Advanced users might also be interested in configuring the way the
so-called Fail2Ban jails are used to block IP addresses. A Fail2Ban
jail is a combination of a filter and one or several actions. A filter
defines a regular expression that matches a pattern corresponding to a
failed login attempt or another suspicious activity. Actions define
commands that are executed when the filter catches an abusive IP
address.

A jail can be active or inactive. When the Fail2Ban service is
running, only active jails are used to monitor the log files and to
ban suspicious IP addresses.

In Plesk, there are preconfigured jails for all hosting services (web
server, mail server, FTP server, and so on). Most of them work in the
same way: they detect failed login attempts and block access to the
service for ten minutes. These jails are listed on the Jails tab in
Tools & Settings > IP Address Banning (Fail2Ban).

The following preconfigured jails are available:
- plesk-apache looks for Apache authorization failures and bans
  attackers for 10 minutes.
- plesk-apache-badbot looks for email grabbers and vulnerability
  scanners in Apache’s access log files. The ban lasts for two days.
- plesk-dovecot looks for Dovecot IMAP, POP3, and Sieve
  authentication failures and bans attackers for 10 minutes.
- plesk-horde and plesk-roundcube detect webmail login failures
  and block access to a web service for 10 minutes.
- plesk-modsecurity bans the IP addresses detected as harmful by
  the ModSecurity Web Application Firewall. The jail can only be
  activated if ModSecurity is already running, and will ban attackers
  even if ModSecurity is operating in the “Detection only” mode. The
  ban lasts for 10 minutes.
- plesk-panel detects Plesk login failures and bans attackers for
  10 minutes.
- plesk-postfix looks for Postfix SMTP and SASL authentication
  failures and bans attackers for 10 minutes.
- plesk-proftpd looks for ProFTPD login failures and bans attackers
  for 10 minutes.
- plesk-wordpress looks for WordPress authentication failures and
  bans attackers for 10 minutes.
- recidive looks for other jails’ bans in Fail2Ban’s own log. It
  blocks hosts that have received a ban from other jails five times in
  the last 10 minutes. The ban lasts a week and applies to all services
  on the server.
- ssh looks for SSH login failures and bans…
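
The filter-plus-action model and the recidive escalation described above, as an added Python sketch (not Plesk's or Fail2Ban's own code). The Jail class, the log line formats, the 203.0.113.7 address and the maxretry value of 3 are assumptions made for illustration; the ban durations and the recidive threshold are the ones stated on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified IPv4-only stand-in for Fail2Ban's <HOST> tag

class Jail:
    """Toy model of a jail: one filter (regex) plus one action (callback)."""
    def __init__(self, name, failregex, maxretry, findtime, bantime, action):
        self.name, self.maxretry = name, maxretry
        self.findtime, self.bantime, self.action = findtime, bantime, action
        self.regex = re.compile(failregex.replace("<HOST>", HOST))
        self.hits = defaultdict(deque)  # host -> timestamps of recent matches

    def feed(self, ts, line):
        m = self.regex.search(line)
        if not m:
            return
        q = self.hits[m["host"]]
        q.append(ts)
        while ts - q[0] > self.findtime:  # forget matches older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            q.clear()
            self.action(self.name, m["host"], ts, self.bantime)

def run_sample():
    bans, f2b_log = [], []  # f2b_log stands in for Fail2Ban's own log file
    def ban(jail, host, ts, bantime):
        bans.append((jail, host, bantime))
        f2b_log.append((ts, f"NOTICE [{jail}] Ban {host}"))
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    minute = timedelta(minutes=1)
    # maxretry=3 for the service jail is an assumed value; the page gives only ban times.
    panel = Jail("plesk-panel", r"login failed from <HOST>", 3, 10 * minute, 10 * minute, ban)
    # Page values: five bans by other jails within 10 minutes -> one-week ban.
    recidive = Jail("recidive", r"\[(?!recidive\])[\w-]+\] Ban <HOST>", 5,
                    10 * minute, timedelta(weeks=1), ban)
    for i in range(3):  # constructed service log: three failed panel logins
        panel.feed(t0 + i * timedelta(seconds=20), "login failed from 203.0.113.7")
    # Constructed bans issued by four other jails against the same address.
    for i, jail in enumerate(["plesk-apache", "plesk-dovecot", "plesk-postfix", "plesk-proftpd"]):
        ban(jail, "203.0.113.7", t0 + (i + 1) * minute, 10 * minute)
    for ts, line in sorted(f2b_log):  # recidive reads the ban log, not service logs
        recidive.feed(ts, line)
    return bans

if __name__ == "__main__":
    for jail, host, bantime in run_sample():
        print(f"{jail:14} banned {host} for {bantime}")
```

The negative lookahead in the recidive pattern keeps that jail from counting its own bans, so only bans issued by other jails escalate to the one-week block.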