IP address banning (Fail2Ban) is an automated way to protect your server from brute-force attacks. Fail2Ban uses regular expressions to monitor log files for patterns that correspond to authentication failures, attempts to find exploits, and other entries that can be considered suspicious. Such log entries are counted, and when their number reaches a predefined value, Fail2Ban either sends a notification email or bans the attacker's IP address for a predefined length of time. When the ban period is over, the IP address is automatically unbanned.
To set up Plesk to automatically ban IP addresses and networks that generate malicious traffic:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) (in the Security group). The Fail2Ban component has to be installed on your server.
- Select the Enable intrusion detection checkbox. This will activate the Fail2Ban service.
- Specify the following settings:
  - IP address ban period – the time interval in seconds for which an IP address is banned. When this period is over, the IP address is automatically unbanned.
  - Time interval for detection of subsequent attacks – the time interval in seconds during which the system counts the number of unsuccessful login attempts and other unwanted actions from an IP address.
  - Number of failures before the IP address is banned – the number of failed login attempts from the IP address.
- Click OK.
If an IP address should not be blocked:
- Go to Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP.
- In the IP address field, provide an IP address, an IP range, or a DNS host name, and click OK.
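How the three settings and the trusted list interact, as an added example that is not code from Plesk or Fail2Ban: a simplified replay of the counting logic over a constructed log. The log format, `simulate`, `SAMPLE_LOG` and the parameter names are assumptions made for this illustration, and DNS host names in the trusted list are not handled.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed log format "<epoch-seconds> sshd: Failed password ..."; real filters differ.
FAILURE = re.compile(r"^(?P<ts>\d+) sshd: Failed password for \S+ from (?P<ip>\S+)$")

# Constructed sample input (documentation address ranges only).
SAMPLE_LOG = [
    "100 sshd: Failed password for root from 203.0.113.7",
    "130 sshd: Failed password for root from 203.0.113.7",
    "150 sshd: Accepted password for alice from 198.51.100.4",
    "160 sshd: Failed password for admin from 203.0.113.7",   # 3rd failure in window
    "170 sshd: Failed password for bob from 192.0.2.10",
    "180 sshd: Failed password for bob from 192.0.2.10",
    "190 sshd: Failed password for bob from 192.0.2.10",
    "200 sshd: Failed password for carol from 198.51.100.9",
    "900 sshd: Failed password for carol from 198.51.100.9",  # failure at 200 has aged out
    "1000 sshd: Failed password for carol from 198.51.100.9",
]

def simulate(lines, ban_period, detect_interval, max_failures, trusted=()):
    """Replay log lines and return (event, ip, time) tuples for bans and unbans."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned_until = {}               # ip -> time at which the ban expires
    events = []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue                # not an authentication failure
        now, ip = int(m["ts"]), m["ip"]
        for b, until in list(banned_until.items()):   # lift bans whose period is over
            if until <= now:
                del banned_until[b]
                events.append(("unban", b, until))
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted_nets) or ip in banned_until:
            continue                # trusted IPs are never counted; banned ones are blocked
        window = failures[ip]
        window.append(now)
        while window[0] <= now - detect_interval:     # drop failures outside the interval
            window.popleft()
        if len(window) >= max_failures:
            banned_until[ip] = now + ban_period
            events.append(("ban", ip, now))
            window.clear()
    return events
```

Replaying the sample with a 600-second ban period, a 600-second detection interval and three failures bans `203.0.113.7` at time 160 and unbans it at 760; `198.51.100.9` is never banned because its failures are spread over more than one interval.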