I've shifted to using ipsets directly with fail2ban, without any code to identify whole bad IP blocks such as you've done, although I do think it's astonishing that so _many_ black-hat IP source addresses are showing up yet no-one seems to be in a position to track them down and put a stop to it (naive, I know :-(.
Since IP addresses are being used in rotation, I have to have the relevant filters configured for only one fetch of a non-existent page to trigger blacklisting. My configuration has stabilised at about 2.4 _million_ IPv4 and 660,000 IPv6 bad addresses, being flushed about every 10 days and then refilled by f2b. Using ipset and managing it separately avoids the huge cost of flushing fail2ban itself, but I still see one f2b thread running pretty much continuously. I started writing up my setup in order to share it, but other tasks got in the way; I'll try to get back to that...

ht
--
Henry S. Thompson
