
Plesk firewall not working

Chris1

Regular Pleskian
Hello,

Plesk 12.5 Update #5 on CloudLinux 7.1.

It seems that my Plesk firewall isn't working. I've got an attacker trying to brute-force a client's WordPress website:

Code:
78.142.63.72 - - [16/Oct/2015:10:38:50 +1100] "POST /wp-login.php HTTP/1.0" 200 4405 "-" "-"

It isn't being picked up by the Fail2Ban WordPress jail. I've tried putting a custom ban into the Plesk Firewall ("Deny incoming from 78.142.63.72 on all ports"), but the login attempts still continue.

Here is the output from "iptables -L":
Code:
Chain INPUT (policy DROP)
target  prot opt source  destination
f2b-plesk-wordpress  tcp  --  anywhere  anywhere  multiport dports http,https,empowerid,7081
f2b-plesk-roundcube  tcp  --  anywhere  anywhere  multiport dports http,https,empowerid,7081
f2b-plesk-modsecurity  tcp  --  anywhere  anywhere  multiport dports http,https,empowerid,7081
f2b-plesk-login  tcp  --  anywhere  anywhere  multiport dports cddbp-alt,pcsync-https
f2b-plesk-courierimap  tcp  --  anywhere  anywhere  multiport dports imap,imap3,imaps,pop3,pop3s
f2b-plesk-dovecot  tcp  --  anywhere  anywhere  multiport dports imap,imap3,imaps,pop3,pop3s,sieve
f2b-plesk-postfix  tcp  --  anywhere  anywhere  multiport dports smtp,urd,submission
f2b-plesk-proftpd  tcp  --  anywhere  anywhere  multiport dports ftp,ftp-data,ftps,ftps-data
f2b-recidive  tcp  --  anywhere  anywhere
f2b-SSH  tcp  --  anywhere  anywhere  tcp dpt:ssh
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
REJECT  tcp  --  anywhere  anywhere  tcp flags:!FIN,SYN,RST,ACK/SYN state NEW  reject-with tcp-reset
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere
DROP  udp  --  server1.agrawebhosting.com  anywhere
DROP  tcp  --  server1.agrawebhosting.com  anywhere
ACCEPT  udp  --  anywhere  anywhere  udp dpt:snmp
ACCEPT  tcp  --  anywhere  anywhere  tcp dpts:65000:65534
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:fjicl-tep-a
DROP  tcp  --  anywhere  anywhere  tcp dpt:12443
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:11443
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:11444
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:8447
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:pcsync-https
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:cddbp-alt
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:http
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:https
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ftp
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssh
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:submission
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:smtp
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:urd
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:pop3
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:pop3s
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:imap
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:imaps
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:poppassd
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:mysql
DROP  tcp  --  anywhere  anywhere  tcp dpt:postgres
DROP  tcp  --  anywhere  anywhere  tcp dpt:ogs-server
DROP  tcp  --  anywhere  anywhere  tcp dpt:glrpc
DROP  udp  --  anywhere  anywhere  udp dpt:netbios-ns
DROP  udp  --  anywhere  anywhere  udp dpt:netbios-dgm
DROP  tcp  --  anywhere  anywhere  tcp dpt:netbios-ssn
DROP  tcp  --  anywhere  anywhere  tcp dpt:microsoft-ds
DROP  udp  --  anywhere  anywhere  udp dpt:openvpn
ACCEPT  udp  --  anywhere  anywhere  udp dpt:domain
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:domain
ACCEPT  icmp --  anywhere  anywhere  icmptype 8 code 0
DROP  all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
target  prot opt source  destination
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
REJECT  tcp  --  anywhere  anywhere  tcp flags:!FIN,SYN,RST,ACK/SYN state NEW  reject-with tcp-reset
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere
DROP  all  --  anywhere  anywhere

Chain OUTPUT (policy DROP)
target  prot opt source  destination
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
REJECT  tcp  --  anywhere  anywhere  tcp flags:!FIN,SYN,RST,ACK/SYN state NEW  reject-with tcp-reset
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere
ACCEPT  all  --  anywhere  anywhere

Chain f2b-SSH (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-courierimap (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-dovecot (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-login (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-modsecurity (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-postfix (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-proftpd (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-roundcube (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

Chain f2b-plesk-wordpress (1 references)
target  prot opt source  destination
REJECT  all  --  server1.agrawebhosting.com  anywhere  reject-with icmp-port-unreachable
RETURN  all  --  anywhere  anywhere

Chain f2b-recidive (1 references)
target  prot opt source  destination
RETURN  all  --  anywhere  anywhere

The reverse name for 78.142.63.72 is server1.agrawebhosting.com, and it appears to be blocked in iptables, but they still seem to be able to make login attempts against my server every second.
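Added example, written for this page and not part of the post or of Plesk/Fail2Ban: a small Python checker that counts POST /wp-login.php per source IP in access-log lines of the format quoted above, then walks an `iptables-save` ruleset the way the kernel does (first match wins, jumps into the f2b-* chains, RETURN or fall-through resumes in INPUT) and reports which rule a new connection from that IP would hit. It reads the `iptables-save` form rather than `iptables -L` output on purpose: `-L` without `-n` prints reverse names instead of addresses (which is why server1.agrawebhosting.com appears in the listing) and service names from /etc/services instead of ports (empowerid is 7080), and without `-v` it hides the interface match, so the bare `ACCEPT all -- anywhere anywhere` line above cannot be told apart from `-i lo -j ACCEPT`. The log lines, the ruleset, the second client address 203.0.113.9 and the interface name eth0 are all constructed for the example and are not the poster's real data; only `-s`, `-p`, `-i`, `--dport(s)`, `--state` and a negated `--tcp-flags` SYN check are modelled, so the verdict is a first pass, not proof.

```python
import ipaddress
import re
from collections import Counter

# Constructed access-log lines in the format quoted in the post; 203.0.113.9 is a made-up second client.
ACCESS_LOG = """\
78.142.63.72 - - [16/Oct/2015:10:38:50 +1100] "POST /wp-login.php HTTP/1.0" 200 4405 "-" "-"
78.142.63.72 - - [16/Oct/2015:10:38:51 +1100] "POST /wp-login.php HTTP/1.0" 200 4405 "-" "-"
203.0.113.9 - - [16/Oct/2015:10:38:52 +1100] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Oct/2015:10:38:53 +1100] "POST /wp-login.php HTTP/1.1" 200 4405 "-" "Mozilla/5.0"
"""

# Constructed `iptables-save` excerpt shaped like the post's INPUT chain; assumed, not the real ruleset.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:f2b-plesk-wordpress - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-plesk-wordpress
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 78.142.63.72/32 -p udp -j DROP
-A INPUT -s 78.142.63.72/32 -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A f2b-plesk-wordpress -s 78.142.63.72/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-plesk-wordpress -j RETURN
COMMIT
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def wp_login_attempts(log_text):
    """Count POST /wp-login.php per source IP, the event the plesk-wordpress jail keys on."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php":
            hits[m["ip"]] += 1
    return hits


def _ports(spec):
    # '80,443,7080:7081' -> [(80, 80), (443, 443), (7080, 7081)]
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition(":") for p in spec.split(","))]


def _opt(line, pattern, conv=str):
    m = re.search(pattern, line)  # optional match such as ' -s 1.2.3.4/32'; None if absent
    return conv(m[1]) if m else None


def parse_iptables_save(text):
    """Parse the *filter table into (chain policies, rules per chain); unmodelled matches are ignored."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            chains[line.split()[1]].append({
                "src": _opt(line, r" -s (\S+)", ipaddress.ip_network),
                "proto": _opt(line, r" -p (\S+)"),
                "iface": _opt(line, r" -i (\S+)"),
                "dports": _opt(line, r" --dports? (\S+)", _ports),
                "states": _opt(line, r" --state (\S+)", lambda s: set(s.split(","))),
                "not_syn": " ! --tcp-flags " in line,
                "target": _opt(line, r" -j (\S+)"),
            })
    return policies, chains


def rule_matches(r, ip, proto, dport, iface, state):
    """Would a well-formed new flow (clean SYN, or a UDP datagram) from ip on iface hit rule r?"""
    return (not r["not_syn"]  # '! --tcp-flags ... SYN' only catches malformed new flows
            and (r["src"] is None or ip in r["src"])
            and (r["proto"] is None or r["proto"] == proto)
            and (r["iface"] is None or r["iface"] == iface)
            and (r["dports"] is None or any(lo <= dport <= hi for lo, hi in r["dports"]))
            and (r["states"] is None or state in r["states"]))


def verdict(ruleset, ip, proto="tcp", dport=80, iface="eth0", state="NEW"):
    """First-match walk of INPUT, following jumps; RETURN or fall-through resumes in the caller."""
    policies, chains = ruleset
    ip = ipaddress.ip_address(ip)
    def walk(name):
        for n, r in enumerate(chains[name], 1):
            if not rule_matches(r, ip, proto, dport, iface, state):
                continue
            if r["target"] in {"ACCEPT", "DROP", "REJECT"}:
                return r["target"], f"{name}#{n}"  # e.g. ('REJECT', 'f2b-plesk-wordpress#1')
            if r["target"] not in chains:  # RETURN: leave this chain, resume in the caller
                return None
            if hit := walk(r["target"]):
                return hit
        return None
    return walk("INPUT") or (policies["INPUT"], "INPUT policy")


def report(log_text=ACCESS_LOG, save_text=IPTABLES_SAVE):
    # Per offending IP: attempt count and the rule a new HTTP connection from it would hit.
    rs = parse_iptables_save(save_text)
    return {ip: (n, verdict(rs, ip, dport=80)) for ip, n in wp_login_attempts(log_text).items()}
```

On a live box the equivalent check is `iptables -L INPUT -n -v --line-numbers` (or plain `iptables-save`), and the packet counters that `-v` adds to the DROP/REJECT rules are the definitive answer: if they increment while the log keeps filling, the rule is matching what it is meant to; if they stay at zero, the source address or interface in the rule is not the one the traffic actually carries.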