Re: Blocking attacks from a range of IP addresses

On 01/09/2020 02:09 PM, Pete Biggs wrote:
>>> As far as I can see fail2ban only deals with hosts and not networks - I
>>> suspect the issue is what is a "network": It may be obvious to you
>>> looking at the logs that these are all related, but you run the risk
>>> that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and
>>> 1.2.0.124 may be interpreted as a concerted attack and you banning half
>>> the internet - but that may not be a bad thing :-)
>>>
>> Since you can configure fail2ban to invoke scripts, I would think it
>> would be possible to get it to block CIDRs (variable size subnets, i.e.
>> 12.12.0.0/20).  That said, I don't have a quick and easy implementation
>> on hand.
> The OP was looking for an automated way of fail2ban doing it - he had
> already sorted out the network range and had stopped this particular
> DoS attack. 
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos

Correct. I appreciate all the replies but I used /etc/hosts.deny to deny this network range of attacks. Again, the reason that fail2ban failed to catch it was that the attacks were coming from a wide range of subnet addresses and were only caught by reviewing the log.

It would be nice, however, to have a fail2ban expression that allowed me to catch the /16 range of addresses needed here.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
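
The log review described in this message, grouping failed logins by /16 and flagging only networks where several distinct hosts fail, can be sketched as follows. This is an added example, not part of the original thread and not fail2ban code; the log lines are constructed, and the function names, the `min_hosts` threshold and the sshd message format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in sshd "Failed password" style; addresses are made up
# (12.12.x.x and 1.x.0.x echo the examples used in the thread).
SAMPLE_LOG = """\
Jan  9 13:01:02 host sshd[1001]: Failed password for root from 12.12.3.7 port 40110 ssh2
Jan  9 13:01:05 host sshd[1002]: Failed password for invalid user admin from 12.12.200.14 port 40222 ssh2
Jan  9 13:01:09 host sshd[1003]: Failed password for root from 12.12.77.91 port 40345 ssh2
Jan  9 13:01:11 host sshd[1004]: Failed password for root from 12.12.3.7 port 40399 ssh2
Jan  9 13:02:00 host sshd[1005]: Failed password for root from 1.0.0.1 port 50001 ssh2
Jan  9 13:02:03 host sshd[1006]: Failed password for root from 1.1.0.93 port 50002 ssh2
Jan  9 13:02:07 host sshd[1007]: Failed password for root from 1.2.0.124 port 50003 ssh2
"""

FAILED = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")

def noisy_networks(log_text, prefix=16, min_hosts=3):
    """Return /prefix networks with failures from at least min_hosts distinct IPs."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # regex matched digits that are not a valid address
        # strict=False masks the host bits, giving the enclosing network
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        hosts[net].add(addr)
    # Counting distinct hosts (not raw hits) keeps one noisy IP from
    # getting its whole network flagged.
    return sorted(n for n, seen in hosts.items() if len(seen) >= min_hosts)

def hosts_deny_lines(networks, daemon="sshd"):
    """Format networks in the net/mask form accepted by /etc/hosts.deny."""
    return [f"{daemon}: {n.network_address}/{n.netmask}" for n in networks]

if __name__ == "__main__":
    for line in hosts_deny_lines(noisy_networks(SAMPLE_LOG)):
        print(line)
```

With the default /16 grouping the three 1.x addresses stay in separate networks and are not flagged; widening `prefix` to 8 merges them, which is the over-blocking risk raised earlier in the thread.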


