On Tue, Dec 13, 2016 at 10:42:05AM -0800, Grant wrote:
> > In my understanding, fail2ban only collects stats on individual IPs.
> > I have seen suggestions to change the action to block the entire
> > /24 for a bad IP in some situations. That sort of helps, but doesn't
> > help aggregate the "hits" on the jails in the first place.
> >
> > Here are a couple of other posts on the subject:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724274
> >
> Check out this message:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724274#25
>
> It sounds like I can just edit action.d/iptables.conf like this:
>
> old:
> actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
> new:
> actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
>
> and it will ban the entire subnet instead of just the IP. Am I
> reading that right?

Yes, that's correct. The only shortcoming is that this aggregates the "action" but not the "condition".

Let's say you're being scanned by 10 IPs, a.b.c.10, a.b.c.11, ..., a.b.c.19, and you have "maxretry = 10". The rule won't fire until one of those IPs hits you 10 times (within findtime). So if they are slow enough, they might get in almost 100 probes before this rule fires and blocks all of them. Or in the worst case, it's slow enough that none of them hit 10 times in findtime.

I don't think aggregating the IPs on the "condition" side is supported in f2b yet (not sure if it's on the roadmap or not).

Mark

>
> - Grant
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>

--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
che...@swcp.com | Web: www.swcp.com | Voice: +1-505-232-7992
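
The gap between aggregating the "action" and aggregating the "condition" described in the reply above, as an added example that is not part of the original thread and is not fail2ban code: a sliding-window counter run over constructed failure events, keyed once per IP and once per /24. The 192.0.2.0/24 addresses, the 70-second pacing, the 600-second findtime and all function names are assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

MAXRETRY = 10   # failures needed to trigger, as in the thread's "maxretry = 10"
FINDTIME = 600  # sliding window in seconds (assumed value for this demo)

def per_ip(ip):
    """Counting key described in the thread: the single source address."""
    return ip

def per_subnet(ip, prefix=24):
    """Hypothetical counting key: the enclosing /24, matching the <ip>/24 ban."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def first_trigger(events, key_fn, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (timestamp, key, failures_seen) when some key first reaches
    maxretry failures inside findtime seconds, or None if none ever does."""
    windows = defaultdict(deque)
    for seen, (ts, ip) in enumerate(events, start=1):
        key = key_fn(ip)
        win = windows[key]
        win.append(ts)
        while win[0] <= ts - findtime:   # drop failures older than findtime
            win.popleft()
        if len(win) >= maxretry:
            return ts, key, seen
    return None

def sample_events():
    """Constructed data: hosts 192.0.2.10-19 each fail once every 70 s,
    staggered by 7 s, for 20 rounds (200 failures in total)."""
    return [(rnd * 70 + i * 7, f"192.0.2.{10 + i}")
            for rnd in range(20) for i in range(10)]

if __name__ == "__main__":
    events = sample_events()
    print("per-IP condition: ", first_trigger(events, per_ip))
    print("per-/24 condition:", first_trigger(events, per_subnet))
```

With these inputs no single address ever has more than 9 failures inside the window, so the per-IP condition never fires across all 200 failures, while the per-/24 condition fires on the tenth failure.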