I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
On Wed, Jan 8, 2020 at 5:37 PM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Tough one.
Not the solution you’re looking for, but until you have a solution, block the whole range in iptables.
I have experience block DDoS atacks. Contac White me in prived. If you have intereses.
El mié., 8 ene. 2020 8:45 p. m., Keith Christian keith1christian@gmail.com escribió:
On Wed, Jan 8, 2020 at 5:37 PM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off
of
a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Tough one.
Not the solution you’re looking for, but until you have a solution, block the whole range in iptables. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Wed, Jan 8, 2020 at 7:06 PM one_Person_on_the_World daycom021@gmail.com wrote:
I have experience block DDoS atacks. Contac White me in prived. If you have intereses.
El mié., 8 ene. 2020 8:45 p. m., Keith Christian < keith1christian@gmail.com> escribió:
On Wed, Jan 8, 2020 at 5:37 PM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of
the
IP address remain identical but the last two parts vary sufficiently
that
it is not caught by fail2ban since the attempts do not meet the cut-off
of
a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of
right
now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Tough one.
Not the solution you’re looking for, but until you have a solution, block the whole range in iptables. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/ https://lists.centos.org/mailman/listinfo/centos
one_Person_on_the_World,
Contact the original poster. I replied to him.
I write my own firewall rules etc. But thank you for the offer.
On Thu, Jan 9, 2020 at 6:07 AM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi,
I am not an expert but, you can try creating an ipset with the the range you need and do a drop in iptables or firewalld. We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS 7. fail2ban also uses ipsets in CentOS 7.
thanks -- Lee
Hi,
You can drop it before FW with blackhole route.
DH
čt 9. 1. 2020 v 7:21 odesílatel Thomas Stephen Lee lee.iitb@gmail.com napsal:
On Thu, Jan 9, 2020 at 6:07 AM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off
of
a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi,
I am not an expert but, you can try creating an ipset with the the range you need and do a drop in iptables or firewalld. We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS 7. fail2ban also uses ipsets in CentOS 7.
thanks
Lee _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Thu, Jan 09, 2020 at 11:49:59AM +0530, Thomas Stephen Lee wrote:
On Thu, Jan 9, 2020 at 6:07 AM H agents@meddatainc.com wrote:
I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time.
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi,
I am not an expert but, you can try creating an ipset with the the range you need and do a drop in iptables or firewalld. We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS 7. fail2ban also uses ipsets in CentOS 7.
Ditto, both in C6 and C7.
jl
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
What I've done in times of trouble is to be a bit more aggressive in why and how hosts are banned. It depends on how you are being attacked, but setting the threshold to 1 or 2 failures resulting in a ban and then setting the ban time to something fairly short. Repeat offenders will then quickly be picked up by the recidive filter and permanently banned.
A downside to this is that your firewall filters get very large and things will inevitably slow down, but it will at least give you the chance to manually block a whole range but still give you a level of automated protection.
P.
On 1/9/20 2:08 AM, Pete Biggs wrote:
Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
What I've done in times of trouble is to be a bit more aggressive in why and how hosts are banned. It depends on how you are being attacked, but setting the threshold to 1 or 2 failures resulting in a ban and then setting the ban time to something fairly short. Repeat offenders will then quickly be picked up by the recidive filter and permanently banned.
A downside to this is that your firewall filters get very large and things will inevitably slow down, but it will at least give you the chance to manually block a whole range but still give you a level of automated protection.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
One thing that has proven useful to me in dealing with these kind of attacks is to lookup the route for the specified IP address in the Internet routing tables and then block the entire CIDR block. You can also determine which autonomous system (AS number) the attack is coming from and block other routes owned by that provider. Other options include determining the GEOIP location, i.e. country of origin of the attacks and block by country.
"whois 12.12.12.12" will also provide useful information about the CIDR block that you are dealing with.
To look up routes on the Internet, connect to one of the route views servers, such as this:
$ telnet route-server.ip.att.net
Follow login instructions provided in login banner, then give the command:
show route 12.12.12.12
and it will show you that this IP is part of the larger cidr block 12.12.0.0/20. So block 12.12.0.0/20 instead of just one IP (assuming your attacks are coming from a particular block.
You'll have to consider weather the cidr block that you are considering blocking will impact your users or not.
The att route-server is a juniper. Some route servers are Cisco's and there you would use commands like:
show ip route 12.12.12.12
or
show ip bgp 12.12.12.12
An example of a cisco based route server would be to:
telnet route-views.routeviews.org
http://routeviews.org/ lists a bunch of route views servers down near the bottom, which appear to be accessable by telnet. Note, quagga based route servers are open source immitations of the Cisco command interface and have similar commands to the cisco's.
Nataraj
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack.
P.
Hi! I usually use a primary ssh jail via f2b, ontop of that I have a reapeat offenders (usually a check on the f2b logs and rotation needs to be modified) over a long time.
https://wireflare.com/blog/permanently-ban-repeat-offenders-with-fail2ban/ this could be modified to block bigger pieces of the network. Sadly I have no direct example for you.
A suggestion is to look into for instance the ipsets from firehol. Unless you have a more targeted attack using blocklists might be a good option.
Thing is, you might be at a point were any automation does more harm then good. It depends on what your service does. If it is your homelab with port 22 exposed, the just add big blocks or import firehol-1 and 99% of the attacks will be dropped. If it is a popular website and you are in need of blocking webbots then more care needs to be taken.
My suggestion is:
Firehol+change ssh port (if that is the service in question)+ssh tarpit+repeat offenders
Regards
On Thu, Jan 9, 2020, 20:10 Pete Biggs pete@biggs.org.uk wrote:
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 01/09/2020 02:09 PM, Pete Biggs wrote:
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)
Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.
The OP was looking for an automated way of fail2ban doing it - he had already sorted out the network range and had stopped this particular DoS attack.
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Correct. I appreciate all the replies but I used /etc/hosts.deny to deny this network range of attacks. Again, the reason that fail2ban failed to catch it was that the attacks were coming from a wide range of subnet addresses and were only caught by reviewing the log.
It would be nice, however, to have a fail2ban expression that allowed me to catch the /16 range of addresses needed here.
-
David Hrbáč -
H -
Joakim Dellrud -
Jon LaBadie -
Keith Christian -
Nataraj -
one_Person_on_the_World -
Pete Biggs -
Thomas Stephen Lee