IP in the network 0.0.0.0/8 are banned

stephdl (Stéphane de Labrusse) 2018-05-08 12:25:18 UTC #1

With nethserver-fail2ban installed I can see that some IPs are banned (launch fail2ban-listban) but not by fail2ban because I cannot find something in logs

these IP are for example

0.169.138.200
0.16.244.71
0.169.138.200

following this, these IP should not be used -> https://superuser.com/questions/388056/where-are-addresses-from-the-network-0-0-0-0-8-used-in-practice

I do not understand who blocked these IP, it seems it is not fail2ban…or we have a bug

how to gather information on the fail2ban work

db fail2ban show BLOCKED_IP   #should give back information (how many ban and last ban)
grep -srni 'xxx\.xxx\.xxx\.xxx' /var/log    # should give back any reference to this IP

You can find this strange IP by comparing fail2ban-client status jailName (or fail2ban-listban) and shorewall show dynamic

stephdl (Stéphane de Labrusse) 2018-05-10 07:19:44 UTC #2

for those who have fail2ban installed, can you check if you have these kind of IP blocked please

robb (Rob Bosch) 2018-05-10 09:26:48 UTC #3

In fail2ban logs I don’t have any ip’s listed in 0.0.0.0/8 subnet
From the thread you linked:
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

[2]0.0.0.0/8 reserved for self-identification [RFC1122], section 3.2.1.3.
Reserved by protocol. For authoritative registration, see [IANA registry iana-ipv4-special-registry].

/devils advocate mode: could this get abused in any way? Looks like it is intended for identification purposes.

stephdl (Stéphane de Labrusse) 2018-05-10 19:03:55 UTC #4

yes these IP should be never used but I do not understand what services banned them, Fail2ban makes log of everything and bans from logs reading, so definitively I must find traces

pnemenz 2018-05-11 05:55:04 UTC #5

I checked. there are no such strange IP’s blocked at my Servers.