Resolved WordPress + Fail2Ban... strange behavior with a error status of 403

[MicheleB]

Hello,
I had a WordPress installation that every time the users opened in their browsers, after 5 pages/click (Fail2Ban settings) Fail2Ban blocked their IP (jail used: plesk-apache).

In the browser's inspection panel I found an error, status of 403 (Forbidden) for a single file ([http://www.website.com/wp-content/themes/starter/quick-style.php]).

I've removed this 403 error and the website returned to works good, without more IP blacklist.

My question is... is it a normal behavior that Fail2Ban block an IP for a 403 error?

Thanks.

 

[UFHH01]

Hi MicheleB,

My question is... is it a normal behavior that Fail2Ban block an IP for a 403 error?

Yes, if you apply the filter, to avoid brute-force login attempts, then this behaviour is absolutely as expected. Pls. consider to investigate the filter - regex for the specific filter ( in your case: "/etc/fail2ban/filter.d/plesk-apache.conf" ), to verify for yourself, why the filter is blocking IPs.

 

[MicheleB]

Ok, thanks.

I've tried to investigate the filter but I didn't find the file "/etc/fail2ban/filter.d/plesk-apache.conf".

 

[UFHH01]

Hi MicheleB,

my suggestion might be misleading, because I just guessed the filter - name from your error message. Pls. have a look at your "/etc/fail2ban/jail.d/plesk.conf" or "jail.local" configuration file, to identify your correct filter name:

Example:

...
# HTTP servers
[plesk-apache]

enabled = false
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
filter = apache-auth
logpath = /var/www/vhosts/system/*/logs/error_log
/var/log/apache2/*error.log
/var/www/vhosts/system/*/logs/*access*log
/var/log/apache2/*access.log
maxretry = 6

 

[MicheleB]

Ok!