Chris1
Regular Pleskian
Hello,
Plesk 12.5 Update #5 on CloudLinux 7.1.
It seems that my Plesk firewall isn't working. I've got an attacker trying to brute force into a client's WordPress website:
Code:
78.142.63.72 - - [16/Oct/2015:10:38:50 +1100] "POST /wp-login.php HTTP/1.0" 200 4405 "-" "-"
It isn't being picked up by the Fail2Ban WordPress jail. I've tried putting a custom ban into the Plesk Firewall ("Deny incoming from 78.142.63.72 on all ports"), but the login attempts still continue.
Here is the output from "iptables -L":
Code:
Chain INPUT (policy DROP)
target prot opt source destination
f2b-plesk-wordpress tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-roundcube tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-modsecurity tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-login tcp -- anywhere anywhere multiport dports cddbp-alt,pcsync-https
f2b-plesk-courierimap tcp -- anywhere anywhere multiport dports imap,imap3,imaps,pop3,pop3s
f2b-plesk-dovecot tcp -- anywhere anywhere multiport dports imap,imap3,imaps,pop3,pop3s,sieve
f2b-plesk-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
f2b-plesk-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
f2b-recidive tcp -- anywhere anywhere
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP udp -- server1.agrawebhosting.com anywhere
DROP tcp -- server1.agrawebhosting.com anywhere
ACCEPT udp -- anywhere anywhere udp dpt:snmp
ACCEPT tcp -- anywhere anywhere tcp dpts:65000:65534
ACCEPT tcp -- anywhere anywhere tcp dpt:fjicl-tep-a
DROP tcp -- anywhere anywhere tcp dpt:12443
ACCEPT tcp -- anywhere anywhere tcp dpt:11443
ACCEPT tcp -- anywhere anywhere tcp dpt:11444
ACCEPT tcp -- anywhere anywhere tcp dpt:8447
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:poppassd
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
DROP tcp -- anywhere anywhere tcp dpt:postgres
DROP tcp -- anywhere anywhere tcp dpt:ogs-server
DROP tcp -- anywhere anywhere tcp dpt:glrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-courierimap (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-dovecot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-login (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-modsecurity (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-roundcube (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-wordpress (1 references)
target prot opt source destination
REJECT all -- server1.agrawebhosting.com anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Chain f2b-recidive (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
The reverse name for 78.142.63.72 is server1.agrawebhosting.com and it appears to be blocked in iptables but they still seem to be able to make login attempts every second to my server.
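A quick check worth running on a dump like the one above: iptables evaluates a chain top to bottom, so a source-specific DROP placed below a rule that `iptables -L` shows as a bare `ACCEPT all -- anywhere anywhere` may never be reached. The script below is an added example, not code from the post or from Plesk; it parses the plain `iptables -L` text format and flags such rules. Its sample input is a constructed, trimmed copy of the INPUT chain shown above, and because `-L` without `-v` hides interface matches such as `-i lo`, a flagged rule must still be confirmed with `iptables -L INPUT -n -v --line-numbers` (the pkts counter tells you whether the DROP ever matched).

```python
"""Flag iptables rules that an earlier catch-all ACCEPT may make unreachable."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the INPUT and f2b-plesk-wordpress
# chains from the `iptables -L` output in the post.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
f2b-plesk-wordpress tcp -- anywhere anywhere multiport dports http,https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP udp -- server1.agrawebhosting.com anywhere
DROP tcp -- server1.agrawebhosting.com anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
Chain f2b-plesk-wordpress (1 references)
target prot opt source destination
REJECT all -- server1.agrawebhosting.com anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
"""

@dataclass
class Rule:
    target: str
    prot: str
    source: str
    dest: str
    extra: str  # remaining match text, e.g. "state INVALID" or "tcp dpt:http"

def parse_dump(dump: str) -> dict[str, list[Rule]]:
    """Return {chain name: [rules in order]} from `iptables -L` text output."""
    chains: dict[str, list[Rule]] = {}
    current = ""
    for line in dump.splitlines():
        parts = line.split()
        if not parts or parts[0] == "target":
            continue  # blank line or the column header
        if parts[0] == "Chain":
            current = parts[1]
            chains[current] = []
            continue
        # Columns: target prot opt source destination [match text...]
        chains[current].append(Rule(parts[0], parts[1], parts[3], parts[4], " ".join(parts[5:])))
    return chains

def is_catch_all(rule: Rule) -> bool:
    """True when -L shows no match at all (an -i/-o interface match would be hidden)."""
    return rule.prot == "all" and rule.source == "anywhere" and rule.dest == "anywhere" and not rule.extra

def find_shadowed(dump: str) -> list[tuple[str, int, str]]:
    """(chain, 1-based rule number, target) of each source-specific DROP/REJECT
    that sits below a catch-all ACCEPT in its chain, as --line-numbers would show it."""
    found = []
    for chain, rules in parse_dump(dump).items():
        accept_seen = False
        for num, rule in enumerate(rules, start=1):
            if rule.target == "ACCEPT" and is_catch_all(rule):
                accept_seen = True
            elif accept_seen and rule.target in ("DROP", "REJECT") and rule.source != "anywhere":
                found.append((chain, num, rule.target))
    return found

if __name__ == "__main__":
    for chain, num, target in find_shadowed(SAMPLE):
        print(f"{chain} rule {num} ({target}) sits below a catch-all ACCEPT; verify with -v")
```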