On 01/09/2020 02:09 PM, Pete Biggs wrote:
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Correct. I appreciate all the replies but I used /etc/hosts.deny to deny this network range of attacks. Again, the reason that fail2ban failed to catch it was that the attacks were coming from a wide range of subnet addresses and were only caught by reviewing the log.
It would be nice, however, to have a fail2ban expression that allowed me to catch the /16 range of addresses needed here.
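Since fail2ban counts failures per source host, the gap described above (each host trips once, the /16 as a whole is the attack) can be closed with a small log pass that groups failed-login sources by network prefix instead. The script below is an added illustration, not code from the thread or from the fail2ban project; the sshd log lines are constructed, and the hosts_access(5) net/mask output format matches what /etc/hosts.deny accepts.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample sshd log (not from the thread): four distinct hosts spread
# across 203.0.0.0/16, each failing only once, so a per-host count never reaches
# any sensible threshold while the /16 as a whole is clearly the source.
SAMPLE_LOG = """\
Jan  9 14:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan  9 14:01:05 host sshd[1203]: Failed password for root from 203.0.114.9 port 40112 ssh2
Jan  9 14:01:09 host sshd[1207]: Failed password for invalid user test from 203.0.200.17 port 33002 ssh2
Jan  9 14:01:15 host sshd[1210]: Failed password for invalid user oracle from 203.0.77.250 port 60123 ssh2
Jan  9 14:02:00 host sshd[1222]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jan  9 14:02:30 host sshd[1230]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")


def failed_hosts(log_text):
    """Source IPs (repeats kept) taken from 'Failed password' lines only."""
    ips = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def hosts_per_network(ips, prefixlen):
    """Map each /prefixlen network to the set of distinct failing hosts inside it."""
    groups = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net].add(ip)
    return groups


def noisy_networks(log_text, prefixlen=16, min_hosts=3):
    """Networks from which at least min_hosts distinct hosts produced failures."""
    groups = hosts_per_network(failed_hosts(log_text), prefixlen)
    return sorted(str(net) for net, hosts in groups.items() if len(hosts) >= min_hosts)


def hosts_deny_lines(networks):
    """Render networks as hosts_access(5) 'net/mask' entries for /etc/hosts.deny."""
    return [f"ALL: {n.network_address}/{n.netmask}" for n in map(ipaddress.ip_network, networks)]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(noisy_networks(SAMPLE_LOG))))
```

Run against the same log with prefixlen=24 nothing is reported, which is exactly why a per-host or per-/24 view missed this one; only the /16 aggregation surfaces it.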