How do ModSecurity + Fail2Ban + Imunify work together in a server with Plesk?

Applicable to:

  • Plesk for Linux

Question

How do ModSecurity + Fail2Ban + Imunify work together in a server with Plesk?

Answer

The three tools do NOT all work in synergy. Choose the one option below that best serves your needs, and avoid installing anything else (including third-party tools that are not listed).

Compatible and safe to use:

  • ModSecurity+Fail2Ban:

    When ModSecurity is enabled, a rule "plesk-modsecurity" is created at Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
    When ModSecurity is triggered X times (defined in the Fail2Ban settings) by a certain IP address, that IP address is banned by Fail2Ban for Y seconds.

  • Imunify only:

    Imunify uses the same algorithm as ModSecurity: both work by analyzing Apache requests.
    Imunify installs the ModSecurity component with a special Imunify ruleset. The ruleset can be checked via the CLI:

    # plesk sbin modsecurity_ctl -L --enabled
    custom
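
The ModSecurity+Fail2Ban banning behaviour described above, as an added example that is not Plesk's or Fail2Ban's own code. It assumes X maps to Fail2Ban's `maxretry`, Y to `bantime`, and that hits are counted within the `findtime` window; the log format and IP addresses are constructed for illustration and are not the format the real jail parses.

```python
# Added illustration: models a Fail2Ban-style jail (maxretry / findtime / bantime).
# The log lines are constructed samples, not real ModSecurity log output.
import re
from collections import defaultdict, deque

# Constructed format: "<epoch-seconds> <client-ip> ModSecurity: Access denied"
LINE_RE = re.compile(r"^(\d+) (\S+) ModSecurity: Access denied")

def simulate_jail(lines, maxretry, findtime, bantime):
    """Return (ip, ban_start, ban_end) tuples in the order the bans occur."""
    hits = defaultdict(deque)   # ip -> timestamps of hits still inside the window
    banned_until = {}           # ip -> epoch second at which the ban expires
    bans = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not a WAF hit, so the filter ignores it
        ts, ip = int(m.group(1)), m.group(2)
        if banned_until.get(ip, 0) > ts:
            continue            # ban still active, nothing new to count
        window = hits[ip]
        window.append(ts)
        # Forget hits that are older than findtime seconds.
        while window and window[0] <= ts - findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

SAMPLE_LOG = [  # constructed sample input
    "1000 203.0.113.5 ModSecurity: Access denied",
    "1010 203.0.113.5 ModSecurity: Access denied",
    "1015 198.51.100.7 ModSecurity: Access denied",
    "1020 203.0.113.5 ModSecurity: Access denied",   # third hit in window: ban
    "1030 203.0.113.5 ModSecurity: Access denied",   # falls inside the ban
    "1700 198.51.100.7 ModSecurity: Access denied",  # hit at 1015 has aged out
    "1705 198.51.100.7 ModSecurity: Access denied",
]

if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_LOG, maxretry=3, findtime=600, bantime=600):
        print(f"{ip} banned from t={start} until t={end}")
```

The second address is never banned with these settings because its hits are spread further apart than `findtime`, which is why a low-and-slow source can stay under the threshold.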

Not compatible:

  • Imunify+Fail2Ban:

    According to the Imunify installation guide, Imunify is incompatible with Fail2Ban.
    If Imunify is being used, disable Fail2Ban on the Plesk > Tools & Settings > IP Address Banning (Fail2Ban) > Settings tab.

  • Imunify+ModSecurity with standard rulesets (e.g. OWASP and Comodo):

    It is strongly recommended to disable all mod_security rulesets other than the Imunify ruleset (especially OWASP and Comodo). These rulesets can cause a large number of false positives and duplicate the Imunify ruleset. Consider using only the Imunify ruleset to avoid such behavior. Please check the Imunify documentation for details: Hosting Panels Firewall Rulesets Specific Settings
