Resolved Problem tuning fail2ban

SalvadorS

Regular Pleskian
Server operating system version: Debian 11
Plesk version and microupdate number: 18.0.61
Hello,

I found a very nice article on the Plesk blog to block bad bots with fail2ban. I have problems with ClaudeBot, which is hitting the server all the time.

The problem is that I have some problems with the article.

First I edited /etc/fail2ban/filter.d/apache-badbots.conf as requested adding the line:

badbots = ClaudeBot|ClaudeBot/1\.0

As I want to block this bot only (as a test)

and then reload:

fail2ban-client reload plesk-apache-badbots

But I have an error:

2024-05-30 17:33:30,944 fail2ban [1464544]: ERROR Failed during configuration: No section: 'plesk-apache-badbots'

If you don't touch anything (on another server) and reload, you receive the same error.

So I checked the file /etc/fail2ban/jail.local again, as the article says, and the section in the file is called:

[plesk-apache-badbot]

And not

[plesk-apache-badbots]

(note the s)

So I added the lines under [plesk-apache-badbot] and restarted:

fail2ban-client reload plesk-apache-badbot

Without an s. All OK now (it seems the article has this error), but when I test the filter:

fail2ban-regex /var/www/vhosts/domain.com/logs/access_ssl_log /etc/fail2ban/filter.d/apache-badbots.conf

The result is:

Lines: 7163 lines, 0 ignored, 0 matched, 7163 missed


So no line is checked...

So I can't block the bot on the server. Any ideas?
 
Yes, you are right. It's exactly what I did and it works!

If someone needs this in the future, this is the filter I used to stop the bot:

[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
badbots = ClaudeBot|ClaudeBot/1\.0|DataForSeoBot/1\.0|claudebot
failregex = ^(?:\[[^\]]*\] )?<ADDR> [^"]*"[^"]*" \d+ \S+ "[^"]*" "[^"]*(?:%(badbots)s|%(badbotscustom)s)[^"]*"$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

I will tune it in the future, but now claudebot is stopped (hundreds of IPs....)
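
The filter posted above, run against constructed access-log lines, as an added example that is not part of the original post. It uses Python's configparser to expand the `%(badbots)s` references and a simplified pattern in place of fail2ban's `<ADDR>` tag; both are stand-in assumptions, as are the function names and the sample lines.

```python
import configparser
import re

# [Definition] section from the post above. datepattern is left out: this
# sketch does not reproduce fail2ban's own timestamp handling.
FILTER = r"""
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
badbots = ClaudeBot|ClaudeBot/1\.0|DataForSeoBot/1\.0|claudebot
failregex = ^(?:\[[^\]]*\] )?<ADDR> [^"]*"[^"]*" \d+ \S+ "[^"]*" "[^"]*(?:%(badbots)s|%(badbotscustom)s)[^"]*"$
"""

# Assumption: simplified stand-in for fail2ban's <ADDR> tag (IPv4 or IPv6 literal).
ADDR = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{3,39})"

def build_failregex(filter_text=FILTER):
    """Expand the %(name)s references and compile the resulting failregex."""
    cp = configparser.ConfigParser()
    cp.read_string(filter_text)
    return re.compile(cp.get("Definition", "failregex").replace("<ADDR>", ADDR))

def banned_ips(lines, rx=None):
    """Return the source address of every line the failregex matches."""
    rx = rx or build_failregex()
    return [m.group("ip") for m in map(rx.search, lines) if m]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    # Combined format, ClaudeBot in the user-agent field: matched.
    '203.0.113.10 - - [30/May/2024:17:33:30 +0200] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"',
    # Ordinary browser: not matched.
    '198.51.100.7 - - [30/May/2024:17:33:31 +0200] "GET /index.php HTTP/1.1" 200 812 '
    '"https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"',
    # The match is case-sensitive; only the spellings listed in badbots count.
    '192.0.2.44 - - [30/May/2024:17:33:32 +0200] "GET /robots.txt HTTP/1.1" 404 196 "-" "CLAUDEBOT"',
    # No referer/user-agent fields: the bot name in the URL alone does not match.
    '203.0.113.99 - - [30/May/2024:17:33:33 +0200] "GET /?q=ClaudeBot HTTP/1.1" 200 10',
    # IPv6 client with another listed bot: matched.
    '2001:db8::5 - - [30/May/2024:17:33:34 +0200] "GET / HTTP/1.1" 200 99 "-" '
    '"Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"',
]

if __name__ == "__main__":
    for ip in banned_ips(SAMPLE):
        print("would ban", ip)
```

On a real server, fail2ban-regex run against the vhost access log, as in the first post, remains the authoritative check.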
 
Hi

I have a Plesk server on which I also have Asterisk VoIP installed. Everything is working. However, I am trying to use fail2ban within Plesk to capture and drop IPs. I have the correct jail, but instead of dropping the IP (DROP) it's just REJECTing them in iptables.

This is my action:
action = iptables-multiport[chain="INPUT", name="default", port="ssh", protocol="tcp", action="DROP", returntype="RETURN", lockingopt="-w"]

Can anyone provide guidance on how I get the action to do this:

iptables -A INPUT -s [IP] -j DROP

It seems that REJECT is not harsh enough.

Thanks in advance,
 
"action = iptables-multiport[chain="INPUT", name="default", port="ssh", protocol="tcp", action="DROP", returntype="RETURN", lockingopt="-w"]"

Since you haven't posted the complete config for that jail, it's difficult to say what else might be wrong, but it's at least not action="DROP" but blocktype="DROP".
 