• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Input plesk fail2ban missing some important filter rules

P

PeterKi

Regular Pleskian
Server operating system version
Ubuntu 22.04.3 on strato vServer
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition Version 18.0.56
Looking at the server logs of my Ubuntu 22.04 system with Plesk obsidian 18.0.56 I found many entries which are not covered by the plesk jails.
The most frequent of these are apache 404 and postfix errors.
The plesk developers eventually should take a deeper look at server logs and add filters for the most frequent failing access attempts.
I have added 3 filters for the entries metioned above, but I would expect that plesk fail2ban rules cover those frequent access attempts by default.
The filters I suggest are:

apache404
[Definition]
failregex = <HOST> - .* "(GET|POST|HEAD).*HTTP.*"\s404\s
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

postfix-sasl
[Definition]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed([\s\w+\/:]*={0,4})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$

postfix-ssl
[Definition]
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]
ignoreregex =
 
Hi in my opinion blocking Apache's 404 errors using fail2ban might it could lead to unintended consequences if its enabled by default

Many websites feature numerous 404 pages, often not indicative of an attack. It's crucial to handle this issue delicately—blocking access to crawlers such as Google and Bing can lead to unintended consequences.

Consider this scenario: if I link your website to several 404 URLs using follow links, certain crawlers will detect these links and attempt access. Consequently, you might end up blocking Googlebot IPs, causing your website to vanish from Google's index or triggering SEO complications.
 
Sorry for not being precise enough.
I did not mean that a filter for 404 errors should be enabled by default, but should be supplied by Plesk.
It is then up to the user to enable it or not.
Also, I think crawlers that do not obey pages excluded by a robots.txt should be banned.
 
You must log in or register to reply here.

Similar threads

S
Issue Filter for plesk-wordpress jail does not work, any ideas?
Replies
1
Views
356
AYamshanov
AYamshanov
J
Issue Default plesk-wordpress fail2ban doesn't work
Replies
6
Views
858
Peter Debik
P
P
Input Enhancement suggestions for Plesk's fail2ban filters
Replies
1
Views
1K
Maarten
M
T
Question Fail2ban trying to setup a rule to ban ai bots
Replies
4
Views
1K
Bitpalast
Bitpalast
Z
Resolved How to recognize fail2ban filter
Replies
6
Views
2K
Zoo3
Z
Back
Top