Applicable to:
- Plesk Onyx for Linux
Symptoms
When Fail2Ban is enabled and has already banned some IP addresses, its iptables rules can be removed when the Plesk Firewall is disabled.
Cause
This is Plesk bug PPPM-9399, which is planned to be fixed in a future update.
Resolution
Until the bug is fixed, use the workaround:
- Connect to the server using SSH.
- Open the file /etc/init.d/psa-firewall for editing and modify it as follows:
Before:

    if "$emergency"; then
        echo "$SERVICE_NAME: firewall successfully disabled"
        exit 0
    else
        echo "$SERVICE_NAME: failed to disable firewall"
        exit 1
    fi
After:

    if "$emergency"; then
        echo "$SERVICE_NAME: firewall successfully disabled"
        # Restart fail2ban only if it is currently running, so its iptables rules are re-created
        if [ "$(/bin/systemctl is-active fail2ban.service)" = "active" ] ; then
            echo "$SERVICE_NAME: fail2ban will restart now."
            systemctl restart fail2ban.service &
        else
            echo "$SERVICE_NAME: fail2ban is not active and will not be restarted."
        fi
        exit 0
    else
        echo "$SERVICE_NAME: failed to disable firewall"
        exit 1
    fi
Note: After this modification, the Fail2Ban service will be restarted whenever the Plesk Firewall is disabled.
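To confirm that the workaround actually preserved the bans, here is an added shell example (not part of the Plesk article) that parses an `iptables -S` dump for fail2ban's f2b-* chains and compares a snapshot taken before disabling the Plesk Firewall with one taken afterwards; the two sample dumps are constructed, and should_restart_fail2ban mirrors the is-active check used in the script above.

```shell
#!/bin/sh
# Added example (not part of the Plesk article): verify that fail2ban's bans survive
# disabling the Plesk Firewall by comparing two `iptables -S` dumps.

# Constructed sample dump with fail2ban (f2b-*) chains and three banned addresses.
SAMPLE_WITH_F2B='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-N f2b-plesk-panel
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 8443,8880 -j f2b-plesk-panel
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-plesk-panel -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-plesk-panel -j RETURN'

# Constructed sample dump after the bug has flushed the tables: no f2b chains at all.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Same decision the patched psa-firewall script makes, with the output of
# `systemctl is-active fail2ban.service` passed in as $1 so it can be checked offline.
should_restart_fail2ban() {
    [ "$1" = "active" ]
}

# True if the dump in $1 still declares at least one f2b-* chain.
f2b_chains_present() {
    printf '%s\n' "$1" | grep -q '^-N f2b-'
}

# Number of ban rules (REJECT/DROP of a source address inside an f2b-* chain) in $1.
count_f2b_bans() {
    printf '%s\n' "$1" | grep -c -E '^-A f2b-[^ ]+ -s [0-9./]+ -j (REJECT|DROP)' || true
}

# Succeeds only if the "after" dump ($2) keeps the f2b chains and loses no ban
# relative to the "before" dump ($1).
verify_bans_survived() {
    before=$(count_f2b_bans "$1")
    after=$(count_f2b_bans "$2")
    f2b_chains_present "$2" && [ "$after" -ge "$before" ]
}
```

On a live Plesk host, capture `before=$(iptables -S)`, disable the firewall in the panel, capture `after=$(iptables -S)`, and run `verify_bans_survived "$before" "$after"`; a non-zero exit means the bans were lost and fail2ban needs a restart.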
Comments
In my opinion, the psa-firewall script needs to restart fail2ban when called, but only when fail2ban is active. This can be done by editing the /etc/init.d/psa-firewall script like this:

After the line emergency=.... insert:

    fail2ban_restart () {
        if [ "$(/bin/systemctl is-active fail2ban.service)" = "active" ] ; then
            echo "$SERVICE_NAME: fail2ban will restart now."
            systemctl restart fail2ban.service &
        else
            echo "$SERVICE_NAME: fail2ban is not active and will not be restarted."
        fi
    }

fail2ban_restart checks if fail2ban is active and restarts it when detected. You then need to call the function in the start, stop and restart sections after the echo statements.
In Ubuntu 16 fail2ban stores the bans in a DB, so no ban will be lost. I assume it also does in other systems.
Hello Julian,
Thank you for the provided information.
I have passed it to our developers. They will consider this solution.
Hi Taras Ermoshin and Pavel Rozental,
I do not currently have the file mentioned above in the workaround for the known bug PPPM-9399:
/etc/init.d/psa-firewall
May I ask if this issue was resolved in another way?
Can you please advise?