Plesk 12.x / Linux :: Fail2ban Default Blocking Port
Feb 11, 2015
i'm running 12.0.18#34 on PCS dedicated server. i recently discovered that some of the default jails on fail2ban that is shipped with Plesk 12 were not working correctly. Let me explain what i mean. For instance, the plesk-panel jail. The logs were parsed correctly, the command was successfully appended in iptables list, the fail2ban log was updated. Still, the intruder was not blocked. I kept reading "already banned" on the fail2ban.log but actually there was no blocking.
After some checks, i found out that fail2ban default configuration states SSH as default blocking port.
that means, the block was working but only for ssh hits. thus the plesk-panel admin page hits were passing through.
since i added port=http,https on jail.local > plesk-panel and did it a restart on fail2ban service, only then did it start to actually block incoming hits.
I think this should be verified by programmers group and maybe include a fix in some future minor update.
From some reasons, plesk is blocking incoming 25 port (in plesk shows opened, but it's not)My emails are delivered trough port 25, after doing some tests ( i've sent some emails to an email account hosted in the server) there was no email in the roundcube inbox! All emails were blocked...
a) Firewall was blocking the port 25 on server restart. b) I have succesfully unblocked it from plesk manager -> tools -> edit/change -> even if i didn't change anything, i saved the "changes" and in my roundcube inbox i recived all the test emails. c) In /var/log/maillog there is no error.
2. Passive FTP gets blocked in the same way, to successfully connect FireFTP on passive mode i need to repeat 1.b steps even if i've created a special rule to prevent the blocking, opening 49152-65534 ports and set PassivePorts 49152 65534 in /etc/proftpd.conf
The issue appears randomly, because in the last 5 days i didn´t restart the server, the last time i checked it worked. Today, without touching anything, firewall blocked my passive FTP and I had probmels reciving emails from gmail, yahoo etc...
I have a Windows VPS with Plesk panel. Windows Server 2008 R2 with plesk panel version 11.5.30.
I tried to change the default plesk panel port (8443) to eg (1234) without any success.
The steps i followed are the following: 1) Firewall -> Inbound rule -> allow for port 1234 2) Firewall, Disable inbound rule for port 8443 3) IIS, PleskControlPanel, Bindings: changed binding from 8443 to 1234.
Now i type on browser: [URL] .... and while its loading after some seconds redirects me to [URL] ...
So on our server, fail2ban got itself in a mess. Tried various things to fix, to no avail, so figured I'd just do a fresh install of it. There was minimal customisation to it that I couldn't re-do.
Note I'd already rm'd /etc/fail2ban - as on previous attempts, the files in here didn't appear to be restored to their defaults. So I figured removing the directory would force this to happen (Whether this was wise I'm not sure!) ;-)
So, following instructions here: [URL] .... I now get the following:
# wget http://kb.sp.parallels.com/Attachments/kcs-36245/fail2ban.gz # gunzip fail2ban.gz # mv fail2ban /etc/init.d/fail2ban # chmod 755 /etc/init.d/fail2ban # ll /etc/init.d/fail2ban /etc/fail2ban/fail2ban.conf ls: cannot access /etc/fail2ban/fail2ban.conf: No such file or directory -rwxr-xr-x 1 root root 2141 Aug 15 2014 /etc/init.d/fail2ban
I then uninstall/reinstall with # /usr/local/psa/admin/bin/autoinstaller
(Have tried via the web interface too)
I then get:
# ll /etc/init.d/fail2ban /etc/fail2ban/fail2ban.conf ls: cannot access /etc/fail2ban/fail2ban.conf: No such file or directory -rwxr-xr-x 1 root root 2141 Aug 15 2014 /etc/init.d/fail2ban
i.e., no change..
and if I go to the fail2ban settings in Plesk, I get:
If I go in plesk panel to: Home > Tools & Settings >IP Address Banning > Jails > managing Filters > add filter > type in name & filtercontent and save I get "Information: The jail filter was added". But i can not see the new added filter in the Plesk Filter List (still just the 12 Filters in the list).
