How to check why an IP address is getting banned by Fail2Ban in Plesk for Linux

Applicable to:

  • Plesk for Linux

Question

How to find out why an IP address is being banned by Fail2Ban?

How to find out which domain a banned IP address was accessing?

Answer

Fail2Ban writes logs that show exactly why an IP address is being banned. To read them, use these steps:

  1. Connect to a Plesk server via SSH.
  2. Find the banned IP address in the file /var/log/fail2ban.log to identify which jail has banned it.

    In this example, the jail named plesk-apache has banned the IP address.

    # grep 203.0.113.2 /var/log/fail2ban.log
    2020-01-02 17:59:34,904 fail2ban.filter [10894]: INFO [plesk-apache] Found 203.0.113.2 - 2020-01-02 17:51:48
    2020-01-02 17:59:35,102 fail2ban.actions [10894]: NOTICE [plesk-apache] Ban 203.0.113.2

  3. To see why it has been banned, search for the IP address in the corresponding service logs, or use the fail2ban-regex utility. For example:
    • Domain apache log files:

      # grep -l 203.0.113.2 /var/www/vhosts/system/*/logs/error_log
      /var/www/vhosts/system/example.com/logs/error_log

    • With fail2ban-regex:

      # fail2ban-regex --print-all-matched <service-log> /etc/fail2ban/filter.d/<filter-name>.conf

      The <filter-name> can be found in Tools & Settings > IP Address Banning (Fail2Ban) > Jails > <jail-name> > Settings, in the line beginning with filter = <filter-name>.

      For example, to check a website's Apache error log against the filter of the Apache jail, use the following command:

      # fail2ban-regex --print-all-matched /var/www/vhosts/system/example.com/logs/error_log /etc/fail2ban/filter.d/apache-auth.conf

      The utility may show a report like the one below:

      Running tests
      =============

      Use failregex filter file : apache-auth, basedir: /etc/fail2ban
      Use log file : /var/www/vhosts/system/example.com/logs/error_log
      Use encoding : UTF-8


      Results
      =======

      Failregex: 7 total
      |- #) [# of hits] regular expression
      | 1) [7] ^\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
      `-

      |- Matched line(s):
      | [Thu Jan 20 17:59:34.573099 2019] [authz_core:error] [pid 30309] [client 203.0.113.2:37014] AH01630: client denied by server configuration: /var/www/vhosts/example.com/httpdocs/piwik/plugins/ClickHeat, referer: [http://example.com]
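As an added example that is not part of the Plesk article, the POSIX shell functions below automate steps 2 and 3: they extract the jail name from fail2ban.log entries for a given IP address, then look up that jail's filter and logpath in the jail configuration, which is what you need to build the fail2ban-regex command. The log excerpt and the jail configuration are constructed sample data embedded in the script; on a real server you would pipe in /var/log/fail2ban.log and the jail configuration instead.

```shell
#!/bin/sh
# Added example: correlate a banned IP with the jail that banned it and with
# that jail's filter/logpath. All sample data below is constructed.

# Constructed excerpt of /var/log/fail2ban.log.
SAMPLE_F2B_LOG='2020-01-02 17:59:34,904 fail2ban.filter [10894]: INFO [plesk-apache] Found 203.0.113.2 - 2020-01-02 17:51:48
2020-01-02 17:59:35,102 fail2ban.actions [10894]: NOTICE [plesk-apache] Ban 203.0.113.2
2020-01-02 18:02:11,003 fail2ban.actions [10894]: NOTICE [ssh] Ban 198.51.100.7
2020-01-03 09:10:00,500 fail2ban.actions [10894]: NOTICE [plesk-apache] Unban 203.0.113.2'

# Constructed jail configuration in jail.conf / jail.d syntax (paths are illustrative).
SAMPLE_JAIL_CONF='[plesk-apache]
enabled = true
filter = apache-auth
logpath = /var/www/vhosts/system/*/logs/error_log

[ssh]
enabled = true
filter = sshd
logpath = /var/log/secure'

# jails_for_ip IP < fail2ban.log : print each jail that issued "Ban IP", one per line.
jails_for_ip() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots: 203.0.113.2 must not match 203x0x113x2
  # "] Ban " skips Unban/Found entries; the trailing "$" skips longer addresses with the same prefix.
  grep -E "\] Ban ${esc}\$" | sed -E 's/.*NOTICE \[([^]]+)\] Ban .*/\1/' | sort -u
}

# filter_for_jail JAIL < jail.conf : print the "filter =" value of that jail section.
filter_for_jail() {
  sed -n "/^\[$1\]/,/^\[/{s/^filter[[:space:]]*=[[:space:]]*//p;}"
}

# logpath_for_jail JAIL < jail.conf : print the "logpath =" value of that jail section.
logpath_for_jail() {
  sed -n "/^\[$1\]/,/^\[/{s/^logpath[[:space:]]*=[[:space:]]*//p;}"
}

# ban_report IP : for every jail that banned IP, print "JAIL FILTER LOGPATH".
# The filter maps to /etc/fail2ban/filter.d/FILTER.conf; narrow a glob logpath
# to the concrete domain log before passing both to fail2ban-regex (step 3).
ban_report() {
  printf '%s\n' "$SAMPLE_F2B_LOG" | jails_for_ip "$1" | while read -r jail; do
    f=$(printf '%s\n' "$SAMPLE_JAIL_CONF" | filter_for_jail "$jail")
    l=$(printf '%s\n' "$SAMPLE_JAIL_CONF" | logpath_for_jail "$jail")
    printf '%s %s %s\n' "$jail" "$f" "$l"
  done
}
```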
