Symptoms
- Plesk pages load slowly or fail to load with the error:
502 Bad Gateway
- Many messages like the following may appear in /var/log/plesk/panel.log:
ERR [panel.ui] You have entered incorrect username or password.
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
- There is a large number of sw-engine processes:
# ps fax | grep sw-engine | wc -l
57
- The top command shows that the sw-cp-server process is using ~100% CPU:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
34409 sw-cp-s+ 20 0 58860 26840 5080 R 95.7 0.7 15:12.42 sw-cp-server:worker process
- There is a large number of network connections to Plesk panel ports from different IP addresses:
# ss -tan state established | grep ":8880\|:8443" | awk '{print $4}' | cut -d':' -f1 | sort -n | uniq -c | wc -l
Cause
Plesk ports 8443 and 8880 are under a DDoS attack.
Resolution
- Connect to your Plesk server via SSH.
- Activate Fail2Ban:
# plesk bin ip_ban --enable
- Enable the plesk-panel jail, which scans Plesk logs and blocks IP addresses that have failed to log in to Plesk after a specified number of attempts:
# plesk bin ip_ban --enable-jails plesk-panel
- Enable the recidive jail:
# plesk bin ip_ban --enable-jails recidive
- Change the number of failures before the IP address is banned from 5 (default) to 3:
# plesk bin ip_ban --update -max_retries 3
- Give Fail2Ban several minutes to ban unwanted IP addresses.
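
To check which addresses should end up banned, the following added example (not part of the original article or of Plesk) counts failed-login lines per source IP in the panel.log message format shown under Symptoms and lists those at or above the max_retries value of 3. The function names and the sample log lines are constructed for illustration, and the script assumes the source address is the last field of the line, as in the excerpt above.

```shell
#!/bin/sh
# Added example: count failed Plesk logins per source IP in a panel.log-style file.

# failed_logins_over LOGFILE [THRESHOLD]   (hypothetical helper name)
# Prints "COUNT IP" for each address at or above THRESHOLD, highest count first.
failed_logins_over() {
    log=$1
    threshold=${2:-3}   # 3 matches the max_retries value set in the steps above
    # The address is read from the END of the line only. The login name is
    # supplied by the client, so a name containing "' from IP x.x.x.x" must
    # not be counted as a failure from x.x.x.x.
    sed -n "s/.*Failed login attempt with login '.*' from IP *\([0-9A-Fa-f.:][0-9A-Fa-f.:]*\)[[:space:]]*\$/\1/p" "$log" |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $1, $2 }' |
        sort -k1,1nr -k2,2
}

# Constructed sample input (documentation-range addresses), not real log data.
sample_log() {
    cat <<'EOF'
ERR [panel.ui] You have entered incorrect username or password.
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
ERR [panel] [Action Log] Failed login attempt with login 'root' from IP 203.0.113.2
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 203.0.113.2
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 198.51.100.7
ERR [panel] [Action Log] Failed login attempt with login 'test' from IP 198.51.100.7
ERR [panel] [Action Log] Failed login attempt with login 'x' from IP 192.0.2.10' from IP 198.51.100.7
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 192.0.2.10
ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 192.0.2.10
EOF
}

# Stand-alone use: sh script.sh /var/log/plesk/panel.log [threshold]
if [ "$#" -gt 0 ]; then
    failed_logins_over "$@"
fi
```

On the constructed sample, 192.0.2.10 stays below the threshold because the line carrying its address inside the login name is attributed to 198.51.100.7, the address at the end of the line.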