Plesk 12.x / Linux :: How To Setup Fail2ban For Admin Access
Feb 3, 2015
I have just looked at the plesk panel log - /usr/local/psa/admin/logs/panel.log - and seen an alarming number of attempts to access plesk using the admin user. i.e.
[2015-02-02 14:53:46] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 50.62.148.176
I have fail2ban installed and set up for other things...
Is there any way to give a reseller or customer access to the php custom settings box labeled "Additional configuration directives" on the website & domains -> php settings button that an admin can see and alter? We have attempted to give resellers the "Common PHP settings management" and "Setup of potentially insecure web scripting options that override provider's policy" options, but it still does not show up to a reseller.
I have a rented VPS with 2TB of disk space and a plesk license in order to host the sites that i develop and my sites, and found myself with around 1.8TB of free space, plesk samba management and plesk vpn management but with few missing pieces for my idea. My idea was to setup vpn tunneling between my laptop and desktop to plesk server and access samba share from the server like they were in my LAN.In the firewall I have opened only the classic mail and web ports (obviously plesk access too).
We have a windows 2008 server x64 running plesk 8.6. We created a user with complete access and under that user we created a nuke evolution website. Install appears flawless. We can even continue with admin configuration within nuke with admin.php.
However once you log out you are unable to log back in to admin.php, you get a 404 Not found error. I've checked out the permissions through plesk but they appear to be ok,
Windows Server 2012r2 Plesk Panel 12.0.18 Update #36, last updated at Feb 20, 2015
my server running version 12 on win server 2012r2 of the panel. Sometime in the last few days something has changed and I can no longer load the Admin panel on ip:8443.
I can access the panel by using remote desktop into my server and loading it locally.
I also can not connect to the server using the mobile manager app or via telnet. If I disable the firewall in the Plesk panel it works fine so I checked my firewall but incoming on 8443 is allowed. It seems the firewall is blocking ports that were previously open as I can't remote access my MS SQL server either without switching the firewall off.
The only change I'm aware of since I last used the panel is the update #36 install. Not sure where to look next?
Health Monitor Module is installed and running on server, but not visible under Server Administration Panel > Home > Server Health on Plesk Panel 11.0.9 update #7. Is there a trick to configuring home to show it and/or a direct way to launch view of server health?
So on our server, fail2ban got itself in a mess. Tried various things to fix, to no avail, so figured I'd just do a fresh install of it. There was minimal customisation to it that I couldn't re-do.
Note I'd already rm'd /etc/fail2ban - as on previous attempts, the files in here didn't appear to be restored to their defaults. So I figured removing the directory would force this to happen (Whether this was wise I'm not sure!) ;-)
So, following instructions here: [URL] .... I now get the following:
# wget http://kb.sp.parallels.com/Attachments/kcs-36245/fail2ban.gz # gunzip fail2ban.gz # mv fail2ban /etc/init.d/fail2ban # chmod 755 /etc/init.d/fail2ban # ll /etc/init.d/fail2ban /etc/fail2ban/fail2ban.conf ls: cannot access /etc/fail2ban/fail2ban.conf: No such file or directory -rwxr-xr-x 1 root root 2141 Aug 15 2014 /etc/init.d/fail2ban
I then uninstall/reinstall with # /usr/local/psa/admin/bin/autoinstaller
(Have tried via the web interface too)
I then get:
# ll /etc/init.d/fail2ban /etc/fail2ban/fail2ban.conf ls: cannot access /etc/fail2ban/fail2ban.conf: No such file or directory -rwxr-xr-x 1 root root 2141 Aug 15 2014 /etc/init.d/fail2ban
i.e., no change..
and if I go to the fail2ban settings in Plesk, I get:
If I go in plesk panel to: Home > Tools & Settings >IP Address Banning > Jails > managing Filters > add filter > type in name & filtercontent and save I get "Information: The jail filter was added". But i can not see the new added filter in the Plesk Filter List (still just the 12 Filters in the list).
On the filesystem > /etc/fail2ban/filter.d/ i can see the new file but with the extension .local - usulay the file is named like xyz.conf
The output of /usr/local/psa/admin/sbin/f2bmng --get-filters-list
Well with activated apache-badbots jails I have in a short time a hugh amount of banned IPs. Usualy action for this is to use iptables-ipset-proto and save all this baned IPs in the ipset insteed as normal in the iptables list - thats also a suggestion which was discussed in the fail2ban forum for better performance. And yes I had this running (ipset package installed) with my manual installation of fail2ban before I switched over to the plesk integrated.
action = iptables-ipset-proto6[name=BadBots, port="http,https,7080,7081"] insteed of action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
So how can I add iptables-ipset-proto4.conf, iptables-ipset-proto6-allports.conf, iptables-ipset-proto6.conf to the plesk version of fail2ban??
We have Panel Plesk 11.5.30 in Windows 2008 R2. when you go to File Sharing in all the Subscriptions, appears this error: Internal error: Unable to access File Sharing repository with the system user name "admin": wrong username or password
This happen since we do the update to the new version 11.5.30 ...
I have the problem that the ip blocked "failban" too short (set findtime=1800).
