Plesk pages load slowly or fail to load when there are a lot of external connections to Plesk ports 8443 and/or 8880

Applicable to:

  • Plesk for Linux

Symptoms

  • Plesk pages load slowly or fail to load with the error:

    502 Bad Gateway

  • Many messages like the following may appear in /var/log/plesk/panel.log:

    ERR [panel.ui] You have entered incorrect username or password.
    ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2

  • There is a large number of sw-engine processes:

    # ps fax | grep sw-engine | wc -l
    57

  • The top command shows the sw-cp-server process using ~100% of the CPU:

    PID   USER     PR NI VIRT  RES   SHR  S %CPU %MEM TIME+    COMMAND
    34409 sw-cp-s+ 20 0  58860 26840 5080 R 95.7 0.7  15:12.42 sw-cp-server: worker process

  • There is a large number of network connections to Plesk panel ports from different IP addresses:

    # ss -tan state established | grep ":8880\|:8443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | wc -l

Cause

Plesk ports 8443 and 8880 are under a DDoS attack.

Resolution

  1. Connect to your Plesk server via SSH.

  2. Activate Fail2Ban:

    # plesk bin ip_ban --enable

  3. Enable the plesk-panel jail, which scans Plesk logs and blocks IP addresses that have failed to log in to Plesk after a specified number of attempts:

    # plesk bin ip_ban --enable-jails plesk-panel

  4. Enable the recidive jail:

    # plesk bin ip_ban --enable-jails recidive

  5. Change the number of failures before the IP address is banned from 5 (default) to 3:

    # plesk bin ip_ban --update -max_retries 3

  6. Give Fail2Ban several minutes to ban unwanted IP addresses.
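
To cross-check which addresses the plesk-panel jail should be picking up, the following added example (not part of the original article and not Plesk code) counts the "Failed login attempt" lines shown under Symptoms per source IP and lists those at or above the threshold from step 5. It counts over the whole input rather than within Fail2Ban's find period, and it assumes each matching line ends with the IP address as in the excerpt above; the function names, the timestamp prefix and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Plesk code): report source IPs in panel.log that reached
# a failed-login threshold, i.e. candidates for the plesk-panel jail.

# failed_logins_by_ip THRESHOLD [FILE...]
# Prints "<count> <ip>" for each IP with >= THRESHOLD failures, busiest first.
# Reads stdin when no FILE is given.
failed_logins_by_ip() {
    threshold=$1
    shift
    # Assumption: the line ends with "from IP <address>", as in the excerpt.
    # Only that final token is trusted, because the login name is attacker
    # controlled and may itself contain the text "from IP <other address>".
    awk -v min="$threshold" '
        /Failed login attempt with login/ &&
        $(NF - 2) == "from" && $(NF - 1) == "IP" &&
        $NF ~ /^[0-9A-Fa-f:.]+$/ { hits[$NF]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input; the timestamp prefix is an assumed layout.
sample_log() {
    cat <<'EOF'
[2024-01-01 10:00:01] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
[2024-01-01 10:00:01] ERR [panel.ui] You have entered incorrect username or password.
[2024-01-01 10:00:02] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
[2024-01-01 10:00:03] ERR [panel] [Action Log] Failed login attempt with login 'root' from IP 203.0.113.2
[2024-01-01 10:00:04] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 198.51.100.7
[2024-01-01 10:00:05] ERR [panel] [Action Log] Failed login attempt with login 'x from IP 192.0.2.9' from IP 198.51.100.7
[2024-01-01 10:00:06] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 192.0.2.50
[2024-01-01 10:00:07] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 198.51.100.7
[2024-01-01 10:00:08] ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 198.51.100.7
EOF
}

# Threshold 3 matches the max_retries value set in step 5.
sample_log | failed_logins_by_ip 3
```

On a server, pass the log file instead of the sample: failed_logins_by_ip 3 /var/log/plesk/panel.log.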

 

Check other DDoS protection tools in this KB article.
