Setting Up Real-Time Log Monitoring for Suspicious Traffic on Plesk Servers

Last Reviewed and Updated on October 10, 2024

1. Introduction

In today’s hosting environment, malicious bots and attackers constantly probe servers for vulnerabilities. On a Plesk server, real-time log monitoring is one of the most effective ways to detect suspicious traffic before it escalates into a security incident.

This guide walks through how to set up real-time log monitoring on a Plesk server using Fail2Ban, GoAccess, and custom Bash scripts. These tools help you stay alert, visualize traffic, and act immediately on anomalies.


2. Log Files of Interest on a Plesk Server

Before implementing monitoring tools, it’s important to know which logs to watch:

  • Apache/nginx logs, per domain. Plesk writes them to /var/www/vhosts/system/<domain>/logs/; /var/www/vhosts/<domain>/logs/ is a symlink to that directory, so the glob below reaches the same files:
    • /var/www/vhosts/*/logs/access_log and access_ssl_log (Apache, HTTP and HTTPS)
    • /var/www/vhosts/*/logs/proxy_access_log and proxy_access_ssl_log (nginx, when it runs as the reverse proxy in front of Apache)
    • /var/www/vhosts/*/logs/error_log and proxy_error_log
    • /var/log/httpd/access_log (RHEL-based) or /var/log/apache2/access.log (Debian/Ubuntu) for the server-wide Apache log
  • Plesk panel logs: /var/log/plesk/panel.log
  • Authentication logs: /var/log/secure or /var/log/auth.log
  • Fail2Ban logs: /var/log/fail2ban.log
  • Mail logs: /var/log/maillog or /var/log/mail.log

3. Tools for Real-Time Monitoring

3.1 Fail2Ban

Fail2Ban scans logs for regex-defined patterns and, when an address matches maxretry times within findtime, bans it with a firewall rule for bantime. It’s highly customizable and lightweight.

  • Install: Plesk bundles Fail2Ban as an extension (Tools & Settings > IP Address Banning (Fail2Ban)) with ready-made jails such as plesk-panel, plesk-postfix, plesk-dovecot and ssh. On a plain server use yum install fail2ban (needs the EPEL repository) or apt install fail2ban.
  • Enable jails in /etc/fail2ban/jail.local. Package updates overwrite jail.conf, so keep your overrides in jail.local or in a file under jail.d/.
  • Example jail for Plesk login abuse. The filter named here must exist as /etc/fail2ban/filter.d/plesk-login.conf with a failregex that matches the failed-login lines in panel.log; if it is missing, Fail2Ban logs an error and does not start the jail. Plesk's bundled plesk-panel jail already covers this case, so on a Plesk install extend that one rather than duplicating it:
    [plesk-login]
    enabled = true
    filter = plesk-login
    logpath = /var/log/plesk/panel.log
    maxretry = 5
    bantime = 3600
  • maxretry counts failures inside findtime (600 seconds unless you set it), so tune the two together, and confirm the jail is live with fail2ban-client status plesk-login.

3.2 GoAccess

GoAccess parses web server logs into a live HTML dashboard (or a terminal UI) showing top clients, requested paths, status codes and user agents.

  • Install: apt install goaccess, yum install goaccess (EPEL), or build from source for the current release.
  • Run in real-time (Plesk's per-domain access logs use the combined format):
    goaccess /var/www/vhosts/domain/logs/access_log -o /var/www/html/report.html --log-format=COMBINED --real-time-html
  • --real-time-html writes the page once and then pushes updates to the browser over a WebSocket (port 7890 by default), so that port must be reachable as well, or proxied with --ws-url behind your web server.
  • Open http://yourserver/report.html. The report exposes client IPs, paths and user agents, so serve it from a location that is not a customer's docroot and protect it with HTTP auth or a VPN.

3.3 Custom Bash Scripts

Use Bash for tailored monitoring scenarios.

Example: Detect repeated 404 errors from the same IP (log once per address when it reaches 20 misses):

#!/bin/bash
# Flag client IPs that request missing pages repeatedly.
# Combined log format: field 1 is the client IP, field 9 is the HTTP status.
declare -A count
tail -Fn0 /var/www/vhosts/domain/logs/access_log | while IFS= read -r line; do
  read -r -a f <<<"$line"
  [ "${f[8]}" = "404" ] || continue
  count[${f[0]}]=$(( ${count[${f[0]}]:-0} + 1 ))
  if [ "${count[${f[0]}]}" -eq 20 ]; then   # log once per IP, at the 20th 404
    echo "$(date '+%F %T'): ${f[0]} has requested 20 missing pages" >> /var/log/botwatch.log
  fi
done
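A per-IP counter that never resets will eventually flag every long-lived client, so what a practitioner usually wants is a rate: N misses inside a window. The script below is an added example written for this guide, not code from the original page; it reads combined-format lines (the format Plesk writes to access_log) on stdin and flags an IP once when it reaches THRESHOLD 404s inside WINDOW seconds. It assumes POSIX sh plus awk, and it keys the window on the time of day only, so a burst that straddles midnight is split into two windows. The sample traffic at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this guide (not code from the original page): a windowed
# 404-flood detector. Reads combined-format lines on stdin:
#   IP - - [dd/Mon/yyyy:HH:MM:SS +zone] "METHOD path HTTP/x" status size "referer" "agent"
# Assumptions: POSIX sh + awk; the window uses the time of day only.

# flag_404_floods [THRESHOLD] [WINDOW_SECONDS]
# Prints "IP COUNT" once when an IP crosses the threshold inside the window.
# Exits 0 if at least one IP was flagged, 1 otherwise.
flag_404_floods() {
  awk -v threshold="${1:-20}" -v window="${2:-60}" '
    $9 != "404" { next }                 # status is the 9th whitespace-separated field
    {
      # $4 is "[10/Oct/2024:12:00:05"; after splitting on ":" fields 2..4 are H, M, S
      split($4, t, ":")
      ts = t[2] * 3600 + t[3] * 60 + t[4]
      ip = $1
      # open a fresh window for this IP if none exists or the old one has expired
      if (!(ip in first) || ts - first[ip] >= window) { first[ip] = ts; n[ip] = 0 }
      if (++n[ip] == threshold) { print ip, n[ip]; fflush(); flagged = 1 }
    }
    END { exit flagged ? 0 : 1 }'
}

# Constructed sample traffic (not real logs): 203.0.113.9 probes 20 missing PHP
# files in 20 seconds; 198.51.100.7 is an ordinary visitor with one missing favicon.
SAMPLE_LOG=$(
  i=1
  while [ "$i" -le 20 ]; do
    printf '203.0.113.9 - - [10/Oct/2024:12:00:%02d +0000] "GET /wp-login%d.php HTTP/1.1" 404 196 "-" "curl/8.0"\n' "$i" "$i"
    i=$((i + 1))
  done
  printf '198.51.100.7 - - [10/Oct/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
  printf '198.51.100.7 - - [10/Oct/2024:12:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"\n'
)

# Run the constructed sample through the detector with the guide's settings
# (20 misses within 60 seconds) and return the report.
demo_flood_report() {
  printf '%s\n' "$SAMPLE_LOG" | flag_404_floods 20 60
}

demo_flood_report   # prints: 203.0.113.9 20
```

For live use, feed it every domain's log and hand the result to the jail from section 5: tail -qFn0 /var/www/vhosts/system/*/logs/access_log | flag_404_floods 20 60 | while read -r ip n; do fail2ban-client set nginx-404 banip "$ip"; done. The -q keeps tail from printing file headers between the log lines, and the fflush() in the awk program matters because awk block-buffers output when stdout is a pipe, which would delay every alert until the buffer filled.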

4. Putting It Together: A Real-World Setup

  1. Use Fail2Ban for active blocking.
  2. GoAccess for real-time traffic visualization.
  3. Scripts for specific detection not covered by other tools.

Run the watchers as systemd services so they restart on failure and start at boot; screen/tmux is fine for a one-off investigation but not for anything you rely on.


5. Sample Configurations & Scripts

Fail2Ban filter for 404 floods

/etc/fail2ban/filter.d/nginx-404.conf. The regex anchors on the status that follows the request line and on the response size that follows the status, so a "404" inside a path, referer or user agent does not count. Apache logs the size as "-" for HEAD and empty responses, hence the alternative:

[Definition]
failregex = ^<HOST> - [^"]*"(GET|POST|HEAD) [^"]*" 404 ([0-9]+|-)
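Before enabling a filter like this one (and as section 7 advises, before enabling any new regex), check it against real lines. The authoritative tool is fail2ban-regex, run on the server as fail2ban-regex /var/www/vhosts/system/example.com/logs/access_log /etc/fail2ban/filter.d/nginx-404.conf. The helper below is an added example written for this guide, not part of Fail2Ban, for a workstation that has no fail2ban-regex: it swaps a plain IPv4/IPv6 character class in for the <HOST> tag and counts matches per address, which is enough to catch a filter that matches nothing or matches everything. Fail2Ban's own <HOST> expansion and date handling are richer than this shortcut. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not part of Fail2Ban or of the original guide): offline check of
# a failregex against sample log lines. Assumes POSIX sh, grep -E, sed and awk.

# Anchored nginx-404 filter from the guide: the 404 must be the status after the
# request line and must be followed by the response size ("-" for empty responses).
FAILREGEX='^<HOST> - [^"]*"(GET|POST|HEAD) [^"]*" 404 ([0-9]+|-)'

# f2b_hits [MAXRETRY]
# Reads log lines on stdin, prints "HOST HITS" per matching host (most hits first)
# and exits 0 if any host reached MAXRETRY, i.e. would be banned by a jail using
# this filter with that maxretry inside one findtime.
f2b_hits() {
  maxretry=${1:-5}
  # Turn the Fail2Ban tag into a POSIX ERE. The regex starts with <HOST>, so the
  # address is always the first whitespace-separated field of a matching line.
  ere=$(printf '%s' "$FAILREGEX" | sed 's/<HOST>/([0-9A-Fa-f.:]+)/')
  grep -E "$ere" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
    awk -v m="$maxretry" '{ print $2, $1; if ($1 >= m) hit = 1 } END { exit hit ? 0 : 1 }'
}

# Constructed sample lines (not real traffic): six 404s from a scanner, one 404
# from a normal visitor, and 200/403 lines that must not count. The 200 line with
# "404" in its path checks that the anchoring works.
SAMPLE_LOG='203.0.113.9 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:12:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:12:00:03 +0000] "POST /vendor/phpunit/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:12:00:03 +0000] "HEAD /backup.zip HTTP/1.1" 404 - "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:07 +0000] "GET /404-page-design/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2024:12:00:08 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Report for the sample with maxretry = 5: the scanner would be banned, the visitor not.
demo_f2b_report() {
  printf '%s\n' "$SAMPLE_LOG" | f2b_hits 5
}

demo_f2b_report   # prints: 203.0.113.9 6 / 198.51.100.7 1
```

Pair the filter with a jail in jail.local along these lines: [nginx-404] with enabled = true, filter = nginx-404, logpath = /var/www/vhosts/system/*/logs/access_log (add proxy_access_log when nginx fronts Apache), findtime = 60, maxretry = 20, bantime = 3600, and an ignoreip list containing 127.0.0.1/8, your monitoring hosts and any CDN or office NAT addresses. The generous maxretry is deliberate: ordinary visitors generate a steady trickle of 404s (favicons, stale links, browser probes for well-known URLs), and a shared address that gets banned takes every user behind it offline.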

Systemd service for the bash script. Save it as /etc/systemd/system/botwatch.service, make the script executable (chmod 700 /usr/local/bin/botwatch.sh) and activate it with systemctl daemon-reload && systemctl enable --now botwatch:

[Unit]
Description=Custom Bot Watcher
After=network.target

[Service]
ExecStart=/usr/local/bin/botwatch.sh
Restart=always

[Install]
WantedBy=multi-user.target

6. Monitoring & Response Workflow

  • Daily: Check GoAccess or tail logs.
  • Weekly: Review Fail2Ban ban lists.
  • On alert: Inspect log excerpts and take manual action.

Optional: Use Slack webhooks or Telegram bots for instant alerts.
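A webhook call is one line of curl; what makes it usable is throttling, so a scanner produces one message per cooldown instead of one per request, and proper JSON escaping, because the alert text usually carries log excerpts and request paths and user agents are attacker-controlled. The helper below is an added example written for this guide, not code from the original page. It assumes a Slack-style incoming webhook URL in ALERT_WEBHOOK_URL (a hypothetical endpoint; nothing is sent during the demonstration), a writable state directory, and single-line messages.

```shell
#!/bin/sh
# Added example for the "On alert" step (not from the original guide): throttled,
# JSON-safe webhook alerts. Assumes POSIX sh, curl, and a Slack-style incoming
# webhook in ALERT_WEBHOOK_URL (hypothetical; no real endpoint is used here).

ALERT_STATE=${ALERT_STATE:-/run/botwatch}   # one timestamp file per alert key
ALERT_COOLDOWN=${ALERT_COOLDOWN:-900}       # seconds between repeat alerts for a key

# alert_allowed KEY
# Returns 0 and records the time if no alert for KEY was sent within the cooldown,
# 1 if the alert should be suppressed. KEY is typically the offending IP.
alert_allowed() {
  key=$1
  [ -n "$key" ] || return 1
  now=$(date +%s)
  mkdir -p "$ALERT_STATE"
  # sanitise the key so a hostile value cannot turn into a path like ../../etc/x
  f="$ALERT_STATE/$(printf '%s' "$key" | tr -c 'A-Za-z0-9.:' '_')"
  if [ -f "$f" ] && [ $(( now - $(cat "$f") )) -lt "$ALERT_COOLDOWN" ]; then
    return 1
  fi
  printf '%s' "$now" > "$f"
}

# alert_payload TEXT
# Prints the JSON body for the webhook, escaping backslashes and double quotes
# and folding newlines to spaces so a log excerpt cannot break out of the string.
alert_payload() {
  text=$(printf '%s' "$1" | tr '\n' ' ' | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"text":"%s"}' "$text"
}

# send_alert KEY TEXT
# Posts the alert if the cooldown allows it; returns 1 when throttled.
send_alert() {
  alert_allowed "$1" || return 1
  curl -sS -X POST -H 'Content-Type: application/json' \
    --data "$(alert_payload "$2")" "${ALERT_WEBHOOK_URL:?set ALERT_WEBHOOK_URL first}" >/dev/null
}

# Typical call from the 404 watcher (not executed here):
#   send_alert "$ip" "$ip requested 20 missing pages on example.com"
```

Keep ALERT_STATE on a tmpfs such as /run so the cooldown resets on reboot, and treat a throttled return code as normal operation rather than an error when you wire this into a watcher loop.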


7. Performance Considerations

  • Use log rotation (logrotate) to prevent disk issues. Plesk rotates the per-domain logs on its own schedule, and both Fail2Ban and tail -F follow a rotated file, but logs your own scripts create (such as /var/log/botwatch.log) need a logrotate entry of their own.
  • Avoid overly aggressive regex in Fail2Ban filters: every line of a watched log is tested against every failregex of every jail that follows it, so unanchored patterns full of .* cost CPU on busy servers and invite false positives. Test new filters with fail2ban-regex before enabling them.
  • Test scripts in non-production first.

8. Security Best Practices

  • Always restrict access to dashboards.
  • Limit script permissions (chmod 700).
  • Retain logs only as long as needed.

9. Conclusion

Real-time log monitoring equips you with the tools to detect and stop threats quickly. In a Plesk environment, combining Fail2Ban, GoAccess, and custom scripting gives sysadmins a powerful toolkit to stay proactive.

These techniques are just one part of a broader hardening strategy — consider integrating them with your ServerGuardian setup.

