Partner with experts to accelerate your digital transformation journey
Explore Now
Bobcares
Client Area
Emergency Support
Latest | Plesk

How to Fix Fail2Ban Unable to Block IP Addresses and Secure Your Plesk Server

PDF Header PDF Footer

Troubleshoot Fail2Ban unable to block IP Addresses and protect your server now. Our Plesk Support team is ready to assist you. 

Fix Fail2Ban Unable to Block IP Addresses

Fail2Ban protects Plesk servers from repeated login attempts and brute-force attacks. Sometimes it fails to block suspicious IPs, leaving your server vulnerable. Common signs include a disabled IP Address Banning page, error messages like UnknownJailException, or failed logins that do not result in bans.

This guide shows how to fix these issues, handle SELinux restrictions, manage jails, block and unblock IPs, monitor logs, and apply best practices to keep Fail2Ban running smoothly and your server secure.

Symptoms of Fail2Ban Not Blocking IPs in Plesk

You may notice the IP Address Banning page in Plesk looks disabled or shows errors like Could not enable jails or UnknownJailException. From the server console, Fail2Ban may report missing log files or configuration problems. Another clear sign of trouble is when repeated failed logins do not result in banned IPs, showing that Fail2ban not banning addresses as expected.

Why Fail2Ban May Not Work in Plesk

  • Fail2Ban is not enabled in Plesk
  • SELinux blocks access to log files
  • Python version does not match what Fail2Ban needs
  • Jails are misconfigured with wrong log files or a high maxretry value
  • Cloudflare hides the real client IP from the server


How to Fix Fail2Ban Issues in Plesk

  1. Enable Fail2Ban and required jails in Plesk
  2. Check the fail2ban log for error details
  3. Verify SELinux context of log files and reinstall psa selinux if needed
  4. Confirm the server is using the correct Python version
  5. Adjust jail settings like maxretry and log file paths
  6. Configure Cloudflare to pass the real client IP to the server

Understanding the Root Cause: SELinux Context Issues in Fail2Ban

Fail2Ban protects your server by scanning log files for repeated failed login attempts and blocking the suspicious IP addresses it finds. On systems that use SELinux, problems appear when these log files carry the wrong security context. The fail2ban process runs in its own domain called fail2ban_t, and it can only work if SELinux allows it to read the necessary logs and communicate with the firewall.

When a file is labeled incorrectly, Fail2Ban loses access. For example, a web server error log might be tagged as httpd_sys_content_t. This label works for the web server but not for Fail2Ban. In this situation, Fail2Ban will show errors such as permission denied or unknown jail. The proper label for such logs is usually httpd_log_t, which grants the right level of access.

Because of this mismatch, Fail2Ban keeps running but silently fails to catch malicious activity. The failed login attempts are recorded, but the tool cannot act on them. As a result, no IP addresses are banned and your server stays open to brute force attacks. In other words, Fail2Ban cannot successfully blacklist IP addresses until the SELinux context issue is resolved.

You can confirm this problem by checking the context of a file with the ls -Z command. If the label is wrong, you can fix it by applying the correct type with semanage fcontext and restoring the file using restorecon. Once the context is corrected, Fail2Ban regains access to the logs and begins blocking unwanted IP addresses as expected, effectively allowing Fail2Ban to blacklist IPs that show suspicious activity.

Fail2Ban unable to block IP Addresses

Step by Step Resolution to Fix SELinux Context for Fail2Ban on Plesk

If Fail2Ban is not blocking addresses in Plesk because of SELinux restrictions, the issue often lies in how the log files are labeled. By resetting the SELinux settings with the correct package and verifying the context, you can restore Fail2Ban’s access and get it working again.

Connect to your server
First, log in to your server through SSH as the root user so you can run the required commands.

Remove the current SELinux package
To clear any incorrect settings, remove the existing psa selinux package using the Plesk installer.

plesk installer --select-product-id plesk --select-release-current --remove-component selinux

Reinstall the SELinux package
Once the old package is removed, reinstall it to reset the policies and apply the correct rules.
plesk installer --select-product-id plesk --select-release-current --install-component selinux

Check the log file labels
After reinstalling, check whether the log files now have the right context. Use the following command to see the SELinux labels:
ls -Z /var/www/vhosts/system/example.com/logs/error_log

For web server logs, the label should usually appear as httpd log t. If you see another label such as httpd sys content t, it means the file is still not set correctly.

Restart Fail2Ban
Now restart the Fail2Ban service so it can read the logs again with the corrected permissions.

systemctl restart fail2ban

Verify that Fail2Ban works
Finally, confirm that Fail2Ban is running as expected. You can check its current status and see whether active jails are banning IP addresses.
fail2ban-client status

By following these steps, you can restore the correct SELinux context and allow Fail2Ban to monitor logs without being blocked.

How to Block and Unblock IP Addresses in Plesk with Fail2Ban

Fail2Ban helps protect your Plesk server by blocking suspicious IP addresses. You can block or unblock IPs and add trusted addresses using either the Plesk interface or the command line.

