Securing Plesk installation using fail2ban

Fail2Ban is a great utility to protect your server from 'script kiddies' attempting to do brute force attacks against your exposed services.

Install Fail2ban according to the installation instructions. If you are using CentOS, fail2ban rpms can be found in the rpmforge repo (even though they tend to be one or two versions behind).

After installation we need to configure fail2ban for Plesk's own settings.

Fail2Ban relies on regular expressions to scan log files for particular 'login failure' strings and then takes a number of actions against the offending IP.
All of Fail2Ban's configuration options reside in /etc/fail2ban, so let's configure each file separately.


/etc/fail2ban/
├── action.d
│   ├── iptables.conf
│   ├── mail-whois.conf
│   └── complain.conf
├── fail2ban.conf
├── filter.d
│   ├── sshd.conf
│   └── ........
└── jail.conf

fail2ban.conf
Contains general settings, such as the logging level and target

jail.conf
This is the most important file, containing the declaration of our jails. There are already some sections as templates but we must enable the sections of interest and adapt to Plesk's particular configuration. Here is an example of the ssh-iptables section:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=thanos@thanosk.net, sender=fail2ban@mail.com]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3
bantime  = 43200

With these settings a few things will happen:

  1. the section ssh-iptables is enabled;
  2. the filter sshd.conf in sub-directory filter.d will be processed (we will see what this means later);
  3. the actions described in iptables.conf in sub-directory action.d will be executed if the outcome of the filter is true. The same goes for the actions sendmail-whois and complain;
  4. the log file to be scanned by the filter is /var/log/secure;
  5. maxretry is the number of times the filter sshd.conf needs to match before the actions in point 3 are executed;
  6. bantime is the amount of time (in seconds) the particular IP will be banned.

filter.d Directory
This directory contains all the filters we want to apply to the various log files. Each configuration file contains
regular expressions which are used to detect break-in attempts, password failures, etc. The <HOST> placeholder in a failregex is expanded by fail2ban into a group that captures the offending IP address.
As an example, smtp.conf:

# Fail2Ban configuration file

[Definition]

failregex = LOGIN FAILED, ip=\[<HOST>\]
            password incorrect from .* \[<HOST>\]
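To see how the filter and jail settings fit together (points 2, 5 and 6 of the jail section and the smtp.conf failregex above), here is a small added example, not part of the original post or of fail2ban itself, that expands <HOST> the way fail2ban does, scans constructed log lines and reports which hosts reach maxretry. The HOST_GROUP pattern and the sample log lines are simplified assumptions of mine.

```python
import re
from collections import Counter

# Patterns copied from the smtp.conf filter above; fail2ban expands the
# <HOST> placeholder into a named group that captures the offending address.
FAILREGEX = [
    r"LOGIN FAILED, ip=\[<HOST>\]",
    r"password incorrect from .* \[<HOST>\]",
]
# Simplified stand-in for fail2ban's own <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>[\w\-.]+)"


def compile_failregex(patterns):
    """Turn fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def count_failures(log_lines, regexes):
    """Return a Counter of failure hits per host, like a jail's per-IP tally."""
    hits = Counter()
    for line in log_lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count one failure per line even if several patterns match
    return hits


def hosts_to_ban(log_lines, patterns=FAILREGEX, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime window ignored here)."""
    hits = count_failures(log_lines, compile_failregex(patterns))
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample log lines (not from a real server) in the format the
# smtp.conf patterns expect; 203.0.113.5 fails three times, 198.51.100.7 once.
SAMPLE_LOG = [
    "Mar  3 10:01:02 host smtp_auth: LOGIN FAILED, ip=[203.0.113.5]",
    "Mar  3 10:01:05 host smtp_auth: password incorrect from user@example.com [203.0.113.5]",
    "Mar  3 10:01:09 host smtp_auth: LOGIN FAILED, ip=[203.0.113.5]",
    "Mar  3 10:02:00 host smtp_auth: LOGIN FAILED, ip=[198.51.100.7]",
    "Mar  3 10:02:30 host smtp_auth: LOGIN SUCCESSFUL, ip=[198.51.100.7]",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.5']
```

On a real server, fail2ban's own fail2ban-regex tool performs the same check of a filter file against an actual log file before you enable the jail.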

action.d directory
The directory action.d contains different scripts defining the various actions fail2ban executes. The most important are:
iptables.conf : Adds/removes IPs from your firewall configuration, effectively banning them from even attempting to connect to a particular service or, if you so choose, to the whole server.
sendmail-whois.conf : Sends an email message to the address defined in jail.conf informing you of the actions that were taken.
complain.conf : Sends a complaint e-mail to the 'abuse report' addresses listed in the whois record for an offending IP address.

These are the most important configuration options for fail2ban, but there are a lot more that one can toy with.
For Plesk's particular configuration you should definitely try to protect the SSH, FTP, SMTP & POP servers, as they are
the ones most commonly exposed to various attacks.
You can find attached a compressed folder containing all the files that I use. Make sure to change the email addresses in the various configuration files so emails end up in the correct mailbox.

Update:
Since I updated to Plesk 11.x I had to make certain changes to the configuration files. Mainly because I moved from Qmail to Postfix. You will find my updated configuration files also attached.