On 10/12/2021 03:23, Patrick Shanahan wrote:

* Mike <t...@rohms.com> [12-09-21 19:56]:


Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.

That may be a function of the type of IPSET list created.  I know that with
ipset you can blacklist subnets but if it isn't a certain list:hash type it
will expand the subnet into an array of individual IP addresses.

If F2B can now handle subnets as single entries, that would be really cool.
I am using a separate system (login-shield) for that very effectively.

create blacklist hash:net family inet hashsize 4096 maxelem 65536
handles subnets, i.e.:

ipset add blacklist 110.153.0.0/16

So how do you determine the subnet to block?

What I did for subnets was create a /etc/fail2ban/action.d/iptables-ipset-proto6-subnet.conf based on /etc/fail2ban/action.d/iptables-ipset-proto6.conf and in it actionstart is:

actionstart = ipset create <ipmset> hash:net timeout <default-timeout><familyopt>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>


and actionban is:
actionban = ipset add <ipmset> <ip>/24 timeout <bantime> -exist

actionunban was:
actionunban = ipset add <ipmset> <ip> timeout <bantime> -exist

which I've noticed is probably wrong and I've just tried changing it to:
actionunban = ipset add <ipmset> <ip>/24 timeout <bantime> -exist

Either way it would unban. The first way would probably rely on the ipset rule timing out.

It is a bit Mickey Mouse but it always bans a /24 subnet around the IP fed to it.

Nick
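
As an added example, not code from the thread or from fail2ban itself: the same idea as the subnet action above, written out in Python so that the hash:net key the ban inserts and the key the unban must delete can be checked offline. The set name f2b-subnet, the prefix lengths (/24 for IPv4, /64 for IPv6) and the small HashNetSet model are assumptions, not part of fail2ban or ipset.

```python
import ipaddress
import shlex

SET_NAME = "f2b-subnet"   # assumed set name; a real action gets <ipmset> substituted by fail2ban
PREFIX = {4: 24, 6: 64}   # assumed prefix per family: a literal /24 is meaningless for IPv6

def subnet_for(ip: str) -> str:
    """Return the CIDR block containing ip, with the host bits cleared."""
    addr = ipaddress.ip_address(ip)
    # strict=False masks the host part: 203.0.113.45/24 -> 203.0.113.0/24
    return str(ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False))

def actionban(ip: str, bantime: int) -> str:
    """Counterpart of 'ipset add <ipmset> <ip>/24 timeout <bantime> -exist', per family."""
    argv = ["ipset", "add", SET_NAME, subnet_for(ip), "timeout", str(bantime), "-exist"]
    return " ".join(shlex.quote(a) for a in argv)

def actionunban(ip: str) -> str:
    """Delete the same key the ban inserted. Deleting the bare host address names a
    different element, so the /24 would stay in the set until its timeout expires."""
    argv = ["ipset", "del", SET_NAME, subnet_for(ip), "-exist"]
    return " ".join(shlex.quote(a) for a in argv)

class HashNetSet:
    """Tiny offline model of a hash:net set: exact keys for add/del, containment for match."""

    def __init__(self):
        self.entries = {}   # ip_network -> timeout in seconds

    def run(self, cmd: str) -> None:
        """Apply an 'ipset add|del <set> <net> ...' line built above to the model."""
        args = shlex.split(cmd)
        verb, net = args[1], ipaddress.ip_network(args[3], strict=False)
        if verb == "add":
            self.entries[net] = int(args[5])
        elif verb == "del":
            self.entries.pop(net, None)   # -exist: a missing key is not an error
        else:
            raise ValueError(f"unsupported ipset verb: {verb}")

    def matches(self, ip: str) -> bool:
        """What '-m set --match-set ... src' checks: is ip inside any stored network?"""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.entries)
```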


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
