What Fail2Ban Protects Against
Plesk includes Fail2Ban as a built-in security component. It monitors log files for authentication failures and temporarily bans source IPs that exceed a threshold. This protects against:
- SSH brute-force (repeated failed SSH logins)
- FTP brute-force (ProFTPD, vsftpd, Pure-FTPd)
- Email brute-force (IMAP, POP3, SMTP authentication failures)
- Plesk panel login attacks
- WordPress wp-login.php brute-force
- Postfix SASL authentication failures
Fail2Ban is effective for these threats. Each attack produces log entries, Fail2Ban matches them against regex patterns, and the offending IP gets banned for a configurable period.
What Fail2Ban Does Not Protect Against
A DDoS attack does not produce failed login entries in log files. A 500K PPS UDP flood does not try to authenticate. It sends raw packets to overwhelm your network. Fail2Ban never sees it because there is nothing in any log file to trigger a ban.
Even DDoS attacks that target application ports (HTTP floods to port 80/443) often do not produce authentication failures. They send valid HTTP requests that the web server logs as normal 200 OK responses. Fail2Ban has no regex to match "too many successful requests."
Fail2Ban also operates IP-by-IP. A distributed DDoS from 50,000 source IPs, each sending just 10 packets per second, would need Fail2Ban to ban 50,000 IPs individually. By the time it processes all those log entries (if they even appear in logs), your server is already overwhelmed.
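The contrast drawn in this section, as an added example (not code from Fail2Ban, Plesk or Flowtriq): a simplified per-IP counter in the style of Fail2Ban's maxretry/findtime, run over constructed log lines, beside a generic aggregate-rate check. The log format, regexes, thresholds and function names are assumptions made for illustration, and the aggregate check is not Flowtriq's detection method.

```python
import re
from collections import defaultdict, deque

# Simplified stand-ins for filter regexes; Fail2Ban's shipped filters are more elaborate.
FAIL_RE = re.compile(r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port \d+")
HTTP_RE = re.compile(r'^(?P<ts>\d+) (?P<ip>\S+) "GET \S+ HTTP/1\.1" (?P<status>\d{3})')

def per_ip_bans(lines, pattern=FAIL_RE, maxretry=5, findtime=600):
    """Fail2Ban-style logic: ban an IP once maxretry matching lines fall within findtime seconds."""
    hits, banned = defaultdict(deque), set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue  # a line that matches no pattern is invisible to this model
        ts, ip = int(m["ts"]), m["ip"]
        window = hits[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop hits older than the findtime window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

def aggregate_alerts(lines, baseline_rps=50, factor=10):
    """Generic aggregate check: return the seconds whose total requests exceed factor x baseline."""
    per_second = defaultdict(int)
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            per_second[int(m["ts"])] += 1
    return sorted(s for s, n in per_second.items() if n > baseline_rps * factor)

def sample_logs():
    """Constructed sample data; addresses come from reserved test ranges."""
    ssh = [f"{1000 + i} sshd[411]: Failed password for root from 203.0.113.5 port 22 ssh2"
           for i in range(6)]
    # 2,000 distinct sources, one successful request each, all in the same second
    flood = [f'2000 198.18.{i // 250}.{i % 250 + 1} "GET / HTTP/1.1" 200' for i in range(2000)]
    return ssh, flood

if __name__ == "__main__":
    ssh, flood = sample_logs()
    print("brute-force bans:", per_ip_bans(ssh))
    print("flood bans (failure regex):", per_ip_bans(flood))
    print("flood bans (counting every request per IP):", per_ip_bans(flood, pattern=HTTP_RE))
    print("seconds over aggregate threshold:", aggregate_alerts(flood))
```

The single brute-force source is banned on its fifth failure, while the distributed flood yields no bans under either pattern because no individual source reaches the per-IP threshold.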
How They Work Together
Attack Type           Fail2Ban   Flowtriq
----------------------------------------------------------
SSH brute force       Detects    Ignores (low PPS)
SMTP auth attack      Detects    Ignores (low PPS)
WP login flood        Detects    Ignores (low PPS)
UDP flood 500K PPS    Blind      Detects in <1 sec
SYN flood             Blind      Detects in <1 sec
DNS amplification     Blind      Detects in <1 sec
HTTP flood (L7)       Partial    Detects (rate anomaly)
Slowloris             Blind      Detects (connection rate)
Together, they cover the full threat spectrum: Fail2Ban handles credential attacks. Flowtriq handles volumetric attacks. Neither tool interferes with the other.
Installation on Plesk
Fail2Ban is already configured in Plesk. For Flowtriq, install ftagent on the Plesk server:
    pip install ftagent
    sudo ftagent --setup
ftagent uses its own iptables chain (FTAGENT) and does not modify Fail2Ban's chains (f2b-*). Both tools manage iptables rules independently. Verify:
    iptables -L -n | grep "Chain f2b"
    # Shows Fail2Ban chains: f2b-sshd, f2b-plesk-panel, etc.
    iptables -L -n | grep "Chain FTAGENT"
    # Shows Flowtriq chain: FTAGENT
Plesk-Specific Configuration
Register Plesk service ports so ftagent knows what traffic is legitimate:
Service Ports:
    80/tcp, 443/tcp    - Web traffic (Nginx/Apache)
    8443/tcp           - Plesk panel
    8447/tcp           - Plesk updates
    22/tcp             - SSH
    21/tcp             - FTP
    25/tcp, 465/tcp    - SMTP
    110/tcp, 995/tcp   - POP3
    143/tcp, 993/tcp   - IMAP
    3306/tcp           - MySQL (if exposed)
With these configured, the agent builds per-protocol baselines for your Plesk server. A sudden UDP flood on port 53 (DNS amplification) immediately deviates from the baseline and triggers detection.
FAQ
Does Flowtriq work with Plesk on Windows?
ftagent requires Linux. Plesk Obsidian on Windows Server is not supported. Plesk on Linux (Ubuntu, Debian, CentOS, AlmaLinux) is fully supported.
Can Fail2Ban handle DDoS if I tune the settings?
No. Fail2Ban fundamentally works by parsing log files for regex matches. Volumetric DDoS attacks do not produce log entries that Fail2Ban can match. Even with custom jails and aggressive settings, the architecture is wrong for the problem.
What about Plesk's built-in Firewall extension?
The Plesk Firewall extension provides basic iptables management (open/close ports, allow/deny IPs). It does not provide DDoS detection, baselines, or automated mitigation. It is complementary to both Fail2Ban and Flowtriq.
Layer DDoS detection on your Plesk server. Keep Fail2Ban for brute-force protection. Add Flowtriq for volumetric DDoS detection with automated response.