Symptoms
Websites or webmail hosted in Plesk are intermittently unavailable with a "This site can't be reached" error.
Imunify360 is installed on the Plesk server, and ModSecurity is configured to use its ruleset.
In /var/log/fail2ban.log, errors like the following are shown, with the client IP address getting banned by the ModSecurity jail:
fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
Entries like the one below can be found in the /var/log/modsec_audit.log file:
Message: [file "/etc/httpd/conf/modsecurity.d/rules/custom/002_i360_2_bruteforce.conf"] [line "253"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:admin"] [severity "NOTICE"] [tag "service_i360"] Access denied with redirection to https://imunify-alert.com/compromised.html?SN=example.com&SP=7081&RFR=&URI=/wp-login.php&cms_name=wordpress&version=1 using status 302 (phase 2). Matched phrase "/1111/" at TX:wp_passwd.
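To check that the banned addresses are the ones tripping Imunify360 rules, the two logs above can be correlated. This is an added example, not Plesk or Imunify360 code: it assumes the audit log is in ModSecurity's serial format (A and H sections), and the sample log text, including rule id 900001, is constructed.

```python
import re
from collections import defaultdict
# Ban notices written by the jail named on this page.
BAN_RE = re.compile(r"NOTICE\s+\[plesk-modsecurity\]\s+Ban\s+(\S+)")
SECTION_RE = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
# Section A line: [time] unique_id client_ip client_port server_ip server_port
CLIENT_RE = re.compile(r"^\[[^\]]+\]\s+\S+\s+(\S+)\s+\d+\s+\S+\s+\d+")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
# Constructed sample input, shaped like the entries quoted above.
FAIL2BAN_SAMPLE = """\
fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 198.51.100.9
"""
AUDIT_SAMPLE = """\
--a1b2c3d4-A--
[01/Jan/2024:09:59:58 +0000] ZZZ111 203.0.113.2 51234 192.0.2.10 443
--a1b2c3d4-H--
Message: [id "33355"] [msg "IM360 WAF: WordPress login weak password"] [tag "service_i360"] Access denied (phase 2).
--a1b2c3d4-Z--
--e5f6a7b8-A--
[01/Jan/2024:10:04:10 +0000] ZZZ222 198.51.100.9 40022 192.0.2.10 443
--e5f6a7b8-H--
Message: [id "900001"] [msg "constructed non-Imunify rule"] [tag "constructed_other"] Access denied (phase 2).
--e5f6a7b8-Z--
"""

def banned_ips(fail2ban_text):
    return {m.group(1) for m in BAN_RE.finditer(fail2ban_text)}

def imunify_hits(audit_text):
    """Map client IP -> rule ids of Messages tagged service_i360."""
    hits, section, client = defaultdict(set), None, None
    for line in audit_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            client = None if section == "A" else client  # new entry starts at A
        elif section == "A" and client is None:
            c = CLIENT_RE.match(line)
            client = c.group(1) if c else None
        elif section == "H" and client and line.startswith("Message:"):
            rule = RULE_ID_RE.search(line)
            if rule and '[tag "service_i360"]' in line:
                hits[client].add(rule.group(1))
    return hits

def bans_caused_by_imunify(fail2ban_text, audit_text):
    """Banned IPs that also tripped an Imunify360-tagged rule, with rule ids."""
    hits = imunify_hits(audit_text)
    return {ip: sorted(hits[ip]) for ip in banned_ips(fail2ban_text) if ip in hits}
```

An address that appears in the result was banned by the plesk-modsecurity jail after matching an Imunify360 rule, which is the pattern described in the symptoms.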
Cause
ModSecurity works in conjunction with Imunify360. Imunify360 is not compatible with Fail2Ban, and that incompatibility causes false-positive blocks.
Resolution
Imunify360 has its own protection against brute-force attacks, so disable Fail2Ban while Imunify360 is active on the server:
- Log in to Plesk.
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Settings.
- Uncheck Enable intrusion detection and click OK.