Bug#724274: fail2ban: Please add ability to ban whole IP ranges
Control: fixed -1 0.11.2-2

This is already possible as follows:

Add action.d/iptables-multiport24.conf:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Mike Gerber to ban a whole /24 net
#

[INCLUDES]

before = iptables-multiport.conf

[Definition]

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype>

Then, in jail.local e.g.:

[postfix-sasl]
enabled = true
banaction = iptables-multiport24

[dovecot]
enabled = true
banaction = iptables-multiport24
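What a widened ban covers, as an added example that is not part of the thread or of fail2ban: iptables masks off the host bits of the source address, so a /24 suffix bans the aligned 256-address block containing the offender (a /23 gives the 512 addresses asked about in the original report), not the addresses surrounding it. The function names and sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): which addresses does "-s IP/PREFIX" cover?
# All addresses used below are constructed samples.

# Dotted-quad IPv4 -> 32-bit integer. The subshell body keeps the IFS change local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Block that iptables matches for "-s IP/PREFIX": host bits are masked off,
# so the block is aligned to the prefix, not centred on the offender.
banned_block() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "$1") & mask )))/$2"
}

# Number of addresses a prefix length covers.
block_size() {
    echo $(( 1 << (32 - $1) ))
}

# Exit status 0 if address $3 falls inside the block banned for offender $1
# at prefix length $2. Use it to check your own admin or monitoring addresses.
covers() {
    [ "$(banned_block "$1" "$2")" = "$(banned_block "$3" "$2")" ]
}

# Demo with constructed addresses.
banned_block 1.2.3.4 24
banned_block 198.51.101.7 23
if covers 203.0.113.200 24 203.0.113.10; then
    echo "203.0.113.10 would be locked out by a /24 ban on 203.0.113.200"
fi
```

fail2ban compares only the offending address against ignoreip, so a widened action can still block an ignored address that shares the block; `covers` is a quick way to test that before choosing a prefix length.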
Bug#724274: fail2ban: Please add ability to ban whole IP ranges
Package: fail2ban
Severity: wishlist
Tags: upstream

Hello,

for a few days now my private e-mail server is suffering ssh login attempts from a rather narrow range of IP addresses that are (apparently) all located in China. That is, once one IP is blocked by fail2ban, the attacks continue from another IP of that range shortly thereafter.

Would it be possible to broaden the ban rule to ban a whole IP range (say, the 512 surrounding IP addresses) around an offending IP at once?

Best regards,

 - Fabian

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (900, 'unstable'), (700, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#724274: fail2ban: Please add ability to ban whole IP ranges
Hi Fabian,

we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like.

here is my reply on fail2ban-users

Date: Wed, 7 Aug 2013 12:57:54 -0400
From: Yaroslav Halchenko li...@onerussian.com
To: fail2ban-us...@lists.sourceforge.net
Subject: Re: [Fail2ban-users] a more agressive ban of the whole class c?

well -- probably I should have added that you can always customize your action file to ban whole networks:

# iptables -I INPUT 1 -s 1.2.3.4/24 -j DROP
# iptables -L -n -v | head
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       1.2.3.0/24           0.0.0.0/0

On Mon, 23 Sep 2013, Fabian Greffrath wrote:

> Package: fail2ban
> Severity: wishlist
> Tags: upstream
>
> Hello,
>
> for a few days now my private e-mail server is suffering ssh login attempts from a rather narrow range of IP addresses that are (apparently) all located in China. That is, once one IP is blocked by fail2ban, the attacks continue from another IP of that range shortly thereafter.
>
> Would it be possible to broaden the ban rule to ban a whole IP range (say, the 512 surrounding IP addresses) around an offending IP at once?
>
> Best regards,
>
>  - Fabian

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
Bug#724274: fail2ban: Please add ability to ban whole IP ranges
Hi Yaroslav,

thanks for your prompt reply!

On Monday, 23.09.2013, at 09:07 -0400, Yaroslav Halchenko wrote:

> we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like.

So you mean that I should just add /24 to the ip placeholder in the actionban line in /etc/fail2ban/action.d/iptables-multiport.conf ?

 - Fabian
Bug#724274: fail2ban: Please add ability to ban whole IP ranges
On Mon, 23 Sep 2013, Fabian Greffrath wrote:

> thanks for your prompt reply!
>
> On Monday, 23.09.2013, at 09:07 -0400, Yaroslav Halchenko wrote:
>
> > we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like.
>
> So you mean that I should just add /24 to the ip placeholder in the actionban line in /etc/fail2ban/action.d/iptables-multiport.conf ?

yes! but better not modify existing one but copy to a new one, modify and then adjust your banaction in jail.local, e.g.

cat /etc/fail2ban/jail.local
[DEFAULT]
banaction = iptables-multiport24

smth like that ;)

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik