[CentOS] hosts.deny, fail2ban etc.

Wed Aug 4 22:24:42 UTC 2021
H <agents at meddatainc.com>

On 07/27/2021 05:17 PM, Pete Biggs wrote:
> On Tue, 2021-07-27 at 16:43 -0400, H wrote:
>>> Running CentOS 7. I was under the impression - seemingly mistaken -
>>> that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.*
>>> would ban all attempts from that network segment to connect to the
>>> server, i.e. before fail2ban would (eventually) ban connection
>>> attempts.
>> This, however, does not seem correct and I could use a pointer to
>> correct my misunderstanding. How is hosts.deny used and what have I
>> missed?
> hosts.deny is only used by specific programs that use TCP wrappers. It
> is not a general "deny this host access".
>
> Also note that fail2ban operates on individual hosts, not subnets.
>
>> Is it necessary to run:
>>
>>  iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>
>> to drop incoming connection attempts from that subnet?
>>
> If you use iptables yes, probably.  Firewalld has a specific drop zone
> that you can use:
>
>   firewall-cmd --zone=drop --add-source=aaa.bbb.ccc.0/24
>
> (with suitable --permanent flag if you want it permanent).
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Noted, I am using iptables.
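The thread makes two points worth turning into something you can run: /etc/hosts.deny is only consulted by daemons linked against libwrap (TCP wrappers), so a subnet you expect to block there must instead be dropped at the packet filter, and the hosts.deny wildcard notation ("aaa.bbb.ccc.*") has to be rewritten as a CIDR prefix before iptables or firewall-cmd will accept it. The script below is an added example, not something posted in the thread. It assumes the documentation range 192.0.2.0/24 as a constructed sample subnet, that ldd is available for the libwrap check, and that sshd is a daemon you might want to test (on CentOS 7 the packaged sshd is built with libwrap; other daemons may not be).

```shell
#!/bin/sh
# Added example, not from the CentOS list thread. Translates a TCP-wrappers
# style hosts.deny client pattern into CIDR form, prints the equivalent
# packet-filter rules, and checks whether a daemon consults hosts.deny at all.

# wrapper_pattern_to_cidr "1.2.3.*"  -> 1.2.3.0/24
# wrapper_pattern_to_cidr "1.2.*"    -> 1.2.0.0/16
# wrapper_pattern_to_cidr "1.*"      -> 1.0.0.0/8
# wrapper_pattern_to_cidr "1.2.3.4"  -> 1.2.3.4/32
# Anything else is rejected; hosts.deny also accepts netmask and hostname
# forms, which this helper deliberately does not try to convert.
wrapper_pattern_to_cidr() {
    pat=$1
    case "$pat" in
        *.*.*.\*) printf '%s.0/24\n' "${pat%".*"}" ;;
        *.*.\*)   printf '%s.0.0/16\n' "${pat%".*"}" ;;
        *.\*)     printf '%s.0.0.0/8\n' "${pat%".*"}" ;;
        *.*.*.*)  printf '%s/32\n' "$pat" ;;
        *)        printf 'unsupported hosts.deny pattern: %s\n' "$pat" >&2
                  return 1 ;;
    esac
}

# Print the two equivalent ways of dropping the whole subnet at the packet
# filter, which is what the thread concludes is needed because the kernel
# never looks at hosts.deny. "iptables -I INPUT" inserts at the top of the
# chain so the DROP precedes any later ACCEPT rule; --permanent makes the
# firewalld change survive a reload.
block_subnet_commands() {
    cidr=$(wrapper_pattern_to_cidr "$1") || return 1
    printf 'iptables -I INPUT -s %s -j DROP\n' "$cidr"
    printf 'firewall-cmd --permanent --zone=drop --add-source=%s\n' "$cidr"
}

# Report whether a daemon binary is dynamically linked against libwrap.
# Only such programs honour /etc/hosts.allow and /etc/hosts.deny; for any
# other daemon a hosts.deny entry is silently ignored. Returns 0 if linked,
# 1 if not, 2 if the binary cannot be found.
uses_tcp_wrappers() {
    bin=$(command -v "$1" 2>/dev/null) || { echo "not found: $1" >&2; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q libwrap; then
        echo "$1: linked against libwrap, consults /etc/hosts.deny"
        return 0
    fi
    echo "$1: NOT linked against libwrap, /etc/hosts.deny has no effect on it"
    return 1
}

# Constructed sample: the hosts.deny line "ALL: 192.0.2.*" becomes these rules.
block_subnet_commands '192.0.2.*'
```

To check a specific service, run e.g. `uses_tcp_wrappers /usr/sbin/sshd`; a non-zero exit tells you that daemon will never see the hosts.deny entry and the packet-filter rule is the only thing that blocks the subnet. Note that this only addresses the whole-subnet case from the thread; fail2ban, as Pete points out, still bans individual hosts.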