I ban /24 subnets in a postfix jail where there is no reverse DNS (PTR)
record. Typically this is for users on dynamic IPs, so if one is
dynamic or has no PTR record I assume the whole /24 subnet is the same.
I also throw into this any /24 subnet from dynamic.163data.com.cn as
they are dynamic but have a PTR record and are a PITA.

To do this I use an ipset jail with a type hash:net and feed it the
<host>/24, and I rely on ipset controlling the timeout so there is no
actionunban.

Nick

On 04/06/2019 16:39, Andy Howell wrote:

The attackers I see are persistent. When the ban expires, they
continue their attack.

I would like to have an escalating ban time for repeat offenders.
Another factor that could play into it is the number of attacking
hosts from the same ISP. Having the ban time be a bit of python code
instead of an integer would allow flexible methods for determining ban
time. Yet another factor could be the history of attack from an ISP.
Bad ISPs would be banned longer. Any thoughts on this?

Today I see 19 hosts from:
GB 45.13.39.0/24
HK 45.125.65.0/24
IE 185.234.216.0/24
IE 185.234.218.0/24
LT 141.98.10.0/24
LT 185.36.81.0/24
NL 185.137.111.0/24
NL 185.222.209.0/24

No Chinese today. Usually they are predominant.

Thanks,
Andy
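
The two ideas in this thread combined, as an added example that is not code from either poster or from fail2ban: offending IPv4 addresses are aggregated to their /24, and the timeout handed to an ipset `hash:net` set doubles on each repeat and scales with the number of distinct hosts seen in that /24. The set name, base ban time, doubling rule and the use of the /24 as a stand-in for "same ISP" are assumptions; the functions only build the `ipset` command lines and do not run them.

```python
import ipaddress
from collections import defaultdict

SET_NAME = "f2b-postfix-net"  # hypothetical set name
BASE_BAN = 3600               # assumed first-offence ban, seconds
MAX_BAN = 2147483             # largest timeout ipset accepts, seconds


def subnet24(ip):
    """Return the /24 containing an IPv4 address (host bits masked off)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is aggregated to /24 here")
    return ipaddress.ip_network(f"{addr}/24", strict=False)


class SubnetBans:
    """Per-/24 history: how often it was banned and by how many hosts."""

    def __init__(self):
        self.offences = defaultdict(int)
        self.hosts = defaultdict(set)

    def ban(self, ip):
        """Record one ban event; return (network, timeout in seconds)."""
        net = subnet24(ip)
        self.offences[net] += 1
        self.hosts[net].add(ipaddress.ip_address(ip))
        # Double on each repeat, scale by distinct hosts seen in the /24.
        timeout = BASE_BAN * 2 ** (self.offences[net] - 1) * len(self.hosts[net])
        return net, min(timeout, MAX_BAN)


def ipset_create():
    # hash:net stores networks; entries expire on their own, so no unban step.
    return ["ipset", "create", SET_NAME, "hash:net",
            "timeout", str(BASE_BAN), "-exist"]


def ipset_add(net, timeout):
    # -exist refreshes the timeout if the /24 is already in the set.
    return ["ipset", "add", SET_NAME, str(net), "timeout", str(timeout), "-exist"]


if __name__ == "__main__":
    bans = SubnetBans()
    print(" ".join(ipset_create()))
    # Constructed events from documentation address ranges.
    for ip in ["192.0.2.17", "192.0.2.17", "192.0.2.200", "198.51.100.5"]:
        print(" ".join(ipset_add(*bans.ban(ip))))
```

The offence history lives only in memory here; keeping it across restarts would need persistent storage.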
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users