>> Check out this message:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724274#25
>>
>> It sounds like I can just edit action.d/iptables.conf like this:
>>
>> old:
>> actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
>> new:
>> actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
>>
>> and it will ban the entire subnet instead of just the IP. Am I
>> reading that right?
>
> Yes, that's correct.
>
> The only shortcoming is that this aggregates the "action" but not
> the "condition". Let's say you're being scanned by 10 IPs,
> a.b.c.10, a.b.c.11, ..., a.b.c.19, and you have "maxretry = 10".
>
> The rule won't fire until one of those IPs hits you 10 times (within
> findtime). So if they are slow enough, they might get in almost
> 100 probes before this rule fires and blocks all of them. Or in the
> worst case, it's slow enough that none of them hit 10 times in
> findtime.
You're right. I didn't think that all the way through.

- Grant

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
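The shortcoming described in the quoted reply (the action is widened to the /24 but the failure count is still kept per source address) is easy to see in a small simulation. The script below is an added example, not code from the thread or from fail2ban itself: it models the jail's counter (maxretry failures within findtime) as a sliding window, runs it over constructed sshd log lines in which ten hosts from one /24 each fail nine times, and compares counting per host with counting per /24. The log lines, host names, port numbers and the REJECT default for <blocktype> are assumptions for illustration; the `actionban()` helper only renders the modified line from the thread with its tags filled in.

```python
"""Per-host vs per-/24 failure counting for a fail2ban-style jail.

Added example, not fail2ban's own code.  The log lines are constructed and the
counter is a simplified model of the jail (maxretry within findtime), not the
real implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# Standard sshd "Failed password" line; only the timestamp and source IP matter.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
EPOCH = datetime(1900, 1, 1)  # strptime without %Y yields year 1900


def make_sample_log(hosts=10, attempts=9, spacing=30):
    """Constructed log (assumption): `hosts` sources in 192.0.2.0/24 (TEST-NET-1),
    each failing `attempts` times, one failure every `spacing` seconds overall,
    round-robin across the hosts.  With the defaults nobody reaches 10 failures."""
    lines = []
    n = 0
    for _ in range(attempts):
        for h in range(hosts):
            ts = (EPOCH + timedelta(seconds=n * spacing)).strftime("%b %d %H:%M:%S")
            lines.append(f"{ts} bastion sshd[4242]: Failed password for invalid user admin "
                         f"from 192.0.2.{10 + h} port {40000 + n} ssh2")
            n += 1
    return lines


def parse_failures(lines):
    """Return [(seconds, ip)] for every line the regex recognises."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            secs = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
            events.append((secs, m["ip"]))
    return events


def ban_times(events, maxretry, findtime, key):
    """Sliding-window counter: a key is banned at the time of its maxretry-th
    failure within findtime seconds.  key() picks the aggregation unit."""
    window = defaultdict(deque)
    banned = {}
    for secs, ip in sorted(events):
        k = key(ip)
        if k in banned:
            continue
        hits = window[k]
        hits.append(secs)
        while secs - hits[0] > findtime:   # expire failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[k] = secs
    return banned


def by_host(ip):
    """What the stock jail counts on: the individual source address."""
    return ip


def by_subnet24(ip):
    """Aggregate the *condition* on the same /24 the modified action bans."""
    return str(ip_network(f"{ip}/24", strict=False))


def actionban(name, target, blocktype="REJECT --reject-with icmp-port-unreachable"):
    """Render the thread's modified actionban line with its tags substituted
    (the blocktype default is assumed from fail2ban's iptables-common.conf)."""
    return f"iptables -I f2b-{name} 1 -s {target} -j {blocktype}"


def compare(lines, maxretry=10, findtime=600):
    """Ban tables for the same failures counted per host and per /24."""
    events = parse_failures(lines)
    return {
        "per_host": ban_times(events, maxretry, findtime, by_host),
        "per_subnet": ban_times(events, maxretry, findtime, by_subnet24),
    }


if __name__ == "__main__":
    result = compare(make_sample_log())
    print("per-host bans   :", result["per_host"])     # {}  nobody hits maxretry
    print("per-subnet bans :", result["per_subnet"])   # {'192.0.2.0/24': 270.0}
    for net in result["per_subnet"]:
        print(actionban("sshd", net))
```

With the /24 only in the action, the 90 probes go through untouched because no single host reaches maxretry; counting per /24 bans the whole range at the tenth failure, 270 seconds in. Doing the latter in real fail2ban means changing what the filter hands to the jail as the ban key, not just the iptables line, which is the distinction the reply draws between "action" and "condition".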