Azurel
TITLE
Plesk fail2ban jails and iptables not working correctly [SECURITY ISSUE?]
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
CentOS Linux 8.2.2004, Plesk Obsidian Version 18.0.30 Update #2
PROBLEM DESCRIPTION
Plesk shows banned IPs in the GUI, but many of these IPs are not blocked in iptables.
I have taken a look at iptables -L -n and ip6tables -L -n.
Nearly 100 banned IPs which exist in Plesk are missing here.
f2b-plesk-modsecurity has 1 address in iptables, but 2 addresses in Plesk (0 addresses in ip6tables)
f2b-recidive has 35 addresses in iptables, but 65 addresses in Plesk (2 addresses in ip6tables)
f2b-banned-servers has 10 addresses in iptables, but 119 addresses in Plesk (1 address in ip6tables)
f2b-default has 3 addresses in iptables and 3 addresses in Plesk. This is the only one that is correct.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-plesk-dovecot tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,4190
f2b-banned-servers tcp -- 0.0.0.0/0 0.0.0.0/0
f2b-default tcp -- 0.0.0.0/0 0.0.0.0/0
f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0
f2b-plesk-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
f2b-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
f2b-plesk-modsecurity tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,7080,7081
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-plesk-modsecurity (1 references)
target prot opt source destination
REJECT all -- 185.234.216.38 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-plesk-postfix (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-recidive (1 references)
target prot opt source destination
REJECT all -- 45.148.10.15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 52.252.105.88 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 165.227.164.165 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 156.146.63.138 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 157.230.184.77 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.17.46.157 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 77.87.228.66 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 216.189.151.64 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 63.250.47.109 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 52.161.94.131 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.62.63.82 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 14.142.57.66 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.69 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.62.61.107 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.93.160.76 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 156.146.63.135 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.17.46.155 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 3.234.246.94 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.102.35.15 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.84 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.53 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.70.149.21 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.17.46.248 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.17.46.201 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.148.10.28 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 3.238.110.7 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 94.237.109.119 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 3.137.158.36 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.17.46.156 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 129.146.99.134 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 217.138.209.149 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.7.204.175 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 62.102.148.69 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.102.35.158 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 79.89.61.90 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-default (1 references)
target prot opt source destination
REJECT all -- 54.38.81.231 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 45.125.65.31 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 51.68.196.103 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-banned-servers (1 references)
target prot opt source destination
REJECT all -- 5.9.104.222 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 212.252.143.209 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 31.156.79.187 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 54.90.45.134 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 108.6.40.25 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.186.69.37 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 79.223.226.145 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 79.223.235.144 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 84.174.68.180 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 79.223.226.75 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-plesk-dovecot (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
I have taken a look at the f2b-banned-servers logfile; these are the last entries in this file.
What I can see is the same IPs (in reverse order) in iptables:
2020-10-16 17:28:01 1542 79.223.226.75
2020-10-17 05:29:01 1534 84.174.68.180
2020-10-18 05:36:01 1544 79.223.235.144
2020-10-19 02:44:02 1539 159.255.169.130
2020-10-19 05:29:01 1538 79.223.226.145
2020-10-19 05:32:01 1518 5.186.69.37
2020-10-19 05:39:01 1542 108.6.40.25
2020-10-19 20:55:02 1531 54.90.45.134
2020-10-19 22:58:02 1505 31.156.79.187
2020-10-20 01:27:02 1529 2003:c6:9738:f200:19c3:c87f:d48f:3a72
2020-10-20 03:34:01 1915 212.252.143.209
2020-10-20 04:57:01 1503 5.9.104.222
- IPv4 159.255.169.130 is missing in iptables, but exists in Plesk (this IP appears 3 times in the logfile in the last 2 months, because it is not banned anymore, although the ban lasts 180 days.)
- IPv6 2003:c6:9738:f200:19c3:c87f:d48f:3a72 is in ip6tables
This file has 119 entries; all IPs are in Plesk, but only 10 are blocked.
The "IP address ban period" for this jail is "15552000", that's 180 days. I can see that these fake-blocked IPs request pages with HTTP status code 200.
New banned IPs are added. Is it possible that the "IP address ban period" is evaluated differently here and thus the IP is removed too early from iptables, or that another jail frees these IPs?
The data above is from Tuesday. Today it's WORSE...
- f2b-banned-servers has 128 IPs in Plesk and iptables shows nothing for this jail.
- f2b-plesk-postfix has 6 IPv4s in Plesk, but only 4 in iptables (these 4 IPs are from today).
- f2b-default has 4 IPs in Plesk, but nothing in iptables.
- f2b-recidive has 62 IPs in Plesk, but nothing in iptables.
STEPS TO REPRODUCE
see description
ACTUAL RESULT
Plesk shows many IPs which are not really banned.
EXPECTED RESULT
Plesk and iptables should match
ANY ADDITIONAL INFORMATION
Nothing self-installed; this system has iptables and firewalld.
# iptables -L -n
# firewall-cmd --check-config
# firewall-cmd --permanent --get-ipsets
Shows me only my own IPSets for custom blocked IPs. There are no Plesk IPSets.
I have a script that weekly removes my custom IPSets and creates them again from a file. With "firewall-cmd --reload" it updates all IPSets.
The cronjob "50plesk-weekly" starts weekly. Is there something that changes iptables? It looks like iptables is cleared weekly. All existing IPs have disappeared since this Friday.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
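A way to check this kind of mismatch systematically, as an added example that is not the poster's or Plesk's code: it parses the `iptables -L -n` / `ip6tables -L -n` listing format shown in the post and diffs each jail's chain against the addresses fail2ban claims are banned. The listings and the claimed ban list are constructed here (using addresses quoted in the post); on a live host they would come from `iptables -L -n`, `ip6tables -L -n` and `fail2ban-client status <jail>`.

```python
import re
from typing import Dict, Set

# Chain header of a fail2ban jail, e.g. "Chain f2b-recidive (1 references)"
CHAIN_RE = re.compile(r"^Chain (f2b-\S+) \(\d+ references\)")
# target, prot, optional opt column ("--" in iptables, blank in ip6tables), then source
RULE_RE = re.compile(r"^(?:REJECT|DROP)\s+\S+\s+(?:[-!]\S\s+)?(\S+)\s+\S+")

def enforced_bans(*listings: str) -> Dict[str, Set[str]]:
    """Map each f2b-* chain to the sources it rejects, merged over the v4 and v6 listings."""
    chains: Dict[str, Set[str]] = {}
    for listing in listings:
        current = None
        for line in listing.splitlines():
            m = CHAIN_RE.match(line)
            if m:                          # entering a jail chain
                current = m.group(1)
                chains.setdefault(current, set())
            elif line.startswith("Chain "):
                current = None             # INPUT/FORWARD/OUTPUT or a non-f2b chain
            elif current and (r := RULE_RE.match(line)):
                chains[current].add(r.group(1))
    return chains

def find_missing(claimed: Dict[str, Set[str]], chains: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Jail -> addresses fail2ban reports as banned that no kernel rule is blocking."""
    gaps = {jail: ips - chains.get(f"f2b-{jail}", set()) for jail, ips in claimed.items()}
    return {jail: gap for jail, gap in gaps.items() if gap}

# Constructed listings in `iptables -L -n` / `ip6tables -L -n` format, addresses taken from the post.
IPTABLES_SAMPLE = """Chain f2b-banned-servers (1 references)
target     prot opt source               destination
REJECT     all  --  5.9.104.222          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  212.252.143.209      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
IP6TABLES_SAMPLE = """Chain f2b-banned-servers (1 references)
target     prot opt source               destination
REJECT     all      2003:c6:9738:f200:19c3:c87f:d48f:3a72  ::/0  reject-with icmp6-port-unreachable
"""
# What the Plesk GUI / `fail2ban-client status <jail>` claims is banned (constructed).
CLAIMED = {
    "banned-servers": {"5.9.104.222", "212.252.143.209", "159.255.169.130",
                       "2003:c6:9738:f200:19c3:c87f:d48f:3a72"},
    "default": {"54.38.81.231"},
}
if __name__ == "__main__":
    for jail, ips in find_missing(CLAIMED, enforced_bans(IPTABLES_SAMPLE, IP6TABLES_SAMPLE)).items():
        print(f"{jail}: {len(ips)} banned in fail2ban but not in iptables: {sorted(ips)}")
```

A jail whose chain is absent or contains only the RETURN rule, as the post shows for f2b-default and f2b-recidive, reports every claimed address as missing.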