Symptoms
- More than 300 domains are hosted on the server.
- Fail2Ban fails to start with one of the following error messages in Plesk:
PLESK_ERROR: Warning: Fail2Ban might not operate properly if there are many domains and Fail2Ban has to monitor too many log files.
PLESK_ERROR: Unable to manage service by f2bmng: ('start', 'fail2ban'). Error: Job for fail2ban.service failed because a timeout was exceeded. See "systemctl status fail2ban.service" and "journalctl -xe" for details. ERROR:f2bmng:Failed to start fail2ban service
PLESK_ERROR: f2bmng failed: ERROR NOK: ('ssh',)
ERROR NOK: ('Action iptables already exists',)
ERROR NOK: ('recidive',)
ERROR NOK: ('Action iptables-multiport already exists',)
ERROR NOK: ('plesk-roundcube',)
ERROR NOK: ('Action iptables-multiport already exists',)
ERROR NOK: ('plesk-apache',)
ERROR NOK: ('Action iptables-multiport already exists',)
ERROR NOK: ('plesk-apache-badbot',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 255
- The following error messages appear in /var/log/fail2ban.log:
fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example.com/logs/access_ssl_log already exists
fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example2.com/logs/proxy_access_ssl_log already exists
fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example3.com/logs/proxy_access_log already exists
fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example4.com/logs/access_log already exists
Cause
Fail2Ban is trying to load too many log files at startup because of the large number of domains. By default, the start timeout of the Fail2Ban service is 90 seconds. After 90 seconds, systemd gracefully kills the Fail2Ban service and tries to start it again, which results in an infinite loop.
Resolution
1. Connect to the Plesk server via SSH.
2. Stop the Fail2Ban service:
# service fail2ban stop
3. Kill hung Fail2Ban processes if they exist:
3.1. List all Fail2Ban processes with the command:
# ps aux | grep fail
root 8815 0.0 0.0 107936 604 pts/0 S+ 10:17 0:00 tail -fn0 /var/log/fail2ban.log
root 8981 0.6 0.1 959104 19304 ? Sl 10:18 0:45 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
root 32139 0.0 0.0 101672 10684 ? S 11:43 0:00 /usr/bin/python /usr/bin/fail2ban-client reload plesk-apache-badbot
3.2. If processes like those above are listed, kill them:
# kill -9 8815 8981 32139
4. Specify the timeout for the Fail2Ban service:
4.1. Open the file /lib/systemd/system/fail2ban.service in a text editor. In this example, we are using the vi editor:
# vi /lib/systemd/system/fail2ban.service
4.2. Add the following line under the [Service] section:
TimeoutStartSec=900
4.3. Save the changes and close the file.
Note: With this change, systemd allows Fail2Ban up to 15 minutes (900 seconds) to load the jails.
5. Reload the systemd configuration and restart the Fail2Ban service:
# systemctl daemon-reload
# service fail2ban restart
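An added example, not part of the original article: the same timeout set through a systemd drop-in under /etc/systemd/system/fail2ban.service.d, which is not overwritten when a package update replaces /lib/systemd/system/fail2ban.service, together with a count of the web logs under the vhosts tree. The drop-in file name timeout.conf and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed names: the drop-in
# file name timeout.conf and the three function names are illustrative.

# Count the per-domain web logs that Fail2Ban would have to open.
# File names are the ones in the fail2ban.log errors shown in Symptoms.
count_vhost_logs() {
    root="${1:-/var/www/vhosts/system}"
    find "$root" -path '*/logs/*' -type f \
        \( -name access_log -o -name access_ssl_log \
           -o -name proxy_access_log -o -name proxy_access_ssl_log \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Write TimeoutStartSec into a systemd drop-in. Only whole seconds are
# accepted here, matching the value format used in the article.
write_timeout_dropin() {
    secs="$1"
    dir="${2:-/etc/systemd/system/fail2ban.service.d}"
    case "$secs" in
        ''|*[!0-9]*) echo "timeout must be whole seconds" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    printf '[Service]\nTimeoutStartSec=%s\n' "$secs" > "$dir/timeout.conf"
}

# Read back the value stored in the drop-in (the last assignment wins).
read_timeout_dropin() {
    sed -n 's/^TimeoutStartSec=//p' "$1/timeout.conf" | tail -n 1
}

# Run as: sh script.sh --apply [seconds]
if [ "${1:-}" = "--apply" ]; then
    echo "web logs found: $(count_vhost_logs)"
    write_timeout_dropin "${2:-900}" &&
        systemctl daemon-reload &&
        systemctl show fail2ban.service -p TimeoutStartUSec
fi
```

After running it with --apply, restart Fail2Ban as in the last step above; systemctl show reports the timeout systemd will actually apply.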