Score:2

Fail2ban partial IP match possible?


My server (Ubuntu 18.04) is getting a lot of spam requests on Postfix. Fail2ban is working, but the spammers keep changing the last part of the IP and are not getting banned. For example,

2021-10-09 09:40:01,260 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 212.70.149.88 - 2021-10-09 09:40:01
2021-10-09 09:40:04,047 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.201 - 2021-10-09 09:40:04
2021-10-09 09:40:08,697 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.182 - 2021-10-09 09:40:08
2021-10-09 09:40:18,922 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.119 - 2021-10-09 09:40:18
2021-10-09 09:40:21,627 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 212.70.149.88 - 2021-10-09 09:40:21

Is there any option to make Fail2ban match the first 3 parts of an IP like match 31.130.184.0/24 and then block all the IPs above as soon as they're encountered?

djdomi:
Subnet support will be coming, if I understood the github.com repository of fail2ban.
Zareh Kasparian:
If you are sure you want to drop /24, why handle this via fail2ban? Just go for iptables and drop /24. Even less memory & CPU is used.
djdomi:
Zareh, I wanna see you doing 24/7 log monitoring with your explanations ;) I bet after 36 hours your physical end will be near.
Zareh Kasparian:
@djdomi either my English is bad, or I don't understand what you exactly mean!!!
Zareh Kasparian:
Also good to have @myname to get a notification on your update :)
Whip:
@ZarehKasparian what he means, and I concur: I do not intend to block this particular IP. It can be any IP sending malicious requests. I cannot keep monitoring the logs and taking action manually.
djdomi:
@ZarehKasparian Whip understood what I meant ;) - he wants to avoid staying awake 24/7 to ban any malicious request, and I meant that, at the latest after being awake for 36 hours, your physical end (falling asleep) will be near ;)
Zareh Kasparian:
@djdomi there is no need for someone to be awake. He/she can write a script to read the logs, get the IP address out of it and automatically block the IP via iptables. That simple :)
Whip:
Cool idea. Let's call it "Fail2Ban"!
Score:2

Short Answer:

Fail2ban plans to support banning of Subnets in Version 1.0.

Reference

Bug Report: https://github.com/fail2ban/fail2ban/issues/927

Mile-Stone Report: https://github.com/fail2ban/fail2ban/milestone/17

Current State:

It's not officially supported, but could be added manually.

djdomi:
I would like to add that, if you ban a subnet in the current state, fail2ban will not match that ban currently.
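As an added example (not code from the question, the answer, or the fail2ban project), here is the aggregation step that fail2ban does not do on its own: it parses the `Found` lines from fail2ban.log as shown in the question and reports every /24 from which several distinct hosts hit the jail inside a trailing time window, which is exactly the address-hopping pattern that per-IP `maxretry` never triggers on. The log lines are constructed from the question's sample; the 10-minute window and the threshold of 3 distinct hosts are assumed values, and the resulting networks are meant to be handed to iptables or to a manual ban.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, shaped like the fail2ban.log lines quoted in the question.
SAMPLE_LOG = """\
2021-10-09 09:40:01,260 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 212.70.149.88 - 2021-10-09 09:40:01
2021-10-09 09:40:04,047 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.201 - 2021-10-09 09:40:04
2021-10-09 09:40:08,697 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.182 - 2021-10-09 09:40:08
2021-10-09 09:40:18,922 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 31.130.184.119 - 2021-10-09 09:40:18
2021-10-09 09:40:21,627 fail2ban.filter         [790]: INFO    [postfix-sasl] Found 212.70.149.88 - 2021-10-09 09:40:21
"""

# Matches the filter's "Found <ip>" lines; anything else (bans, restarts, ...) is ignored.
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.filter\s+\[\d+\]: "
    r"INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>[0-9a-fA-F.:]+)"
)

def parse_found(lines):
    """Yield (timestamp, jail, ip_address) for each 'Found' line, skipping everything else."""
    for line in lines:
        m = FOUND_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # malformed address in the log: skip rather than crash
            continue
        yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("jail"), ip

def subnet_hits(lines, prefixlen=24, window=timedelta(minutes=10), threshold=3):
    """Return {network: distinct_host_count} for networks with >= threshold distinct
    hosts seen inside the trailing window (measured back from the newest event).
    Counting distinct hosts, not raw hits, is what separates an address-hopping /24
    from one noisy host that fail2ban's per-IP maxretry already catches.
    prefixlen applies to IPv4 (assumed default /24); IPv6 is grouped per /64."""
    events = list(parse_found(lines))
    if not events:
        return {}
    cutoff = max(ts for ts, _, _ in events) - window
    hosts = defaultdict(set)
    for ts, _jail, ip in events:
        if ts < cutoff:
            continue
        plen = prefixlen if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        hosts[str(net)].add(ip)
    return {net: len(h) for net, h in hosts.items() if len(h) >= threshold}
```

Running `subnet_hits(SAMPLE_LOG.splitlines())` on the sample reports `31.130.184.0/24` with 3 distinct hosts while `212.70.149.0/24`, which was hit twice by the same address, stays below the threshold.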