Symptoms
- Disabling Plesk Firewall in Tools & Settings > Firewall deletes the Fail2Ban chains in iptables, leaving the iptables ruleset empty.
- Errors in /var/log/fail2ban.log:
fail2ban.actions       [13400]: ERROR  Failed to stop jail 'plesk-wordpress-j' action 'iptables-multiport': Error stopping action
fail2ban.jail          [13400]: INFO   Jail 'plesk-wordpress-j' stopped
fail2ban.action        [13400]: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stdout: ''
fail2ban.action        [13400]: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stderr: 'iptables: Too many links.\n'
- Iptables rules are empty despite the fact that the Fail2ban service is running on the server:
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- When Fail2ban is restarted, the iptables chains are recreated correctly and the errors stop being logged to /var/log/fail2ban.log.
Cause
Plesk bug with ID #PPPM-5090, which is planned to be fixed in future updates.
Resolution
As a workaround, save existing iptables rules and disable Plesk Firewall:
- Log in to Plesk
- Disable Fail2ban at Tools & Settings > Services Management > IP Address Banning (Fail2ban)
- Enable Plesk Firewall at Tools & Settings > Firewall > Enable Firewall Rules Management
- Log in to the Plesk server via SSH
- Save iptables configuration:
# iptables-save > /root/iptables-settings.conf
- Disable Plesk Firewall in Tools & Settings > Firewall > Enable Firewall Rules Management
- Restore iptables rules from the file:
# iptables-restore < /root/iptables-settings.conf
- Re-enable Fail2ban at Tools & Settings > Services Management > IP Address Banning (Fail2ban)
- Modify the /etc/rc.d/rc.local script so that the iptables rules are applied at boot time:
# echo "iptables-restore < /root/iptables-settings.conf" >> /etc/rc.d/rc.local
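To confirm that the symptom is gone after the workaround or after a reboot, the ruleset can be checked for Fail2ban's f2b-* chains and their jumps from INPUT. The script below is an added example, not part of the original article or of Plesk tooling; the function name f2b_state and both sample rulesets are constructed for illustration, and the function expects `iptables -S` output on stdin.

```shell
#!/bin/sh
# Added example (not Plesk code). Classifies a ruleset in `iptables -S` format:
#   missing  - no f2b-* chain is defined (the empty-iptables symptom)
#   unhooked - a f2b-* chain exists but INPUT never jumps to it, so bans have no effect
#   ok       - every f2b-* chain is defined and referenced from INPUT
f2b_state() {
    awk '
        $1 == "-N" && $2 ~ /^f2b-/ { defined[$2] = 1; nchains++ }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^f2b-/) jumped[$(i + 1)] = 1
        }
        END {
            if (nchains == 0) { print "missing"; exit }
            for (c in defined) if (!(c in jumped)) { print "unhooked"; exit }
            print "ok"
        }'
}

# Constructed sample: the state shown under Symptoms (default policies, no rules).
EMPTY_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: the same host with the jail chain from the log in place.
HEALTHY_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-plesk-wordpress
-A INPUT -p tcp -m multiport --dports 80,443,7080,7081 -j f2b-plesk-wordpress
-A f2b-plesk-wordpress -j RETURN'

printf 'empty ruleset:   %s\n' "$(printf '%s\n' "$EMPTY_RULES" | f2b_state)"
printf 'healthy ruleset: %s\n' "$(printf '%s\n' "$HEALTHY_RULES" | f2b_state)"

# On a live server, as root:  iptables -S | f2b_state
```

A result of "missing" or "unhooked" while the Fail2ban service is running means the bans are not being enforced and Fail2ban needs a restart or the saved rules need restoring.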