Hi! I usually use a primary ssh jail via f2b; on top of that I have a repeat offenders jail (usually a check on the f2b logs and rotation needs to be modified) over a long time.
https://wireflare.com/blog/permanently-ban-repeat-offenders-with-fail2ban/ this could be modified to block bigger pieces of the network. Sadly I have no direct example for you.
A suggestion is to look into, for instance, the ipsets from firehol. Unless you have a more targeted attack, using blocklists might be a good option.
Thing is, you might be at a point where any automation does more harm than good. It depends on what your service does. If it is your homelab with port 22 exposed, then just add big blocks or import firehol-1 and 99% of the attacks will be dropped. If it is a popular website and you are in need of blocking webbots, then more care needs to be taken.
My suggestion is:
Firehol + change ssh port (if that is the service in question) + ssh tarpit + repeat offenders
Regards
On Thu, Jan 9, 2020, 20:10 Pete Biggs pete@biggs.org.uk wrote:
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
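Both replies above point at the same gap: fail2ban bans single hosts, so escalating to a network block has to be done by something that reads its log and aggregates. The script below is an added example, not code from either poster or from fail2ban: it groups "Ban" events from a constructed fail2ban.log sample into /24 networks and only nominates a network once several distinct hosts from it have been banned, which avoids banning a whole /24 because one persistent host keeps getting re-banned. The ipset name `f2b-netban` is a hypothetical one; wiring the output into a fail2ban action or a cron job is left to the operator.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of fail2ban.log lines (documentation ranges, not real offenders).
SAMPLE_LOG = """\
2020-01-09 19:58:01,412 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.12
2020-01-09 19:58:44,003 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.77
2020-01-09 19:59:10,550 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.201
2020-01-09 20:01:30,119 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.5
2020-01-09 20:02:07,871 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.12
2020-01-09 20:03:55,000 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.12
2020-01-09 20:04:12,644 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.9
"""

# Matches only Ban events; "Unban" does not match because of the word boundary before "Ban".
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+\bBan\s+(?P<ip>\S+)")

def banned_hosts(log_text):
    """Yield (jail, ip_address) for every Ban line in a fail2ban log."""
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            yield m.group("jail"), ipaddress.ip_address(m.group("ip"))

def offending_networks(log_text, prefix_len=24, min_hosts=3):
    """Return the /prefix_len networks (as strings) with at least min_hosts
    *distinct* banned hosts. Repeat bans of one host count once, so a single
    stubborn attacker cannot drag its whole network into the ban."""
    hosts_by_net = defaultdict(set)
    for _jail, ip in banned_hosts(log_text):
        net = ipaddress.ip_network((ip, prefix_len), strict=False)
        hosts_by_net[net].add(ip)
    return sorted(str(n) for n, hosts in hosts_by_net.items() if len(hosts) >= min_hosts)

def ipset_commands(networks, setname="f2b-netban"):
    """Render ipset commands for the chosen networks (setname is hypothetical)."""
    return [f"ipset add {setname} {n} -exist" for n in networks]

if __name__ == "__main__":
    for cmd in ipset_commands(offending_networks(SAMPLE_LOG)):
        print(cmd)
```

Raising `prefix_len` to 16 with a higher `min_hosts` gives the "bigger pieces of the network" behaviour, at the cost Pete describes: unrelated hosts in the same range get caught too.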