The ip should be blocked for 30 minutes (the second time).
2015-03-23 22:24:59,779 fail2ban.filter [2807]: INFO Set maxRetry = 5 2015-03-23 22:24:59,780 fail2ban.filter [2807]: INFO Set findtime = 1800 2015-03-23 22:24:59,781 fail2ban.actions[2807]: INFO Set banTime = 600
I would find an easy way to add a list of IP in Fail2ban whitelist in linux console.What is the file to modify ? Is there a command line or a process ?
12.0.18 Update #46, last updated at May 15, 2015 03:57 AM
Just recently (after update #46) Fail2Ban stopped working and I couldn't restart it or pin point the reason behind it. I decided to uninstall F2B component via Plesk installer.
F2B uninstalled however when I try to install it again I get error : 'Installation will not continue'
Where to start and where can I find log files that could give me some clues?
I installed fail2ban via the autoinstaller today. I got a failed install. There is no /etc/init.d/fail2ban file, and no /usr/bin/fail2ban-server.
On the other hand yum-search tells me it's installed:
plesk-fail2ban-configurator.noarch : plesk-specific jails and filters for fail2ban fail2ban.noarch : Scan logfiles and ban ip addresses with too many password failures​
I tried to remove it in autoinstaller:
Installing packages Loaded plugins: fastestmirror, priorities Running rpm_check_debug Error in PREUN scriptlet in rpm package fail2ban
After changing website domain name (from development one -dev-domain.com- to production one) we have this error in fail2ban.log :
2015-02-01 06:46:41,176 fail2ban.filter [2848]: ERROR Unable to open /var/www/vhosts/system/dev-domain.com/logs/proxy_access_log 2015-02-01 06:46:41,176 fail2ban.filter [2848]: ERROR [Errno 2] No such file or directory: '/var/www/vhosts/system/dev-domain.com/logs/proxy_access_log' Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/server/filter.py", line 520, in getFailures has_content = container.open() File "/usr/lib/python2.7/dist-packages/server/filter.py", line 601, in open self.__handler = open(self.__filename) IOError: [Errno 2] No such file or directory: '/var/www/vhosts/system/dev-domain.com/logs/proxy_access_log'
i'm running 12.0.18#34 on PCS dedicated server. i recently discovered that some of the default jails on fail2ban that is shipped with Plesk 12 were not working correctly. Let me explain what i mean. For instance, the plesk-panel jail. The logs were parsed correctly, the command was successfully appended in iptables list, the fail2ban log was updated. Still, the intruder was not blocked. I kept reading "already banned" on the fail2ban.log but actually there was no blocking.
After some checks, i found out that fail2ban default configuration states SSH as default blocking port. that means, the block was working but only for ssh hits. thus the plesk-panel admin page hits were passing through.
since i added port=http,https on jail.local > plesk-panel and did it a restart on fail2ban service, only then did it start to actually block incoming hits.
I think this should be verified by programmers group and maybe include a fix in some future minor update.
I have updated from 11.5 to 12.0 mostly in order to use Fail2Ban.
I have also installed a new Plesk 12 license key to make sure that the license allows Fail2Ban. It says now that Fail2Ban is "On". But I can not find the menu entry to get to the Fail2Ban configuration. It is simply not there... (it is supposed to be in the Securitiy menu in the Tools and Settings section...)
In Fail2ban (great idea to include it in plesk!) settings you can set "Time interval for detection of subsequent attacks" (findtime) in general. But it would be interesting this setting per Jail.
You could have 2 jail with same filter but different findtime. Example:
Jail 1) 5 failures in 600 seconds: 1800 seconds ban Jail 2) 30 failures in 86400 seconds: 604800 seconds ban
There are bots that detect if you have some protection fail2ban or similar and it will adapt, login attempt every 300 seconds for example. Jail 1 no detect this attack, but Jail 2 yes.
See the example, live time : [root@--------- log]# cat /var/log/maillog | grep 'warning: ---------' Jul 14 07:10:54 --------- postfix/smtpd[5482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure Jul 14 07:54:16 --------- postfix/smtpd[4782]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Fehler: f2bmng failed: Job for fail2ban.service failed. See 'systemctl status fail2ban.service' and 'journalctl -xn' for details. ERROR:f2bmng:Failed to start fail2ban service
-- Unit fail2ban.service has failed. -- -- The result is failed.
Aug 20 14:22:13 noreply.flusiserver.de systemd[1]: Unit fail2ban.service entered failed state. Aug 20 14:22:14 noreply.flusiserver.de agetty[14140]: /dev/hvc0: No such file or directoryClick to expand...
I'm just wondering how I can start logging activity in Fail2Ban. I've got the following line in the "logs" tab in "IP Address Banning" in the Plesk UI:
/var/log/fail2ban.log
However when I check this it states "The file is empty".
I'm assuming there will be a setting somewhere that tells fail2ban to log to that file but I'm not sure where/what it is?
I know for sure that I've had IP's banned but they just don't appear to be logged.
I'm getting the following attempts every few minutes, I'd to put a stop to it with Fail2Ban but so far I've been unsuccessful. I get no IP bans in the Fail2Ban panel in Plesk 12.