On 10/12/2021 16:18, Patrick Shanahan wrote:
* fail2ban <fail2ban-users@lists.sourceforge.net> [12-10-21 03:56]:
On 10/12/2021 03:23, Patrick Shanahan wrote:
* Mike <t...@rohms.com> [12-09-21 19:56]:
Thank you, I updated to 0.11.2-3 and will see if subnet bans stick.
That may be a function of the type of IPSET list created. I know that with
ipset you can blacklist subnets but if it isn't a certain list:hash type it
will expand the subnet into an array of individual IP addresses.
If F2B can now handle subnets as single entries, that would be really cool.
I am using a separate system (login-shield) for that very effectively.
create blacklist hash:net family inet hashsize 4096 maxelem 65536
handles subnets, i.e.:
110.153.0.0/16
186.29.182.0/24
45.155.126.0/24
123.5.0.0/16
179.43.140.0/24
178.128.0.0/16
89.248.165.0/24
185.142.236.0/24
45.141.87.0/24
40.73.0.0/16
ipset add blacklist 110.153.0.0/16
So how do you determine the subnet to block?
If from China, I block 0/16 on *any* dubious report which implies an
unauthorized attempt.
Everywhere else, I block 0/24 on the second addr in the same 0/24
40.72.0/16
45.141.87.0/24
...
Either way it would unban. The first way would probably rely on the ipset
rule timing out.
I do not "unban". :)
So you're doing it all manually? If so, just maintain your own ipset
list and your own firewall rules.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
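The escalation rule described in the thread (a report from China bans the /16 at once; anywhere else the /24 is banned on the second distinct offender seen in that /24), worked through as an added example that is not part of the original thread or of fail2ban or login-shield. It only generates the ipset commands for a hash:net set and does not run them; the reports and their country tags are constructed sample data, standing in for whatever GeoIP lookup the reader uses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (offending address, country code from a GeoIP lookup)
REPORTS = [
    ("110.153.12.7", "CN"),
    ("45.141.87.10", "NL"),
    ("45.141.87.200", "NL"),   # second distinct host in 45.141.87.0/24
    ("186.29.182.5", "CO"),
    ("110.153.200.1", "CN"),   # already inside the /16 banned above
]

# Same set definition as in the thread, plus the matching firewall rule
CREATE_CMD = "ipset create blacklist hash:net family inet hashsize 4096 maxelem 65536"
FIREWALL_CMD = "iptables -I INPUT -m set --match-set blacklist src -j DROP"


class SubnetBanner:
    """Tracks what is already banned and which /24s have produced one offender."""

    def __init__(self):
        self.banned = set()           # networks already added to the set
        self.seen = defaultdict(set)  # /24 -> distinct offending addresses in it

    def covered(self, net):
        # hash:net accepts nested entries, but adding a /24 inside a banned /16 is noise
        return any(net.subnet_of(b) for b in self.banned)

    def decide(self, ip, country):
        """Return the network to ban for this report, or None if nothing new is needed."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return None  # the thread only discusses an 'family inet' (IPv4) set
        net16 = ipaddress.ip_network(f"{addr}/16", strict=False)
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        if country == "CN":
            target = net16  # any dubious report from China: block the whole /16
        else:
            self.seen[net24].add(addr)
            if len(self.seen[net24]) < 2:
                return None  # first hit in this /24: wait for a second address
            target = net24
        if self.covered(target):
            return None
        self.banned.add(target)
        return target


def ban_commands(reports, banner=None):
    """Turn a sequence of reports into the ipset commands to run, in order."""
    banner = banner if banner is not None else SubnetBanner()
    cmds = [CREATE_CMD, FIREWALL_CMD]
    for ip, country in reports:
        net = banner.decide(ip, country)
        if net is not None:
            cmds.append(f"ipset add blacklist {net}")
    return cmds
```

Entries added this way carry no timeout, matching the "I do not unban" approach; give the set a `timeout` at creation if bans should expire.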