Using the Plesk Interface

  1. Log in to Plesk.
  2. Go to Tools and Settings and select IP Address Banning.
  3. To block an IP, go to Banned IP Addresses and click Ban IP.
  4. Enter the IP address or subnet and set the duration. Enter minus one for a permanent ban.
  5. Click OK to apply the ban.

To add a trusted IP, go to the Trusted IP Addresses tab, enter the IP, and save.

Using the Command Line
Block an IP in a jail:

fail2ban-client set jailname banip ipaddress

Example:
fail2ban-client set ssh banip 10.0.0.1

Unblock an IP in a jail:
fail2ban-client set jailname unbanip ipaddress

Check banned IPs in a jail:
fail2ban-client status jailname

Add a trusted IP:
plesk bin ip_ban --add-trusted ipaddress

Remove a trusted IP:
plesk bin ip_ban --remove-trusted ipaddress

Verifying and Troubleshooting Banned IPs in Fail2Ban

Check Banned IPs

sudo fail2ban-client status

sudo fail2ban-client banned

Confirm the Block

  • Check /var/log/fail2ban.log for blocked IPs.
  • Optionally, test the IP connection.

Unban an IP

sudo fail2ban-client set <JAIL_NAME> unbanip <IP_ADDRESS>

Whitelist Trusted IPs

  • Edit /etc/fail2ban/jail.local and add IPs to ignoreip under [DEFAULT].
  • Restart Fail2Ban: 
sudo systemctl restart fail2ban

Preventing Future Fail2Ban Issues on Plesk Servers

Fail2Ban protects your server from repeated login attempts. To keep it working smoothly, follow these steps.

Optimize Settings
Adjust ban time, detection interval, and maximum retries to balance security and usability.

Add Trusted IPs
Whitelist your own IP and known addresses to prevent accidental blocks.

Adjust Jails
Review service-specific jails like SSH, Apache, and mail. Update ban time and retry limits as needed.

Handle SELinux
Check log file contexts with ls -Z and set correct permissions if blocked. Restart Fail2Ban to apply changes.

Verify Bans
Check active jails and banned IPs using Fail2Ban commands. Confirm blocks by reviewing logs.

Unban IPs
Unban from a specific jail if needed and add trusted IPs to ignore future bans.

Correct Log Paths
Ensure each jail points to the correct log file, such as secure for SSH on some systems.

Monitor Logs
Regularly check logs for errors, repeated bans, or suspicious activity.

Handle Corrupt Database
Backup the database, remove a corrupted file, and reinstall Fail2Ban to restore functionality.

Incremental Bans
Use incremental ban times for repeat offenders to increase protection without permanent blocks.

Automate Tasks
Enable Fail2Ban on boot, schedule log monitoring, and back up configurations regularly.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion 

When Fail2Ban is unable to block IP addresses, your server can remain vulnerable to attacks. By checking SELinux settings, adjusting jails, managing trusted IPs, and monitoring logs, you can restore Fail2Ban’s functionality and keep your server secure.

In brief, our Support Experts demonstrated how to fix the “554 5.7.1 : Relay access denied” error.

Related posts:

    1. Plesk Disable Fail2Ban – How-to Guide
    2. myLittleAdmin on Plesk opens insecure HTTP page
    3. Servers page redirects to Plesk main page: Dependent row(s) isn’t found
    4. Plesk staging WordPress | About
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Get featured on the Bobcares blog and share your expertise with a global tech audience.

WRITE FOR US

GET UP TO 25% OFF

Plesk Support

Spend time on your business, not on your servers.

Managing a server is time consuming. Whether you are an expert or a newbie, that is time you could use to focus on your product or service. Leave your server management & end-user tech support to us, and use that time to focus on the growth and success of your business.

TALK TO USOr click here to learn more.

Related Articles

  1. Plesk Disable Fail2Ban – How-to Guide
  2. myLittleAdmin on Plesk opens insecure HTTP page
  3. Servers page redirects to Plesk main page: Dependent row(s) isn’t found
  4. Plesk staging WordPress | About

Top Categories

Speed issues driving customers away?
We’ve got your back!

OPTIMIZE TODAY

Privacy Preference Center

Consent Management

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.

Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Privacy Policy

Required
By using this site, you agree to our Privacy Policy.

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

Cookies Used

Required
PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]

livechat.bobcares.com

Opt Out
PHPSESSID

my.bobcares.com

Opt Out
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

Cookies Used

_ga, _gat, _gid

google.com

Opt Out
_ga, _gat, _gid

manager.smartlook.com

Opt Out
smartlookCookie

clarity.microsoft.com

Opt Out
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

Cookies Used

IDE, test_cookie, 1P_JAR, NID, DV, NID

doubleclick.net

Opt Out
IDE, test_cookie

google.co.in

Opt Out
1P_JAR, NID, DV

google.com

Opt Out
NID

olark.com

Opt Out
hblid

rb2b.com

Opt Out
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

Cookies Used

SID, APISID, HSID, NID, PREF

google.com

Opt Out
SID, APISID, HSID, NID, PREF