rule like the one you cited (btw, I have updated to #41 too before checking).

To be honest I think it would be an abomination to ban anybody for triggering "404"s (unless we are talking about hundreds of them by the second).

Can you please confirm that such a rule does not exists in Plesk standard configuration?

TIA, Sergio.

 

[UFHH01]

Can you please confirm that such a rule does not exists in Plesk standard configuration?

Sure... this is absolutely "confirmed".

I just wanted to describe, what the root cause of this issue might be, so I pointed out a jail from the official Fail2Ban github repo: https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/apache-nohome.conf
Often enough, people activate all existent jails ( even those which are not inspected! ) and find themselve in situations as described.

Plesk standard jails are named with "plesk-" at "/etc/fail2ban/filter.d".

 

[Sergio Manzi]

Perfect, thanks!

 

[Antonio Volpe]

Hi UFHH01,
I first of all thank you for the answer. I just want to point out that the jail "recidive" of the error 502 not only on sites that have no picture but also empty index.html:
<html>
<Head>
<Title> Untitled </ title>
</ Head>
<Body> </ body>
</ Html>)
or in the placeholder pages of plesk.
However I am comforted to know that those to whom I owe sytare careful jails are named with "plesk-.
Thanks!