
Issue UFW turned off and Fail2Ban suddenly completely missing from Plesk Panel -- Very Concerning

regenix

New Pleskian
Server operating system version
Ubuntu 22.04 x64
Plesk version and microupdate number
Plesk Obsidian 18.0.65 Update 1
Logged in after a couple weeks to check my server on the backend and found it this way.
My Plesk Firewall extension was uninstalled, UFW was turned off, and Fail2Ban was missing from Plesk. Is this just an update or something to do with Plesk, or was I hacked?

Seriously, the Fail2Ban and Plesk Firewall were just missing. I did have Juggernaut installed and it had a free trial, but I manually ended that a while ago. Did some kind of misfire of an update happen, or is this malicious interference? I tried enabling UFW and it got deactivated again after a minute. Uninstalled Juggernaut and now it seems to be staying activated. Is Juggernaut known to do this if you go over your free trial period? And what would cause Fail2Ban to stop running and be completely missing from the Plesk Panel?? Including the Plesk Firewall??
 
Also, I went back and looked through my fail2ban log archives and noticed a big amount of IPs were unbanned when they should have been perma-banned. Is this a sign of malicious behavior, or can this happen after a Plesk update that affects fail2ban/security modules? :(
 
I'm including a section of the fail2ban logs from the day it seems like fail2ban went down, if anyone wants to analyze it. It may show evidence of a malicious script taking down my firewall, but I'm not sure. Also, in the auth logs during the same time I see these two lines:

Oct 18 06:33:57 jello useradd[3800320]: new group: name=csf, GID=10001
Oct 18 06:33:57 jello useradd[3800320]: new user: name=csf, UID=10001, GID=10001, home=/home/csf, shell=/bin/false, from=none

GPT thinks this is related to Config Server Firewall, but I don't remember installing that, or doing any work on the server on that day.

What could it mean?

OH, I guess I can't attach text files... ok, here is the fail2ban log file snippet:

The first 10 or so lines are normal operation (la de da de da...):
2024-10-18 04:57:50,239 fail2ban.filter [933]: INFO [ssh] Found 217.170.194.48 - 2024-10-18 04:57:50
2024-10-18 04:57:50,339 fail2ban.actions [933]: NOTICE [ssh] Ban 217.170.194.48
2024-10-18 04:57:50,343 fail2ban.filter [933]: INFO [recidive] Found 217.170.194.48 - 2024-10-18 04:57:50
2024-10-18 05:39:34,255 fail2ban.filter [933]: INFO [ssh] Found 58.96.88.213 - 2024-10-18 05:39:34
2024-10-18 05:39:35,398 fail2ban.filter [933]: INFO [ssh] Found 58.96.88.213 - 2024-10-18 05:39:35
2024-10-18 05:39:35,488 fail2ban.actions [933]: NOTICE [ssh] Ban 58.96.88.213
2024-10-18 05:39:35,495 fail2ban.filter [933]: INFO [recidive] Found 58.96.88.213 - 2024-10-18 05:39:35
2024-10-18 06:12:50,657 fail2ban.filter [933]: INFO [ssh] Found 13.64.193.117 - 2024-10-18 06:12:50
2024-10-18 06:33:07,414 fail2ban.server [933]: INFO Shutdown in progress...
2024-10-18 06:33:07,416 fail2ban.observer [933]: INFO Observer stop ... try to end queue 5 seconds
2024-10-18 06:33:07,437 fail2ban.observer [933]: INFO Observer stopped, 0 events remaining.
2024-10-18 06:33:07,478 fail2ban.server [933]: INFO Stopping all jails
2024-10-18 06:33:07,481 fail2ban.filter [933]: INFO Removed logfile: '/var/log/auth.log'
2024-10-18 06:33:07,481 fail2ban.filter [933]: INFO Removed logfile: '/var/log/fail2ban.log'
2024-10-18 06:33:07,482 fail2ban.filter [933]: ERROR Unable to get failures in /var/log/fail2ban.log
2024-10-18 06:33:07,482 fail2ban.filter [933]: INFO Removed logfile: '/var/log/auth.log'
2024-10-18 06:33:07,496 fail2ban.filter [933]: INFO Removed logfile: '/var/log/maillog'
2024-10-18 06:33:07,496 fail2ban.filter [933]: INFO Removed logfile: '/var/log/maillog'
2024-10-18 06:33:07,496 fail2ban.filter [933]: INFO Removed logfile: '/var/log/plesk-roundcube/errors'
2024-10-18 06:33:07,497 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/error_log'
2024-10-18 06:33:07,497 fail2ban.filter [933]: INFO Removed logfile: '/var/log/apache2/error.log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/proxy_access_ssl_log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/access_ssl_log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/access_log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/proxy_access_log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/log/apache2/access.log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/log/apache2/other_vhosts_access.log'
2024-10-18 06:33:07,512 fail2ban.filter [933]: INFO Removed logfile: '/var/log/plesk/panel.log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/log/modsec_audit.log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/proxy_access_ssl_log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/access_ssl_log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/access_log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/www/vhosts/system/woundxed.com/logs/proxy_access_log'
2024-10-18 06:33:07,513 fail2ban.filter [933]: INFO Removed logfile: '/var/log/apache2/access.log'
2024-10-18 06:33:07,514 fail2ban.filter [933]: INFO Removed logfile: '/var/log/apache2/other_vhosts_access.log'
2024-10-18 06:33:07,537 fail2ban.actions [933]: NOTICE [plesk-postfix] Flush ticket(s) with iptables-multiport
2024-10-18 06:33:07,537 fail2ban.actions [933]: NOTICE [plesk-one-week-ban] Flush ticket(s) with iptables-allports
2024-10-18 06:33:07,538 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Flush ticket(s) with iptables-allports
2024-10-18 06:33:07,556 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Unban 183.81.169.238
2024-10-18 06:33:07,557 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Unban 64.227.156.104
2024-10-18 06:33:07,557 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Unban 60.191.20.210
2024-10-18 06:33:07,618 fail2ban.actions [933]: NOTICE [plesk-dovecot] Flush ticket(s) with iptables-multiport
2024-10-18 06:33:07,620 fail2ban.actions [933]: NOTICE [plesk-apache-badbot] Flush ticket(s) with iptables-multiport-BadBots
2024-10-18 06:33:07,621 fail2ban.actions [933]: NOTICE [plesk-roundcube] Flush ticket(s) with iptables-multiport
2024-10-18 06:33:07,621 fail2ban.actions [933]: NOTICE [plesk-wordpress] Flush ticket(s) with iptables-multiport
2024-10-18 06:33:07,622 fail2ban.actions [933]: NOTICE [plesk-apache] Flush ticket(s) with iptables-multiport-apache
2024-10-18 06:33:07,624 fail2ban.actions [933]: NOTICE [plesk-panel] Flush ticket(s) with iptables-multiport-plesk-login
2024-10-18 06:33:07,680 fail2ban.actions [933]: NOTICE [ssh] Flush ticket(s) with iptables
2024-10-18 06:33:07,701 fail2ban.actions [933]: NOTICE [ssh] Unban 85.221.48.115
2024-10-18 06:33:07,702 fail2ban.actions [933]: NOTICE [ssh] Unban 167.172.190.187
2024-10-18 06:33:07,702 fail2ban.actions [933]: NOTICE [ssh] Unban 64.23.178.20
2024-10-18 06:33:07,703 fail2ban.actions [933]: NOTICE [ssh] Unban 221.229.218.50
2024-10-18 06:33:07,703 fail2ban.actions [933]: NOTICE [ssh] Unban 122.179.128.202
2024-10-18 06:33:07,703 fail2ban.actions [933]: NOTICE [ssh] Unban 206.189.61.144
2024-10-18 06:33:07,703 fail2ban.actions [933]: NOTICE [ssh] Unban 182.70.119.240
. . . and it goes on unbanning every bot
 
The more I'm digging through the logs, the more I'm thinking Plesk system maintenance or some component of Imunify disabled my firewall randomly... and that is completely infuriating if true.
 
Syslogs from right around the time of the Fail2Ban shutdown and flush...

Oct 18 06:32:39 jello systemd[1]: Started Plesk task: Daily Maintenance: LoadCustomizations (task=6975 process=6976 trace=3780978:6712377dd8ad9).
Oct 18 06:32:39 jello systemd[1]: run-plesk-task-6976.service: Deactivated successfully.
Oct 18 06:32:39 jello systemd[1]: Stopped Plesk task: Daily Maintenance: LoadCustomizations (task=6975 process=6976 trace=3780978:6712377dd8ad9).
Oct 18 06:32:39 jello systemd[1]: Started Plesk task: Daily Maintenance: UpdateApsCache (task=6976 process=6977 trace=3780978:6712377dd8ad9).
Oct 18 06:32:39 jello systemd[1]: Started Plesk task: Refresh APS catalog cache (task=6993 process=6978 trace=3793069:67123947d0917).
Oct 18 06:32:39 jello systemd[1]: run-plesk-task-6977.service: Deactivated successfully.
Oct 18 06:32:39 jello systemd[1]: Stopped Plesk task: Daily Maintenance: UpdateApsCache (task=6976 process=6977 trace=3780978:6712377dd8ad9).
Oct 18 06:32:40 jello systemd[1]: Started Plesk task: Daily Maintenance: UpdateApsApplications (task=6977 process=6979 trace=3780978:6712377dd8ad9).
Oct 18 06:32:40 jello systemd[1]: run-plesk-task-6979.service: Deactivated successfully.
Oct 18 06:32:40 jello systemd[1]: Stopped Plesk task: Daily Maintenance: UpdateApsApplications (task=6977 process=6979 trace=3780978:6712377dd8ad9).
Oct 18 06:32:40 jello systemd[1]: Started Plesk task: Daily Maintenance: UpgradeExtensions (task=6978 process=6980 trace=3780978:6712377dd8ad9).
Oct 18 06:32:40 jello systemd[1]: run-plesk-task-6978.service: Deactivated successfully.
Oct 18 06:32:40 jello systemd[1]: Stopped Plesk task: Refresh APS catalog cache (task=6993 process=6978 trace=3793069:67123947d0917).
Oct 18 06:32:47 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6994 process=6981 trace=3793096:671239489ca40).
Oct 18 06:32:48 jello systemd[1]: run-plesk-task-6981.service: Deactivated successfully.
Oct 18 06:32:48 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6994 process=6981 trace=3793096:671239489ca40).
Oct 18 06:32:48 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6995 process=6982 trace=3793096:671239489ca40).
Oct 18 06:32:48 jello crontab[3793348]: (root) LIST (psaadm)
Oct 18 06:32:48 jello systemd[1]: run-plesk-task-6982.service: Deactivated successfully.
Oct 18 06:32:48 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6995 process=6982 trace=3793096:671239489ca40).
Oct 18 06:32:49 jello kernel: [1997434.526129] [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:05:19:23:82:fe:00:05:19:23:82:08:00 SRC=79.110.62.177 DST=144.202.24.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=2945 PROTO=TCP SPT=41625 DPT=22678 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 18 06:32:50 jello postfix/qmgr[2944]: 7A19F100936: from=<redacted>, size=11586, nrcpt=1 (queue active)
Oct 18 06:32:50 jello postfix/qmgr[2944]: A5A17FF8FE: from=<redacted>, size=11886, nrcpt=1 (queue active)
Oct 18 06:32:53 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6996 process=6983 trace=3793096:671239489ca40).
Oct 18 06:32:53 jello systemd[1]: run-plesk-task-6983.service: Deactivated successfully.
Oct 18 06:32:53 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6996 process=6983 trace=3793096:671239489ca40).
Oct 18 06:32:54 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6997 process=6984 trace=3793096:671239489ca40).
Oct 18 06:32:54 jello crontab[3793600]: (root) LIST (psaadm)
Oct 18 06:32:54 jello systemd[1]: run-plesk-task-6984.service: Deactivated successfully.
Oct 18 06:32:54 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '9' (task=6997 process=6984 trace=3793096:671239489ca40).
Oct 18 06:32:55 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '28' (task=6998 process=6985 trace=3793096:671239489ca40).
Oct 18 06:32:56 jello systemd[1]: run-plesk-task-6985.service: Deactivated successfully.
Oct 18 06:32:56 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '28' (task=6998 process=6985 trace=3793096:671239489ca40).
Oct 18 06:32:56 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '28' (task=6999 process=6986 trace=3793096:671239489ca40).
Oct 18 06:32:56 jello systemd[1]: Created slice Slice /imunify_install.
Oct 18 06:32:56 jello systemd[1]: Started /usr/local/psa/admin/sbin/modules/imunify360/imav-deploy.sh -y --force.
Oct 18 06:32:56 jello systemd[1]: run-plesk-task-6986.service: Deactivated successfully.
Oct 18 06:32:56 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '28' (task=6999 process=6986 trace=3793096:671239489ca40).
Oct 18 06:32:56 jello systemd[1]: run-u615.service: Main process exited, code=exited, status=1/FAILURE
Oct 18 06:32:56 jello systemd[1]: run-u615.service: Failed with result 'exit-code'.
Oct 18 06:33:01 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '31' (task=7000 process=6987 trace=3793096:671239489ca40).
Oct 18 06:33:01 jello systemd[1]: Started Plesk task: ext-juggernaut-task_install (task=7002 process=6988 trace=3794064:6712395d82bc3).
Oct 18 06:33:01 jello CRON[3794086]: (root) CMD (/usr/sbin/imunify-notifier -update-cron)
Oct 18 06:33:01 jello CRON[3794088]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/revisium-antivirus/scripts/ra_executor_run.php')
Oct 18 06:33:01 jello CRON[3794089]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/log-browser/scripts/parse-logs.php')
Oct 18 06:33:01 jello systemd[1]: run-plesk-task-6987.service: Deactivated successfully.
Oct 18 06:33:01 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '31' (task=7000 process=6987 trace=3793096:671239489ca40).
Oct 18 06:33:01 jello systemd[1]: Started Plesk task: Event 'extension_upgrade' for object with ID '31' (task=7001 process=6989 trace=3793096:671239489ca40).
Oct 18 06:33:02 jello systemd[1]: run-plesk-task-6989.service: Deactivated successfully.
Oct 18 06:33:02 jello systemd[1]: Stopped Plesk task: Event 'extension_upgrade' for object with ID '31' (task=7001 process=6989 trace=3793096:671239489ca40).
Oct 18 06:33:02 jello systemd[1]: Started Plesk task: ext-log-browser-parse-maillog (task=7003 process=6990 trace=3794091:6712395ede469).
Oct 18 06:33:03 jello systemd[1]: run-plesk-task-6980.service: Deactivated successfully.
Oct 18 06:33:03 jello systemd[1]: Stopped Plesk task: Daily Maintenance: UpgradeExtensions (task=6978 process=6980 trace=3780978:6712377dd8ad9).
Oct 18 06:33:03 jello systemd[1]: run-plesk-task-6980.service: Consumed 10.909s CPU time.
Oct 18 06:33:03 jello systemd[1]: Started Plesk task: Daily Maintenance: ExecuteGlCleaner (task=6979 process=6991 trace=3780978:6712377dd8ad9).
Oct 18 06:33:03 jello systemd[1]: run-plesk-task-6991.service: Deactivated successfully.
Oct 18 06:33:03 jello systemd[1]: Stopped Plesk task: Daily Maintenance: ExecuteGlCleaner (task=6979 process=6991 trace=3780978:6712377dd8ad9).
Oct 18 06:33:03 jello systemd[1]: Started Plesk task: Daily Maintenance: StoreProtectedConfigs (task=6980 process=6992 trace=3780978:6712377dd8ad9).
Oct 18 06:33:04 jello systemd[1]: run-plesk-task-6992.service: Deactivated successfully.
Oct 18 06:33:04 jello systemd[1]: Stopped Plesk task: Daily Maintenance: StoreProtectedConfigs (task=6980 process=6992 trace=3780978:6712377dd8ad9).
Oct 18 06:33:04 jello systemd[1]: Started Plesk task: Daily Maintenance: ExecuteWebStatistics (task=6981 process=6993 trace=3780978:6712377dd8ad9).
Oct 18 06:33:07 jello systemd[1]: Stopping Fail2Ban Service...
Oct 18 06:33:08 jello fail2ban-client[3794367]: Shutdown successful
Oct 18 06:33:08 jello systemd[1]: fail2ban.service: Deactivated successfully.
Oct 18 06:33:08 jello systemd[1]: Stopped Fail2Ban Service.
Oct 18 06:33:08 jello systemd[1]: fail2ban.service: Consumed 1h 32.001s CPU time.
Oct 18 06:33:08 jello systemd[1]: Reloading.
Oct 18 06:33:08 jello systemd[1]: Configuration file /run/systemd/system/netplan-ovs-cleanup.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 18 06:33:08 jello systemd[1]: /lib/systemd/system/snapd.service:23: Unknown key name 'RestartMode' in section 'Service', ignoring.
Oct 18 06:33:08 jello systemd[1]: /etc/systemd/system/denyhosts.service:8: Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
Oct 18 06:33:08 jello systemd[1]: Configuration file /lib/systemd/system/aibolit-resident.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 18 06:33:09 jello systemd[1]: Starting Refresh fwupd metadata and update motd...
Oct 18 06:33:09 jello dbus-daemon[839]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.617' (uid=112 pid=3794444 comm="/usr/bin/fwupdmgr refresh " label="unconfined")
 
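One way to triage what the logs above show, as an added example that is not from the post, from Plesk or from any of the extensions named in it: a small Python script (an assumed helper, not a Plesk tool) that parses excerpts of the quoted fail2ban log, syslog and auth.log, finds each fail2ban shutdown, counts which jails were flushed (a flushed permanent-ban jail means those bans are gone from iptables until the service is back and re-bans them), and lists what systemd started in the minute before it plus any account created around that time. The log excerpts are constructed from lines quoted in the post; the 60-second window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed excerpts of the fail2ban log, syslog and auth.log lines quoted in the post.
F2B_LOG = """\
2024-10-18 06:33:07,414 fail2ban.server [933]: INFO Shutdown in progress...
2024-10-18 06:33:07,538 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Flush ticket(s) with iptables-allports
2024-10-18 06:33:07,556 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Unban 183.81.169.238
2024-10-18 06:33:07,557 fail2ban.actions [933]: NOTICE [plesk-permanent-ban] Unban 64.227.156.104
2024-10-18 06:33:07,701 fail2ban.actions [933]: NOTICE [ssh] Unban 85.221.48.115
"""
SYSLOG = """\
Oct 18 06:32:40 jello systemd[1]: Started Plesk task: Daily Maintenance: UpgradeExtensions (task=6978 process=6980 trace=3780978:6712377dd8ad9).
Oct 18 06:32:56 jello systemd[1]: Started /usr/local/psa/admin/sbin/modules/imunify360/imav-deploy.sh -y --force.
Oct 18 06:33:07 jello systemd[1]: Stopping Fail2Ban Service...
Oct 18 06:33:57 jello useradd[3800320]: new user: name=csf, UID=10001, GID=10001, home=/home/csf, shell=/bin/false, from=none
"""

# fail2ban: "<date> <time>,<ms> fail2ban.<comp> [<pid>]: <LEVEL> [<jail>] <msg>" (jail optional)
F2B_RE = re.compile(r"^(\S+ \S+?),\d+ fail2ban\.\w+\s+\[\d+\]: \w+\s+(?:\[([\w-]+)\] )?(.*)$")
F2B_TS = "%Y-%m-%d %H:%M:%S"
# syslog/auth.log: "<Mon> <day> <time> <host> <prog>[<pid>]: <msg>" (no year; caller supplies it)
SYS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
SYS_TS = "%Y %b %d %H:%M:%S"


def parse_log(text, regex, ts_format, ts_prefix=""):
    """Return (timestamp, group2, group3) for each line the regex matches; for fail2ban
    group2 is the jail (or None), for syslog it is the program name."""
    out = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            out.append((datetime.strptime(ts_prefix + m.group(1), ts_format), m.group(2), m.group(3)))
    return out


def analyse(f2b_text, sys_text, year=2024, window=timedelta(seconds=60)):
    """Per fail2ban shutdown: unbans per jail, systemd activity just before it, accounts created
    around it. A flushed *permanent* jail is the finding to escalate, whatever caused the stop."""
    f2b = parse_log(f2b_text, F2B_RE, F2B_TS)
    sysl = parse_log(sys_text, SYS_RE, SYS_TS, f"{year} ")  # syslog lines carry no year
    findings = []
    for t0 in (ts for ts, _, msg in f2b if msg.startswith("Shutdown in progress")):
        unbans = Counter(j for ts, j, msg in f2b if j and msg.startswith("Unban ") and t0 <= ts <= t0 + window)
        accounts = [re.search(r"name=(\w+)", msg).group(1) for ts, prog, msg in sysl
                    if prog == "useradd" and msg.startswith("new user") and abs(ts - t0) <= window]
        findings.append({
            "when": t0.isoformat(),
            "unbans": dict(unbans),
            "permanent_jails_flushed": sorted(j for j in unbans if "permanent" in j),
            "preceding_systemd": [msg for ts, prog, msg in sysl if prog == "systemd" and t0 - window <= ts <= t0],
            "new_accounts": accounts,
        })
    return findings
```

Run against the full /var/log/fail2ban.log and /var/log/syslog (plus auth.log) instead of the excerpts to see every shutdown on the box, not just the one on Oct 18.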