Fail2Ban - block complete IP ranges?

thorsten · October 26, 2018, 9:29am

NethServer Version: 7.5
Module: fail2ban

Hi,

my server encounters of course some hacker attackes. Most attacks are based on recidive or postfix-ddos. Fail2ban blocks attacks as expected. 2-3 attackes per day - some more during weekends - a spare time hacker - are located in same IP Range / Provider (Litausia 185.36.81.x) or similar. I guess this is a VPN provider.

I do not expect any “regular server activities” from that area / provider. Can I block IPs using Fail2Ban? Can I tell Fail2Ban not only to block the specific IP but the complete range?

TIA
Thorsten

GG_jr · October 26, 2018, 9:42am

Hi @thorsten ,

I don’t know if is possible, @stephdl knows better and I am sure he will answer asap, but I think if you will enable “Recidive jail is perpetual”, after a while, you will obtain the same result.

Another way could be to create a rule on firewall, as 1st rule, to block or reject the entire IP range.

BR,
Gabriel

stephdl · October 26, 2018, 6:14pm

Hi mates

If you know the IP range, the best way is to use the firewall, after that the geoIP could be used with shorewall https://tech.feedyourhead.at/content/shorewall-setup-geo-ip-filtering

But, but I tend to be pragmatic and let fail2ban works, find, ban, find several time and go to recidive for 7*bantime iirc

thorsten · October 28, 2018, 7:46pm

Hi Stephdl,

Thanks for your idea, in generall I think so, too. However it takes quite a long time until an attackes comes from the same IP if at all. As fail2ban reports the provider and IP range I was asking if it would not be more interestingt to block the IP range instead the single IP…

Best regards
Thorsten