Fail2Ban in your Plesk

Brute-force login attacks are common nowadays. Any service whose port is open to the internet is exposed to such attempts to gain access. A strong password reduces your risk, but it does not stop the attempts themselves.

The only way to stop them completely is to limit or restrict access to certain IP addresses, which is rarely possible for an email service. Fail2Ban can reduce and stop such attempts, but in some situations it can also block a genuine user from accessing the service. However, if you understand the module and fine-tune it, false positives can be reduced.

Today we take a look at this module, which many Plesk users neglect. One reason it is not widely adopted is that it is not set up by default.

If you do not see this module in your Plesk under 'Tools & Settings', you can install it from 'Updates and Upgrades', further down the Plesk screen. The module appears after it has been installed successfully; you will likely have to log in again to see it.

Once it is installed, we need to configure and turn on the module. I recommend placing your current IP address in the trusted IP section, so that you are not accidentally blocked after you switch the module on.

Next, we tell the module which services should be protected by Fail2Ban. You might not need all of them, but the important ones are ssh, Plesk-proftpd, Plesk-panel, Plesk-postfix & Plesk-dovecot; in our observation these are the common services that receive the most brute-force attacks. After you have decided which services to protect, switch them on and make sure they are active.

The final step is the settings. Define how long you want to ban an IP, and how many failed logins within what interval will trigger the ban. The default is 5 failed logins within 10 minutes, with a 10-minute ban if that is violated. I feel the ban period can be longer; 3600 seconds is an hour. Lastly, we check the box to Enable intrusion detection and apply.

Congratulations, we have set up Fail2Ban on Plesk.


Many failed logins in your logs?

Recently you may have noticed many failed login transactions in your logs, for account names you have never even seen before.

As long as your servers are connected to the internet, you are bound to see these failed login transactions, known as brute-force attacks. This type of attack usually targets a default port, or a port used by your users on which you cannot apply any restriction, or only minimal restriction.

Which ports do you see targeted most often? Port 22 for remote SSH; ports 25, 110, 143 & 587 for email; ports 8880 & 8443 used by Plesk; ports 2082, 2083, 2086, 2087, 2092 & 2093 used by cPanel; port 21 for FTP; and ports 80 & 443 for the web server. A port like 22, used by SSH, can be changed to another port number to avoid such attempts, and we encourage you to do that.

However, most ports you cannot change, as they are the well-known defaults on which those services are delivered. Hence you keep seeing failed login transactions from attackers attempting to steal your credentials and gain access to your account.

The key is a strong password. If you have a cPanel or Plesk control panel, you can enforce a higher password strength for your users. This is a must and the primary security practice for end users. With a strong password, you have made these malicious activities very difficult.

If you have fully managed hosting, you can ask the hosting support team to implement a third-party solution to block these attacks. However, this problem often affects users on basic managed or self-managed packages, where hosting providers will not support third-party solutions. You can either do it yourself with the resources available on the internet, or pay someone to get it done.

The control panel makers also provide their own applications or functions: for Plesk you can install fail2ban, and for cPanel there is cPHulk. The problem is that neither fail2ban nor cPHulk is a bulletproof solution; very often users start to have login problems once these two applications are in place.

This happens in two situations: you are a shared hosting user, or your office has many users sharing the network through the same router. Most users do not have a static IP for their internet connection, so it is not possible to grant access to that IP. Hence, if you have 50 coworkers in the office, it only takes one user to key in a wrong password for his or her mailbox, or to access the server from a computer that has a backdoor. Since everyone has the same public IP address, as soon as that address is blocked, he or she becomes the culprit who has paralysed email sending and receiving for the other 49 users.

Thus we must strike a balance between the two. There are pros and cons either way. Ultimately a strong password is the solution. If you insist on such protection, you must have a static IP for your internet connection, and those are more expensive.
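To show how the ban settings from the Plesk post (5 failed logins within 10 minutes, ban for 3600 seconds) interact, and why the shared-office scenario above ends with the whole office blocked, here is an added Python example that is not part of the original posts and not Fail2Ban's own code. It replays constructed log lines through a simplified ban policy; the log format, the `BanPolicy` class and the IP addresses are my own assumptions, and the trusted-IP list (`ignoreip`) plays the role of the Plesk trusted IP section.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (not from a real server): five office users behind one NAT
# address (198.51.100.7) each mistype once; one attacker (203.0.113.9) hammers a mailbox.
SAMPLE_LOG = """\
1714554000 dovecot: auth failed user=alice rip=198.51.100.7
1714554030 dovecot: auth failed user=bob rip=198.51.100.7
1714554060 dovecot: auth failed user=carol rip=198.51.100.7
1714554090 dovecot: auth failed user=dave rip=198.51.100.7
1714554120 dovecot: auth failed user=erin rip=198.51.100.7
1714554000 dovecot: auth failed user=admin rip=203.0.113.9
1714554001 dovecot: auth failed user=admin rip=203.0.113.9
1714554002 dovecot: auth failed user=admin rip=203.0.113.9
1714554003 dovecot: auth failed user=admin rip=203.0.113.9
1714554004 dovecot: auth failed user=admin rip=203.0.113.9
"""
LINE_RE = re.compile(r"^(\d+) \S+ auth failed user=(\S+) rip=(\S+)$")


class BanPolicy:
    """Ban an IP for `bantime` seconds after `maxretry` failures within `findtime`."""
    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = set(ignoreip)        # trusted IPs are never banned
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> epoch second the ban expires

    def observe_failure(self, ip, now):
        """Record one failed login; return True if this failure triggers a ban."""
        if ip in self.ignoreip or self.banned_until.get(ip, 0) > now:
            return False                     # trusted, or already banned
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return True
        return False


def run_policy(log_text, **settings):
    """Replay parsed log lines in time order; return {ip: ban expiry} for banned IPs."""
    policy = BanPolicy(**settings)
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    events = sorted((int(m.group(1)), m.group(3)) for m in matches if m)
    for ts, ip in events:
        policy.observe_failure(ip, ts)
    return dict(policy.banned_until)
```

With the defaults, `run_policy(SAMPLE_LOG)` bans the attacker and the office NAT address alike; listing the office address in `ignoreip`, or using a shorter `findtime` so five unrelated typos no longer fall in one window, is what keeps the other 49 colleagues working.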

Before I go: cPHulk will not work in a VPS virtualised with Virtuozzo or OpenVZ. cPanel has decided not to support this type of virtualisation because the iptables settings are inconsistent across providers.