Working on it. Some other issues got in the way of testing.

--
Ted Buchanan
Computer/Network Analyst - Vincennes University
tbuchanan@xxxxxxxx

From: "Jon LaBadie" <jcu@xxxxxxxxxx>
To: "Jon LaBadie" <centos@xxxxxxxxxx>
Date: 06/22/2020 04:57 PM
Subject: Re: firewall questions
Sent by: "CentOS" <centos-bounces@xxxxxxxxxx>

On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:
> I'm running CentOS 7.8.2003, with firewalld.
>
> I was getting huge numbers of ssh attempts per day from a few specific ip
> blocks.
>
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and
> 118.0.0.0/24, and they amounted to multiple thousands of attempts per day.
> I installed and configured fail2ban, but still saw a lot of attempts in the
> logs, and the ipset created was filling up.
>

What type of ipset did you create, perhaps hash:ip where
individual addresses are listed? If so, consider switching
to hash:net which uses CIDR style entries. Individual
addresses become 1.2.3.4/32 but blocks can be included
with a single entry. My ipset has about 40,000 entries,
but covers millions of IP addresses.

If you do switch, look on the net for a program called
"cidrmerge". It takes a list of IP addresses and CIDR
networks, sorts them and merges multiple entries into
a single network where possible.

Jon
--
Jon H. LaBadie jcu@xxxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
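
The merge step Jon describes, as an added example that is not part of the original thread and is not the cidrmerge program itself: it uses Python's standard `ipaddress.collapse_addresses` as a stand-in to turn a mixed list of addresses and CIDR blocks into the smallest set of hash:net entries. The set name `sshblock` and the sample addresses (documentation ranges) are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample input (documentation ranges): single addresses,
# CIDR blocks, a comment, an entry with host bits set and one invalid line.
SAMPLE = """\
# offenders seen in the ssh log
192.0.2.10
192.0.2.11
192.0.2.0/25
192.0.2.128/25
198.51.100.4
198.51.100.5
198.51.100.6
203.0.113.77/24
not-an-address
"""

def merge_entries(text):
    """Return (merged IPv4 networks, rejected entries) for a blocklist."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False masks host bits: 203.0.113.77/24 -> 203.0.113.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # The set below is "family inet", so only IPv4 entries are accepted.
        (nets if net.version == 4 else rejected).append(net if net.version == 4 else entry)
    # collapse_addresses sorts, drops covered entries and joins adjacent blocks.
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore_lines(nets, name="sshblock"):
    """Render merged networks as input for `ipset restore` (hypothetical set name)."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n}" for n in nets]
    return lines

if __name__ == "__main__":
    merged, bad = merge_entries(SAMPLE)
    print("\n".join(ipset_restore_lines(merged)))
    print(f"# skipped: {bad}")
```

Eight valid input entries collapse to four hash:net entries here; a lone address stays as a /32, as described in the reply above.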