On Thu, Jan 9, 2020 at 6:07 AM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi,
I am not an expert, but you can try creating an ipset with the range you need and do a drop in iptables or firewalld. We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS 7. fail2ban also uses ipsets in CentOS 7.
thanks -- Lee
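
One way to automate the ipset approach suggested above, as an added example that is not part of the original messages: count failures per /16 instead of per address, then print the ipset and iptables commands for any network over a threshold. The sshd-style log format, the set name `blocked_nets`, the threshold and the sample addresses (constructed, from the 198.18.0.0/15 benchmarking range) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: sshd-style log lines,
# a /16 grouping, the set name "blocked_nets" and the threshold used below.

# Constructed sample: five addresses in one /16, one failure each, so a
# per-address threshold never fires; plus one unrelated address.
sample_log() {
    cat <<'EOF'
Jan  9 05:58:01 host sshd[1201]: Failed password for invalid user admin from 198.18.3.44 port 40112 ssh2
Jan  9 05:58:09 host sshd[1203]: Failed password for root from 198.18.17.9 port 51420 ssh2
Jan  9 05:58:15 host sshd[1207]: Failed password for invalid user test from 198.18.40.201 port 33810 ssh2
Jan  9 05:58:22 host sshd[1210]: Failed password for root from 198.18.99.5 port 47002 ssh2
Jan  9 05:58:30 host sshd[1214]: Failed password for invalid user oracle from 198.18.200.77 port 39114 ssh2
Jan  9 05:59:02 host sshd[1220]: Failed password for lee from 192.0.2.10 port 50022 ssh2
Jan  9 05:59:10 host sshd[1222]: Failed password for lee from 192.0.2.10 port 50030 ssh2
Jan  9 05:59:12 host sshd[1223]: Accepted password for lee from 192.0.2.10 port 50031 ssh2
EOF
}

# Read log lines on stdin; print each /16 with at least $1 failures in total.
noisy_nets() {
    grep -oE 'Failed password .* from ([0-9]{1,3}\.){3}[0-9]{1,3}' |
        awk -v t="$1" '{ split($NF, o, "."); n[o[1] "." o[2] ".0.0/16"]++ }
            END { for (net in n) if (n[net] >= t) print net }' | sort
}

# Read networks on stdin; print (not run) the ipset/iptables commands.
block_commands() {
    echo "ipset -exist create $1 hash:net"
    while read -r net; do
        echo "ipset -exist add $1 $net"
    done
    # Only insert the DROP rule if it is not already present.
    echo "iptables -C INPUT -m set --match-set $1 src -j DROP 2>/dev/null ||" \
         "iptables -I INPUT -m set --match-set $1 src -j DROP"
}

# Stand-alone run: show what would be executed for the sample log.
sample_log | noisy_nets 5 | block_commands blocked_nets
```

The counting window is whatever slice of the log is fed in, so pass only recent lines. A /16 covers 65,536 addresses, so review the printed commands before running them.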