[CentOS] Blocking attacks from a range of IP addresses

Fri Jan 10 07:59:20 UTC 2020
Joakim Dellrud <joakim at dellrud.se>

Hi!
I usually use a primary ssh jail via f2b, on top of that I have a repeat
offenders (usually a check on the f2b logs and rotation needs to be
modified) over a long time.

https://wireflare.com/blog/permanently-ban-repeat-offenders-with-fail2ban/
this could be modified to block bigger pieces of the network. Sadly I have
no direct example for you.

A suggestion is to look into for instance the ipsets from firehol. Unless
you have a more targeted attack using blocklists might be a good option.

Thing is, you might be at a point where any automation does more harm than
good. It depends on what your service does. If it is your homelab with port
22 exposed, then just add big blocks or import firehol-1 and 99% of the
attacks will be dropped. If it is a popular website and you are in need of
blocking web bots then more care needs to be taken.

My suggestion is:

Firehol+change ssh port (if that is the service in question)+ssh
tarpit+repeat offenders

Regards




On Thu, Jan 9, 2020, 20:10 Pete Biggs <pete at biggs.org.uk> wrote:

>
> > > >
> > > As far as I can see fail2ban only deals with hosts and not networks - I
> > > suspect the issue is what is a "network": It may be obvious to you
> > > looking at the logs that these are all related, but you run the risk
> > > that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and
> > > 1.2.0.124 may be interpreted as a concerted attack and you banning half
> > > the internet - but that may not be a bad thing :-)
> > >
> >
> > Since you can configure fail2ban to invoke scripts, I would think it
> > would be possible to get it to block CIDRs (variable size subnets, i.e.
> > 12.12.0.0/20).  That said, I don't have a quick and easy implementation
> > on hand.
>
> The OP was looking for an automated way of fail2ban doing it - he had
> already sorted out the network range and had stopped this particular
> DoS attack.
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
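As an added example (not from this thread, fail2ban or firehol), a small POSIX shell script of the kind the quoted reply says fail2ban could invoke: it aggregates already-banned hosts into /24 networks and adds a range to an ipset only once it holds several distinct offenders, so a single noisy host never bans a whole block. The set name, the threshold, the one-week timeout and the sample addresses are assumptions for the demonstration.

```shell
#!/bin/sh
# Aggregate banned hosts into /24 networks and optionally ban the whole
# range via ipset once a network holds enough distinct offending hosts.

# Print "a.b.c.0/24" for every /24 containing at least $1 distinct
# banned IPv4 addresses read from stdin (one address per line).
aggregate_nets() {
    threshold="${1:-3}"
    sort -u | awk -F. -v t="$threshold" '
        NF == 4 { n[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (k in n) if (n[k] >= t) print k }
    ' | sort
}

# Add each network read from stdin to a hash:net ipset with a timeout.
# An iptables/nftables rule must reference the set for it to take effect.
# Commands only run when APPLY_BANS=1, so the aggregation can be reviewed
# first; otherwise the intended action is printed.
ban_nets() {
    setname="${1:-f2b-repeat-nets}"   # assumed set name
    timeout="${2:-604800}"            # one week, in seconds
    while read -r net; do
        [ -n "$net" ] || continue
        if [ "${APPLY_BANS:-0}" = 1 ]; then
            ipset create "$setname" hash:net timeout "$timeout" -exist
            ipset add "$setname" "$net" timeout "$timeout" -exist
        else
            echo "would ban $net in set $setname (set APPLY_BANS=1 to apply)"
        fi
    done
}

# Constructed sample of banned addresses (RFC 5737 documentation ranges).
# In practice feed the addresses fail2ban has banned, e.g. from its log.
SAMPLE_BANS='203.0.113.5
203.0.113.77
203.0.113.201
198.51.100.9
198.51.100.10
192.0.2.1'

# Only 203.0.113.0/24 reaches three distinct banned hosts here.
printf '%s\n' "$SAMPLE_BANS" | aggregate_nets 3 | ban_nets
```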