[CentOS] Blocking attacks from a range of IP addresses

Sun Jan 12 21:17:56 UTC 2020
H <agents at meddatainc.com>

On 01/09/2020 02:09 PM, Pete Biggs wrote:
>>> As far as I can see fail2ban only deals with hosts and not networks - I
>>> suspect the issue is what is a "network": It may be obvious to you
>>> looking at the logs that these are all related, but you run the risk
>>> that getting denied accesses from, say, and and
>>> may be interpreted as a concerted attack and you banning half
>>> the internet - but that may not be a bad thing :-)
>> Since you can configure fail2ban to invoke scripts, I would think it
>> would be possible to get it to block CIDRs (variable size subnets, i.e.
>>  That said, I don't have a quick and easy implementation
>> on hand.
> The OP was looking for an automated way of fail2ban doing it - he had
> already sorted out the network range and had stopped this particular
> DoS attack. 
> P.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Correct. I appreciate all the replies but I used /etc/hosts.deny to deny this network range of attacks. Again, the reason that fail2ban failed to catch it was that the attacks were coming from a wide range of subnet addresses and were only caught by reviewing the log.

It would be nice, however, to have a fail2ban expression that allowed me to catch the /16 range of addresses needed here.