* fail2ban <fail2ban-users@lists.sourceforge.net> [12-10-21 03:56]:
>
> On 10/12/2021 03:23, Patrick Shanahan wrote:
> > * Mike <t...@rohms.com> [12-09-21 19:56]:
> > > >
> > > > Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
> > >
> > > That may be a function of the type of IPSET list created. I know that with
> > > ipset you can blacklist subnets but if it isn't a certain list:hash type it
> > > will expand the subnet into an array of individual IP addresses.
> > >
> > > If F2B can now handle subnets as single entries, that would be really cool.
> > > I am using a separate system (login-shield) for that very effectively.
> >
> > create blacklist hash:net family inet hashsize 4096 maxelem 65536
> > handles subnets, ie:
> > 110.153.0.0/16
> > 186.29.182.0/24
> > 45.155.126.0/24
> > 123.5.0.0/16
> > 179.43.140.0/24
> > 178.128.0.0/16
> > 89.248.165.0/24
> > 185.142.236.0/24
> > 45.141.87.0/24
> > 40.73.0.0/16
> >
> > ipset add blacklist 110.153.0.0/16
>
> So how do you determine the subnet to block?

If from China, I block 0/16 on *any* dubious report which implies an
unauthorized attempt. Everywhere else, I block 0/24 on the second addr in
the same 0/24
  40.72.0/16
  45.141.87.0/24
  ...

> Either way it would unban. The first way would probably rely on the ipset
> rule timing out.

I do not "unban". :)

--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org    openSUSE Community Member    facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo               paka @ IRCnet oftc
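
The blocking rule described in the reply above, as an added example (not code from the thread or from fail2ban): it turns a stream of reported addresses into `hash:net` entries in the line format `ipset restore` reads. The function names, the `wide_ranges` parameter (operator-supplied networks where one report blocks the enclosing /16), the "second distinct address" reading of the /24 rule, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SET_NAME = "blacklist"  # set name used in the thread
CREATE = f"create {SET_NAME} hash:net family inet hashsize 4096 maxelem 65536"

def subnets_to_block(reports, wide_ranges=()):
    """Apply the thread's policy to reported IPv4 addresses.

    wide_ranges (assumption): networks chosen by the operator, e.g. from a
    GeoIP source, where a single report blocks the enclosing /16.
    Elsewhere a /24 is blocked once a second distinct address in it appears.
    """
    wide = [ipaddress.ip_network(n) for n in wide_ranges]
    seen = defaultdict(set)  # /24 network -> distinct offending addresses
    blocked = set()
    for raw in reports:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            continue  # malformed or non-IPv4 field: ignore it
        if any(ip in n for n in wide):
            blocked.add(ipaddress.ip_network(f"{ip}/16", strict=False))
            continue
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[net24].add(ip)
        if len(seen[net24]) >= 2:
            blocked.add(net24)
    # A /24 inside an already blocked /16 adds nothing to the set.
    wide_blocks = [n for n in blocked if n.prefixlen == 16]
    kept = [n for n in blocked if n.prefixlen == 16
            or not any(n.subnet_of(w) for w in wide_blocks)]
    return sorted(kept)

def ipset_restore_lines(nets):
    """Render networks as input for `ipset restore`."""
    return [CREATE] + [f"add {SET_NAME} {n}" for n in nets]

# Constructed sample reports (documentation and benchmark address ranges).
SAMPLE = ["192.0.2.10", "192.0.2.10", "192.0.2.77", "203.0.113.5",
          "198.18.4.9", "198.18.200.1", "not-an-ip",
          "198.51.100.1", "198.51.100.2"]

if __name__ == "__main__":
    nets = subnets_to_block(SAMPLE, wide_ranges=["198.18.0.0/15"])
    print("\n".join(ipset_restore_lines(nets)))
```

Because the set type is `hash:net`, each emitted line stays a single subnet entry rather than being expanded into individual addresses.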