Symptoms

When both Fail2Ban and Imunify360 are simultaneously active on a Plesk server, several issues may arise, indicating an intermittent IP banning problem:

  • Websites or webmail services hosted within Plesk may become intermittently inaccessible, displaying a "This site can't be reached" error to users.
  • Although Imunify360 is installed and ModSecurity is configured to use its ruleset, client IP addresses are still being banned by Fail2Ban's ModSecurity jail. This can be seen in the /var/log/fail2ban.log file as entries similar to:
    fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
  • Further investigation of the /var/log/modsec_audit.log file shows ModSecurity matching Imunify360 rules and redirecting the request, even though Imunify360 should be handling such protection on its own. Such entries look like:
    Message: [file "/etc/httpd/conf/modsecurity.d/rules/custom/002_i360_2_bruteforce.conf"] [line "253"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:admin"] [severity "NOTICE"] [tag "service_i360"] Access denied with redirection to https://imunify-alert.com/compromised.html?SN=example.com&SP=7081&RFR=&URI=/wp-login.php&cms_name=wordpress&version=1 using status 302 (phase 2). Matched phrase "/1111/" at TX:wp_passwd.
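As an added check that is not part of the original article, the script below scans excerpts of the two logs quoted above and reports when the plesk-modsecurity jail is banning addresses while the ModSecurity matches were produced by Imunify360 rules (tag service_i360), which is the conflict this article describes. The log lines are constructed samples in the formats shown; the second audit line is a placeholder for a non-Imunify360 rule.

```python
import re

# Constructed sample excerpts in the formats quoted in the Symptoms section;
# they are not copied from a real server. The second audit line is a
# placeholder for a rule that does not belong to Imunify360.
FAIL2BAN_LOG = """\
2024-05-01 10:15:03,001 fail2ban.actions [3045]: NOTICE [plesk-modsecurity] Ban 203.0.113.2
2024-05-01 10:20:44,512 fail2ban.actions [3045]: NOTICE [plesk-postfix] Ban 198.51.100.7
"""
MODSEC_AUDIT_LOG = """\
Message: [file "/etc/httpd/conf/modsecurity.d/rules/custom/002_i360_2_bruteforce.conf"] [line "253"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:admin"] [severity "NOTICE"] [tag "service_i360"] Access denied with redirection to https://imunify-alert.com/compromised.html?SN=example.com&SP=7081&RFR=&URI=/wp-login.php&cms_name=wordpress&version=1 using status 302 (phase 2). Matched phrase "/1111/" at TX:wp_passwd.
Message: [file "/PLACEHOLDER/other_rules.conf"] [line "1"] [id "900000"] [msg "placeholder non-Imunify360 rule"] [severity "WARNING"] [tag "other"] Access denied with code 403 (phase 2).
"""

BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
MSG_RE = re.compile(r'\[msg "(?P<msg>[^"]*)"\]')
I360_TAG = '[tag "service_i360"]'


def modsecurity_jail_bans(fail2ban_log: str) -> list[str]:
    """IPs banned by the plesk-modsecurity jail, in log order (other jails are ignored)."""
    return [m["ip"] for m in BAN_RE.finditer(fail2ban_log) if m["jail"] == "plesk-modsecurity"]


def imunify360_hits(audit_log: str) -> list[dict]:
    """ModSecurity messages produced by Imunify360's ruleset (tagged service_i360)."""
    hits = []
    for line in audit_log.splitlines():
        if not line.startswith("Message:") or I360_TAG not in line:
            continue
        rid, msg = ID_RE.search(line), MSG_RE.search(line)
        hits.append({"id": rid["id"] if rid else "?", "msg": msg["msg"] if msg else ""})
    return hits


def assess_conflict(fail2ban_log: str, audit_log: str) -> dict:
    """Conflict when Fail2Ban's ModSecurity jail is banning IPs and the ModSecurity
    matches come from Imunify360 rules: both products are acting on the same events."""
    bans, hits = modsecurity_jail_bans(fail2ban_log), imunify360_hits(audit_log)
    return {"modsecurity_jail_bans": bans, "imunify360_hits": hits,
            "conflict": bool(bans) and bool(hits)}


if __name__ == "__main__":
    result = assess_conflict(FAIL2BAN_LOG, MODSEC_AUDIT_LOG)
    for ip in result["modsecurity_jail_bans"]:
        print(f"plesk-modsecurity jail banned {ip}")
    for hit in result["imunify360_hits"]:
        print(f"Imunify360 rule {hit['id']}: {hit['msg']}")
    if result["conflict"]:
        print("Fail2Ban is banning on Imunify360 rule hits; see the Resolution section.")
```

On a live server, read the two files named in the Symptoms section and pass their contents to assess_conflict instead of the constructed samples.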

Cause

The core issue is an incompatibility between Fail2Ban and Imunify360. ModSecurity works together with Imunify360 and enforces its ruleset, but Fail2Ban's ModSecurity jail also reads those ModSecurity events and bans the client IP on its own, without regard for the protection Imunify360 is already applying. The result is false-positive blocks: legitimate requests or minor threats end up banned by Fail2Ban even though Imunify360 is actively providing comprehensive protection against brute-force attacks and other malicious activity.

Resolution

Given that Imunify360 offers its own advanced protection against brute-force attacks and other intrusion attempts, it is recommended to disable Fail2Ban when Imunify360 is active on your server to prevent conflicts and ensure optimal security operations. Follow these steps to disable Fail2Ban:

  1. Log in to your Plesk control panel with administrative credentials.
  2. Navigate to the Tools & Settings section.
  3. Under the "Security" group, locate and click on IP Address Banning (Fail2Ban).
  4. Proceed to the Settings tab within the Fail2Ban interface.
  5. Uncheck the option labeled Enable intrusion detection.
  6. Click OK to save your changes and effectively disable Fail2Ban.

By implementing this resolution, you ensure that Imunify360 can manage server security without interference, thereby resolving the intermittent IP banning issues caused by the coexistence of both security systems.
