Fail2Ban unable to block IP Addresses on a Plesk server

Symptoms

• Users encounter an error when attempting to block an IP address using Fail2Ban in Plesk. The error message states:

  ERROR:__main__Command ['set', 'plesk-one-week-ban', 'banip', '203.0.112.1'] failed with error UnknownJailException('plesk-one-week-ban').

• Reloading fail2ban gives a permission error.

  # fail2ban-client reload
  2024-12-05 16:11:12,990 fail2ban [3005163]: ERROR NOK: (13, 'Permission denied')
  [Errno 13] Permission denied: '/var/www/vhosts/system/example.com/logs/error_log'

• SELinux context of file seen in error above is httpd_sys_content instead of the correct one, httpd_log_t:

  # ls -Z /var/www/vhosts/system/example.com/logs/error_log
  system_u:object_r:httpd_sys_content_t:s0 /var/www/vhosts/system/example.com/logs/error_log

• Audit log file /var/log/audit/audit.log shows a denied request regarding fail2ban-server:

  # egrep "fail2ban-server" /var/log/audit/audit.log | grep denied
  type=AVC msg=audit(1733411472.982:1927101): avc: denied { read } for pid=2373127 comm="fail2ban-server" name="error_log" dev="sda1" ino=230808319 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0

Cause

The issue is caused by incorrect SELinux context for the log files that Fail2Ban needs to access.

Resolution

1. Connect to the server via SSH

2. Remove currently installed psa-selinux package via Plesk installer:

   # plesk installer --select-product-id plesk --select-release-current --remove-component selinux

3. Reinstall currently installed psa-selinux package via Plesk installer

   # plesk installer --select-product-id plesk --select-release-current --install-component selinux

4. Check again context of affected file, it should look like this:

   # ls -Z /var/www/vhosts/system/example.com/logs/error_log
   system_u:object_r:httpd_log_t:s0 /var/www/vhosts/system/example.com/logs/error_log