On the filesystem > /etc/fail2ban/filter.d/ i can see the new file but with the extension .local - usulay the file is named like xyz.conf
The output of /usr/local/psa/admin/sbin/f2bmng --get-filters-list
Well with activated apache-badbots jails I have in a short time a hugh amount of banned IPs. Usualy action for this is to use iptables-ipset-proto and save all this baned IPs in the ipset insteed as normal in the iptables list - thats also a suggestion which was discussed in the fail2ban forum for better performance. And yes I had this running (ipset package installed) with my manual installation of fail2ban before I switched over to the plesk integrated.
action = iptables-ipset-proto6[name=BadBots, port="http,https,7080,7081"] insteed of action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
So how can I add iptables-ipset-proto4.conf, iptables-ipset-proto6-allports.conf, iptables-ipset-proto6.conf to the plesk version of fail2ban??
I have the problem that the ip blocked "failban" too short (set findtime=1800).
The ip should be blocked for 30 minutes (the second time).
2015-03-23 22:24:59,779 fail2ban.filter : INFO Set maxRetry = 5 2015-03-23 22:24:59,780 fail2ban.filter : INFO Set findtime = 1800 2015-03-23 22:24:59,781 fail2ban.actions: INFO Set banTime = 600
After changing website domain name (from development one -dev-domain.com- to production one) we have this error in fail2ban.log :
2015-02-01 06:46:41,176 fail2ban.filter : ERROR Unable to open /var/www/vhosts/system/dev-domain.com/logs/proxy_access_log 2015-02-01 06:46:41,176 fail2ban.filter : ERROR [Errno 2] No such file or directory: '/var/www/vhosts/system/dev-domain.com/logs/proxy_access_log' Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/server/filter.py", line 520, in getFailures has_content = container.open() File "/usr/lib/python2.7/dist-packages/server/filter.py", line 601, in open self.__handler = open(self.__filename) IOError: [Errno 2] No such file or directory: '/var/www/vhosts/system/dev-domain.com/logs/proxy_access_log'
I have updated from 11.5 to 12.0 mostly in order to use Fail2Ban.
I have also installed a new Plesk 12 license key to make sure that the license allows Fail2Ban. It says now that Fail2Ban is "On". But I can not find the menu entry to get to the Fail2Ban configuration. It is simply not there... (it is supposed to be in the Securitiy menu in the Tools and Settings section...)
Fehler: f2bmng failed: Job for fail2ban.service failed. See 'systemctl status fail2ban.service' and 'journalctl -xn' for details. ERROR:f2bmng:Failed to start fail2ban service
-- Unit fail2ban.service has failed. -- -- The result is failed.
Aug 20 14:22:13 noreply.flusiserver.de systemd: Unit fail2ban.service entered failed state. Aug 20 14:22:14 noreply.flusiserver.de agetty: /dev/hvc0: No such file or directoryClick to expand...
There is a strange problem with the new feature fail2ban. I have noticed that a local ip address (ip address from the webserver itself) was added to the blocked ip addresses of fail2ban now for the second time. What I can see is that it was the recidive jail.
If there is nginx used as reverse proxy you get a "502 Bad Gateway". Any way to find out more about the reason why an ip address is added to the list of blocked ip addresses in fail2ban?
we use CentOS Linux 7.0.1406 (Core) Plesk Version 12.0.18 Update #26 I got reports of several users on my system, and i can confirm this myself, that fail2ban is blocking courier imap and postfix connections when i try to connect to the Plesk Server with Outlook 2013 and theBat and the Apple Mac Mail Client.
I used the correct login information but fail2ban blocked the IPs for no obvious reason:
2014-12-03 12:46:57,908 fail2ban.actions: WARNING [plesk-postfix] Ban 184.108.40.206 2014-12-03 12:46:58,049 fail2ban.actions: WARNING [plesk-courierimap] Ban 220.127.116.11 I disabled the two jails now and it works perfectly. But why is fail2ban blocking valid requests ? I tried it myself and i did not enter a wrong password or something. MaxRetry is 5 so this should not be a problem. The problem is not affecting all users but just a few. However all of them are using correct credentials so i dont understand why they are being blocked at all.
I am not able to enable the recidive jail in Fail2Ban. I get the following error:
Code: Unable to switch on the selected jails: f2bmng failed: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: '' ERROR No file(s) found for glob /var/log/fail2ban.log ERROR Failed during configuration: Have not found any log file for recidive jail ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'recidive']' returned non-zero exit status 255 ERROR:f2bmng:Failed to reload following jails due to errors in configuration: recidive . There is indeed no /var/log/fail2ban.log, but I doubt that manually creating it will correctly fix this problem.
The problem is also discussed @ [URL] ...., but in my case I have not switched on jails before switching on fail2ban. Also, the given resolution does not work.