Plesk

How to check why an IP address is getting banned by Fail2Ban in Plesk for Linux

Question

How to find out why users are getting banned by Fail2Ban?

How to know which domain was accessing a banned IP address?

Answer

  1. Connect to a Plesk server via SSH.

  2. Find the banned IP address in the file /var/log/fail2ban.log to identify which jail has banned it.

    In this example, the jail named plesk-apache has banned the IP address.

    # grep 203.0.113.2 /var/log/fail2ban.log
    2020-01-02 17:59:34,904 fail2ban.filter [10894]: INFO [plesk-apache] Found 203.0.113.2 - 2020-01-02 17:51:48
    2020-01-02 17:59:35,102 fail2ban.actions [10894]: NOTICE [plesk-apache] Ban 203.0.113.2

  3. To see why it has been banned, search for the IP address in the corresponding service logs or use the fail2ban-regex utility, for example:

    • Domain apache log files:

      # grep -l 203.0.113.2 /var/www/vhosts/system/*/logs/error_log
      /var/www/vhosts/system/example.com/logs/error_log

    • With fail2ban-regex:

      # fail2ban-regex --print-all-matched <service-log> /etc/fail2ban/filter.d/<filter-name>.conf

      The <filter-name> can be found in Tools & Settings > IP Address Banning (Fail2Ban) > Jails > <jail-name> > Settings, in the line beginning with filter = <filter-name>.

      For example, if you are investigating a website and the Apache jail, use the following command:

      # fail2ban-regex --print-all-matched /var/www/vhosts/system/example.com/logs/error_log /etc/fail2ban/filter.d/apache-auth.conf

      The utility may show a report like the one below:

      =============

      Use failregex filter file : apache-auth, basedir: /etc/fail2ban
      Use log file : /var/www/vhosts/system/example.com/logs/error_log
      Use encoding : UTF-8

      Results
      =======

      Failregex: 7 total
      |- #) [# of hits] regular expression
      | 1) [7] ^\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
      `-

      |- Matched line(s):
      | [Thu Jan 20 17:59:34.573099 2019] [authz_core:error] [pid 30309] [client 203.0.113.2:37014] AH01630: client denied by server configuration: /var/www/vhosts/example.com/httpdocs/piwik/plugins/ClickHeat, referer: http://example.com
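      The two lookups from steps 2 and 3 (which jail banned an IP, and which filter that jail uses) as an added shell example that is not part of the Plesk article; the log lines and jail stanzas are constructed samples in the same layout as /var/log/fail2ban.log and a Fail2Ban jail definition, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: on a real server feed /var/log/fail2ban.log and the jail
# configuration to the functions via stdin instead of the SAMPLE_* strings.

# Constructed sample of /var/log/fail2ban.log lines (not from a real server).
SAMPLE_LOG='2020-01-02 17:59:34,904 fail2ban.filter [10894]: INFO [plesk-apache] Found 203.0.113.2 - 2020-01-02 17:51:48
2020-01-02 17:59:34,910 fail2ban.filter [10894]: INFO [plesk-apache] Found 203.0.113.2 - 2020-01-02 17:52:03
2020-01-02 17:59:35,102 fail2ban.actions [10894]: NOTICE [plesk-apache] Ban 203.0.113.2
2020-01-02 18:03:10,000 fail2ban.filter [10894]: INFO [plesk-postfix] Found 198.51.100.7 - 2020-01-02 18:03:09
2020-01-02 18:03:11,000 fail2ban.actions [10894]: NOTICE [plesk-postfix] Ban 198.51.100.7
2020-01-02 18:30:00,000 fail2ban.actions [10894]: NOTICE [plesk-apache] Unban 203.0.113.2'

# Constructed sample of jail definitions (the "filter =" lines are what
# Plesk shows under Jails > <jail-name> > Settings).
SAMPLE_JAIL_CONF='[plesk-apache]
enabled = true
filter = apache-auth

[plesk-postfix]
enabled = true
filter = postfix'

# ban_report IP: reads a fail2ban log on stdin and prints, per jail,
# how many Found hits, Ban and Unban events mention exactly that IP.
ban_report() {
  # grep -F prefilters literally; awk compares field 8 exactly so that
  # 203.0.113.20 is not reported when 203.0.113.2 is asked for.
  grep -F -- "$1" | awk -v ip="$1" '
    $8 == ip {
      # layout: date time logger [pid]: LEVEL [jail] Action IP ...
      jail = $6; sub(/^\[/, "", jail); sub(/\]$/, "", jail)
      seen[jail] = 1; n[jail, $7]++
    }
    END {
      for (j in seen)
        printf "%s found=%d ban=%d unban=%d\n", j, n[j,"Found"], n[j,"Ban"], n[j,"Unban"]
    }'
}

# jail_filter JAIL: reads jail definitions on stdin and prints the filter
# name, i.e. the <filter-name> to pass to fail2ban-regex.
jail_filter() {
  awk -v jail="$1" '
    /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/\]$/, "", cur); next }
    cur == jail && $1 == "filter" { print $3; exit }'
}

printf '%s\n' "$SAMPLE_LOG" | ban_report 203.0.113.2
printf '%s\n' "$SAMPLE_JAIL_CONF" | jail_filter plesk-apache
```

With the filter name in hand, the matching filter file is /etc/fail2ban/filter.d/<filter-name>.conf, which is the second argument to fail2ban-regex in step 3.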