Plesk pages load slowly or fail to load when there are a lot of external connect

Started by senthil, May 27, 2025, 01:36 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

senthil

May 27, 2025, 01:36 AM
Symptoms

  • Plesk pages load slowly or fail to load with the error:
    Code Select
    502 Bad Gateway
  • A lot of messages like below may appear in /var/log/plesk/panel.log:
    Code Select
    ERR [panel.ui] You have entered incorrect username or password.
    ERR [panel] [Action Log] Failed login attempt with login 'admin'
    from IP203.0.113.2
  • There is a large number of sw-engine processes:
    Code Select
    # ps fax | grep sw-engine | wc -l
    57
  • The top command shows that sw-cp-server process loads CPU at ~100%:
    Code Select
    PID     USER    PR NI  VIRT   RES    SHR  S  %CPU  %MEM TIME+ COMMAND
    34409 sw-cp-s+  20  0  58860  26840  5080 R  95.7  0.7  15:12.42
    sw-cp-server:worker process
  • There is a large number of network connections to Plesk panel ports from different IP
    addresses:
    Code Select
    # ss -tan state established | grep ":8880\|:8443" | awk '{print
    $4}'| cut -d':' -f1| sort -n | uniq -c | wc -l

Cause
Plesk ports 8443 and 8880 are under a DDoS attack.

Resolution
  • Connect to your Plesk server via SSH.
  • Activate Fail2Ban:
    Code Select
    #plesk bin ip_ban --enable
  • Enable plesk-panel jail - it scans Plesk logs and blocks IP addresses that have failed to log
    in to Plesk after a specified number of attempts.
    Code Select
    #plesk bin ip_ban --enable-jails plesk-panel
  • Enable recidive jail:
    Code Select
    #plesk bin ip_ban --enable-jails recidive
  • Change the number of failures before the IP address is banned from 5 (default) to 3:
    Code Select
    #plesk bin ip_ban --update -max_retries 3
  • Give Fail2Ban several minutes to ban unwanted IP addresses.
Print
Go Up Pages1
User actions