
Question Plesk Admin - Bad Bot protection

Alban Staehli

Regular Pleskian
Server operating system version: AlmaLinux 8.10 (Cerulean Leopard)
Plesk version and microupdate number: 18.0.68 Update #2
Hi,

I see many connection attempts from the user agent Go-http-client to the Plesk Admin panel within short periods of time; it seems to be a bad bot.
The requests show up in the following log file: /var/log/plesk/httpsd_access_log
This usually triggers, at the same time, the following alert - "The threshold of Apache & PHP-FPM memory usage has been exceeded", which is well documented here: How to Avoid High CPU Load & Block Bad Bots with Plesk.

While fail2ban is well configured for Apache & Nginx hosted domains, according to the previous Plesk page on banning bad bots, with up to 8000 IPs now being banned, I don't think that the Plesk Panel's own log files are checked by fail2ban.

Am I correct? If yes, how can I prevent a specific user agent from accessing the Plesk Panel? Any Nginx conf file?
Or any better approach to protect Plesk Admin panel?

Thanks.
 
Those requests are normal. It's not a bad bot.
What is the IP address on those requests?

You can firewall the Plesk port or install the MFA extension for additional protection.
 
Those requests are normal. It's not a bad bot.
Why not? That's for primary crawling. I check User-Agents, and "Go-http-client" is one of those that get a "403", and fail2ban will ban it.
 
Am I correct?
Looks like you're right. The /var/log/plesk/httpsd_access_log log file isn't used/monitored by any of the default fail2ban jails in Plesk. You can simply add the log to the plesk-apache-badbot jail if you like, so that fail2ban can use the log file too.

If yes, how can I prevent a specific user agent from accessing the Plesk Panel? Any Nginx conf file?
You can add any additional user agent to the plesk-apache-badbot filter to get it banned by fail2ban. Note that "Go-http-client" is the default user agent of the Go HTTP client package. This isn't necessarily a bad bot: the package gets used by a lot of bad scrapers and crawlers, but also by many legitimate services (for example to perform API calls).

Or any better approach to protect Plesk Admin panel?
I posted a custom jail here that you can use to block failed HTTP requests to the Plesk server. In conjunction with the steps mentioned above, this would harden the protection of Plesk a bit. But to significantly improve security, this is an excellent suggestion:

You can firewall the Plesk port or install the MFA extension for additional protection.
 
Looks like you're right. The /var/log/plesk/httpsd_access_log log file isn't used/monitored by any of the default fail2ban jails in Plesk. You can simply add the log to the plesk-apache-badbot jail if you like, so that fail2ban can use the log file too.
Thanks @Kaspar, this is exactly what I was after.

While Go-http-client may be default user agent of the GO HTTP client package, any PROD ready code using it shall rename the user agent accordingly - looking at the heavy amount of connections generated from multiple IPs with this user agent, preference is to block and whitelist any exception along the way when required.

I posted a custom jail here that you can use to block failed HTTP requests to the Plesk server. In conjunction with the steps mentioned above, this would harden the protection of Plesk a bit. But to significantly improve security, this is an excellent suggestion:
This is great - need to first monitor the error log file, and then will check for its implementation.

You can firewall the Plesk port or install the MFA extension for additional protection.
This is in place - the objective here relates more to bots and performance impact than to additional protection.
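
An added example (not from the thread or from Plesk): before adding Go-http-client to a fail2ban filter, this checks which source IPs send bursts with that user agent and which are one-off callers that may need whitelisting. It assumes /var/log/plesk/httpsd_access_log uses the combined access-log format; the sample lines, IPs, window and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: combined log format. Compare with a real line from
# /var/log/plesk/httpsd_access_log and adjust the regex if it differs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_bursts(lines, ua_substr="Go-http-client", window_s=60, threshold=5, allow=()):
    """Return {ip: peak hits inside any sliding window} for IPs at or above threshold.

    Lines are expected in chronological order, as in an access log.
    IPs listed in `allow` (known legitimate API clients) are skipped.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in one window
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ua_substr.lower() not in m["ua"].lower():
            continue              # unparsable line or a different user agent
        ip = m["ip"]
        if ip in allow:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, sec, ua):
    # Builds one constructed sample line (documentation-range IPs only).
    return f'{ip} - - [08/Apr/2025:12:00:{sec:02d} +0200] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE = (
    [_line("192.0.2.10", s, "Go-http-client/1.1") for s in range(0, 12, 2)]  # 6 hits in 10 s
    + [_line("198.51.100.7", 5, "Go-http-client/2.0")]            # single call
    + [_line("203.0.113.5", s, "Mozilla/5.0") for s in range(8)]  # other user agent
)

if __name__ == "__main__":
    for ip, hits in sorted(find_bursts(SAMPLE).items()):
        print(f"{ip}: {hits} requests within 60 s")
```

On a real server, pass the opened log file as `lines`; IPs that only appear when `threshold=1` are the candidates to review for whitelisting before the user agent is banned outright.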
 