
On Plesk server with both fail2ban and Imunify360 turned on, IP addresses are intermittently banned


Applicable to:

  • Plesk for Linux

Symptoms

  • Websites or webmail hosted in Plesk are intermittently unavailable with the "This site can't be reached" error.

  • Imunify360 is installed on the Plesk server, and ModSecurity is configured to use its ruleset.

  • In /var/log/fail2ban.log, entries like the following show the client IP address being banned by the ModSecurity jail:

    fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2

  • Entries like the following can be found in the /var/log/modsec_audit.log file:

    Message: [file "/etc/httpd/conf/modsecurity.d/rules/custom/002_i360_2_bruteforce.conf"] [line "253"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:admin"] [severity "NOTICE"] [tag "service_i360"] Access denied with redirection to https://imunify-alert.com/compromised.html?SN=example.com&SP=7081&RFR=&URI=/wp-login.php&cms_name=wordpress&version=1 using status 302 (phase 2). Matched phrase "/1111/" at TX:wp_passwd.
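
To confirm that a server shows both log symptoms above, this added example (not part of the original article or of Plesk's tooling) counts bans issued by the plesk-modsecurity jail and ModSecurity audit messages tagged service_i360. The sample log lines, their timestamps, the second jail and rule, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two log excerpts in the article.
FAIL2BAN_SAMPLE = """\
2024-01-10 10:00:01,123 fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
2024-01-10 10:05:00,456 fail2ban.actions [3045]: NOTICE [ssh] Ban 198.51.100.7
2024-01-10 10:10:01,789 fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Unban 203.0.113.2
2024-01-10 11:00:00,000 fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
"""
AUDIT_SAMPLE = """\
Message: [file "/etc/httpd/conf/modsecurity.d/rules/custom/002_i360_2_bruteforce.conf"] [line "253"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:admin"] [severity "NOTICE"] [tag "service_i360"] Access denied with redirection (phase 2).
Message: [file "/constructed/other.conf"] [line "1"] [id "900001"] [msg "Constructed non-Imunify360 rule"] [tag "other"] Warning.
"""

def modsec_jail_bans(log_text, jail="plesk-modsecurity"):
    """Count Ban events per IP for one fail2ban jail (Unban lines are ignored)."""
    pattern = re.compile(r"NOTICE\s+\[" + re.escape(jail) + r"\]\s+Ban\s+(\S+)")
    return Counter(m.group(1) for m in pattern.finditer(log_text))

def imunify_rule_hits(audit_text):
    """Count audit-log Message lines per rule id that carry the service_i360 tag."""
    hits = Counter()
    for line in audit_text.splitlines():
        if line.startswith("Message:") and '[tag "service_i360"]' in line:
            rule_id = re.search(r'\[id "(\d+)"\]', line)
            if rule_id:
                hits[rule_id.group(1)] += 1
    return hits

def diagnose(fail2ban_text, audit_text):
    """Report whether both log symptoms from the article are present."""
    bans = modsec_jail_bans(fail2ban_text)
    hits = imunify_rule_hits(audit_text)
    return {"bans": dict(bans), "imunify_rules": dict(hits),
            "matches_article": bool(bans) and bool(hits)}

if __name__ == "__main__":
    # On a real server, read /var/log/fail2ban.log and /var/log/modsec_audit.log instead.
    print(diagnose(FAIL2BAN_SAMPLE, AUDIT_SAMPLE))
```
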

Cause

ModSecurity works in conjunction with Imunify360. Imunify360 is not compatible with Fail2Ban, and that incompatibility causes false-positive blocks.

Resolution

Imunify360 has its own protection against brute-force attacks, so disable Fail2Ban while Imunify360 is active on the server:

  1. Log in to Plesk.
  2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Settings.
  3. Uncheck Enable intrusion detection and click OK.