On 01/09/2020 02:09 PM, Pete Biggs wrote: >>> As far as I can see fail2ban only deals with hosts and not networks - I >>> suspect the issue is what is a "network": It may be obvious to you >>> looking at the logs that these are all related, but you run the risk >>> that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and >>> 1.2.0.124 may be interpreted as a concerted attack and you banning half >>> the internet - but that may not be a bad thing :-) >>> >> Since you can configure fail2ban to invoke scripts, I would think it >> would be possible to get it to block CIDRs (variable size subnets, i.e. >> 12.12.0.0/20). That said, I don't have a quick and easy implementation >> on hand. > The OP was looking for an automated way of fail2ban doing it - he had > already sorted out the network range and had stopped this particular > DoS attack. > > P. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos Correct. I appreciate all the replies but I used /etc/hosts.deny to deny this network range of attacks. Again, the reason that fail2ban failed to catch it was that the attacks were coming from a wide range of subnet addresses and were only caught by reviewing the log. It would be nice, however, to have a fail2ban expression that allowed me to catch the /16 range of addresses needed here.