Fail2Ban Jails Management
Advanced users might also be interested in configuring the way the so-called Fail2Ban jails are used to block IP addresses. A Fail2Ban jail is a combination of a filter and one or several actions. A filter defines a regular expression that matches a pattern corresponding to a failed login attempt or another suspicious activity. Actions define commands that are executed when the filter catches an abusive IP address.
In Plesk, there are preconfigured jails for all hosting services (web server, mail server, FTP server). Most of them work in the same way: they detect failed login attempts and block access to the service for ten minutes. These jails require special explanation:
-
plesk-apache-badbotlooks for email grabbers and vulnerability scanners in Apache’s access log files. The ban lasts for two days. -
plesk-hordeandplesk-roundcubedetect webmail login failures and block access to a web service for 10 minutes. -
recidivelooks for other jails' bans in Fail2Ban's own log. It blocks hosts that have received a ban from other jails five times in the last 10 minutes. The ban lasts a week and applies to all services on the server. -
plesk-modsecuritybans the IP addresses detected as harmful by the ModSecurity Web Application Firewall. The jail can only be activated if ModSecurity is already running, and will ban attackers even if ModSecurity is operating in the "Detection only" mode. The ban lasts for 10 minutes.
Preconfigured jails for non-installed Plesk components are not shown in the list. For example, if RoundCube webmail is not installed, the plesk-roundcube jail is not shown in the list of available jails.
To protect your services from specific threats, as well as to protect third-party services that are not shipped with Plesk, you might want to set up your own jails, switch them on and off, update jail settings, and add filters that can be used by jails.
Note: Jails shipped with Plesk cannot be removed, you can only deactivate them. However, you can remove jails that you added yourself.
Only jails for installed Plesk components are shown in Plesk. For example, if the qmail mail server is not installed, the qmail jail is hidden.
If you try to switch on several jails at once with a group Switch On operation and one of the jails fails to start, then all the jails will not be started. In this case, switch on the jails one by one.
To set up a new jail:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails > Add Jail.
- Specify the jail settings.
You can use the following filters already set up in Plesk:
- apache-auth, for Apache authorization failures
- apache-badbots, for spam bots and bad web crawlers
- courierlogin, for Courier IMAP and POP3 authentication failures
- dovecot, for Dovecot IMAP, POP3, and Sieve authentication failures
- plesk-horde, for Horde webmail authentication failures
- plesk-panel, for Plesk authentication failures
- plesk-qmail, for QMail SMTP authentication failures
- plesk-roundcube, for Roundcube webmail authentication failures
- postfix-sasl, for Postfix SMTP and SASL authentication failures
- proftpd, for ProFTPD login failures
- recidive, for hosts repeatedly banned by Fail2Ban
- sshd, for SSH login failures
You can use the following actions, which are already set up in Plesk:
- iptables, to ban IP addresses via iptables firewall, on a single port
- iptables-allports, to ban IP addresses via iptables firewall, on all ports
- iptables-multiport, to ban IP addresses via iptables firewall, on multiple ports
- sendmail, to send email notification via sendmail
To add a filter that can be used by a jail:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails > Manage Filters > Add Filter.
- Specify the filter name and the regular expression used to match the lines of log files. For details about Fail2Ban filters, refer to Fail2Ban documentation at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters. As Fail2Ban is a Python application, for details about Python regular expressions, refer to Python documentation at https://docs.python.org/2/library/re.html.