[CentOS] Blocking attacks from a range of IP addresses

Thu Jan 9 10:08:55 UTC 2020
Pete Biggs <pete at biggs.org.uk>

> Has anyone created a fail2ban filter for this type of attack? As of
> right now, I have manually banned a range of IP addresses but would
> like to automate it for the future.

As far as I can see fail2ban only deals with hosts and not networks - I
suspect the issue is what is a "network": It may be obvious to you
looking at the logs that these are all related, but you run the risk
that getting denied accesses from, say, and and may be interpreted as a concerted attack and you banning half
the internet - but that may not be a bad thing :-)

What I've done in times of trouble is to be a bit more aggressive in
why and how hosts are banned. It depends on how you are being attacked,
but setting the threshold to 1 or 2 failures resulting in a ban and
then setting the ban time to something fairly short. Repeat offenders
will then quickly be picked up by the recidive filter and permanently

A downside to this is that your firewall filters get very large and
things will inevitably slow down, but it will at least give you the
chance to manually block a whole range but still give you a level of
automated protection.