Use fail2ban to protect your server with plesk panel from zero day exploit

To protect your server with Plesk control panel from zero day exploit the following fail2ban configuration can be added:

1. Added custom config with the following regex:
# more /etc/fail2ban/filter.d/apache-plesk-vulnerability.conf
# Fail2Ban configuration file
#
# Author: Taras Shkodenko
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
failregex = ^ -.*”POST /%%70%%68%%70%%70%%61%%74%%68/%%70%%68%%70?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#

2. Added these lines to fail2ban configuration file: /etc/fail2ban/jail.conf
#
#
# Ban attackers that try to use Plesk zero day vulnerability
#

[apache-plesk-vulnerability]
enabled = true
filter = apache-plesk-vulnerability
action = iptables-multiport[name=apachePleskVulner, port=”http,https”, protocol=tcp]
sendmail-whois[name=apachePleskVulner, dest=serveradmin@shkodenko.com]
logpath = /var/log/httpd/access_log
maxretry = 1
#

3. To check new ban regex use command:
# /usr/bin/fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-plesk-vulnerability.conf

4. Restarted fail2ban using command:
# /sbin/service fail2ban restart

4 thoughts on “Use fail2ban to protect your server with plesk panel from zero day exploit

  1. Hello,

    Thanks for the great tips on your blog.
    I tried the above definition for the plesk ui port (8443) but i cant make it work. Im clueless about python so I can’t make a definition that suits plesk.
    I found the definition that follows but it doesnt work also.
    [Definition]
    failregex = ^.*”-” “-“$
    ignoreregex =

    any help is appreciated

    Thank you,
    Panos

    • Panos,

      as I can see your problem in port (8443). As I described above I am using ports http (TCP 80) and https (TCP 443) to catch hackers. And my solution is working fine for me.

  2. Hello,
    Thanks for the response. You are right, i messed up the definitions.
    I tried 2 ways to protect the plesk admin panel (8443). I’m afraid theres nothing on the internet regarding the brute force attacks and how to stop them with fail2ban. The only info i found is http://bugreev.ru/blog:2011:12:23-plesk_-_%D0%BD%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0_fail2ban
    And all the info you posted on your blog. The link method for 8443 port doesnt seem to work.
    Also your method to create a jail for 80 and 443 ports seems promissing.

    From what i understand the definition “tells” fail2ban what words should look in the logs (/var/log/httpd/access_log for you) in order to prevent brute force attacks after x wrong attempts. My problem is that your definition for failregex (failregex = ^ -.*‚ÄĚPOST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66.*) prevents fail2ban from starting.

    To be more precise im getting this error
    Starting fail2ban: ERROR Failed during configuration: ‘%’ must be followed by ‘%’ or ‘(‘, found: ‘%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66.*’

    All your info are very useful but im quite noobie to make the definition to work + theres nothing on the internet that will help someone with dynamic ip (thus cant use the plesk build in restrict administrative access)to protect plesk from brute force attacks.

    any help is appreciated

    Panos

    PS From what i see on parallels forums many people “demanding” build in fail2ban module for plesk or they are searching a way to configure fail2ban. You seem to be the only one that made this to work :)
    PS2 Sorry for the wall of text

    • Panos,

      you should replace each percent % by two percents %% to get it work.

      Also, there is utility to check your fail2ban regex:
      # /usr/bin/fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-plesk-vulnerability.conf

      It will report you any problems in rules before you apply them to live fail2ban configuration.

Comments are closed.