I've been using F2B and it works well, but one thing it's not
particularly good at is dealing with patterns of source IP ranges
which are consistently troublesome. (AFAIK)

For example, if you're operating a mail server, and you have no
clients in countries like Brazil, China, Russia, etc., then it seems
like a waste of resources to constantly battle the now
highly-intelligent botnets that work around the fail2ban ruleset. I
know some people tend to want to block entire countries, but I'd
rather identify troublesome ISPs/IP blocks and deal with them in batches.

I'm seeing botnets that operate from hundreds, if not thousands, of
distinct IP addresses and spread their brute force and dictionary
attacks out, so they're not triggered by f2b.

The solution to this, in my opinion, is adding an extra layer of protection.

I've been running a mail server online for more than 20 years that is
based around tcp-wrappers and have built up a class A/B/C blacklist
that's not too large, but stops about 90% of the crack
attempts. Unfortunately, the more modern servers don't like to wrap
around hosts.allow/deny and tcpwrappers, so I'm stuck with trying to
come up with something new.

F2B seems to be centered around particular individual IPs, so it
doesn't work to block the troublesome IP ranges. (Or am I
wrong? Can I feed f2b IPs and netmasks?)

My research indicates perhaps the best approach would be to employ an
additional permanent blacklist for troublesome IP address
ranges. Has anybody else done this using IPSETS and IPTABLES?

I want to create an IPSET set that contains IP ranges and permanently
ban certain blocks from all ports except http/https. I want another
IPSET/command that I can use to block a specific IP from the server
for all ports (that would be manually set when I encounter specific attacks).

I had been using a special ruleset I created in F2B, but those
require timeouts and seem to only work with single IPs, so I'm
thinking I need to create some scripts that will do this outside of F2B?

Anybody else done something like this? Any advice on the best
approach? Want to share any scripts you've created that can do this?
- Mike
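The two-set layout asked about above (a permanent range list dropped on every port except http/https, plus a single-host list dropped on all ports), as an added example that is not part of the original post; the set names, the chain name and the list file path are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: a permanent block list kept in
# two ipset sets and wired into iptables ahead of fail2ban's own chains.
#   banned_nets  (hash:net) : CIDR ranges dropped on every port except 80/443
#   banned_hosts (hash:ip)  : single addresses dropped on every port
# Set and chain names and NETS_FILE are assumptions; DRY_RUN=1 prints the
# commands instead of executing them (needs root and ipset/iptables otherwise).
NETS_FILE=${NETS_FILE:-/etc/firewall/banned_nets.txt}

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_sets() {
    # -exist makes re-runs idempotent (no error if the set already exists)
    run ipset -exist create banned_nets hash:net family inet
    run ipset -exist create banned_hosts hash:ip family inet
}

load_nets() {
    # File format: one network per line, '#' comments allowed,
    # a bare address is treated as a /32.
    while read -r cidr rest; do
        case "$cidr" in ''|'#'*) continue ;; esac
        case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac
        run ipset -exist add banned_nets "$cidr"
    done < "$1"
}

install_rules() {
    # A dedicated chain keeps the rules together; RETURN (not ACCEPT) for
    # 80/443 hands those packets back to INPUT so later filters still apply.
    run iptables -N blocklist 2>/dev/null || true
    run iptables -F blocklist
    run iptables -A blocklist -m set --match-set banned_hosts src -j DROP
    run iptables -A blocklist -m set --match-set banned_nets src \
        -p tcp -m multiport --dports 80,443 -j RETURN
    run iptables -A blocklist -m set --match-set banned_nets src -j DROP
    # Run once (e.g. from the boot firewall script): position 1 puts the
    # set lookups before fail2ban's chains.
    run iptables -I INPUT 1 -j blocklist
}

# Manual ban of one address on all ports (the second case in the post).
ban_host() { run ipset -exist add banned_hosts "$1"; }

if [ "${1:-}" = apply ]; then
    create_sets && load_nets "$NETS_FILE" && install_rules
fi
```

Editing the list file and re-running `load_nets` adds new ranges without touching the iptables rules; `ipset del banned_nets <cidr>` removes one.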
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users