Hello Mike, I'm not sure if this answers your questions, but I actually wrote a script that takes my f2b database and then, based on some analysis by me, adds problematic subnets to a blacklist. In order to keep things efficient, I have my blacklist checked prior to any of the f2b rules. In addition, I log all of my blacklist hits so I can keep track of how much it is being hit and, therefore, its effectiveness...
> On Aug 2, 2019, at 11:18 AM, Mike <[email protected]> wrote:
>
> I've been using F2B and it works well, but one thing it's not particularly
> good at is dealing with patterns of source IP ranges which are consistently
> troublesome. (AFAIK)
>
> For example, if you're operating a mail server, and you have no clients in
> countries like Brazil, China, Russia, etc., then it seems like a waste of
> resources to constantly battle the now highly-intelligent botnets that work
> around the fail2ban ruleset. I know some people tend to want to block entire
> countries, but I'd rather identify troublesome ISPs/IP blocks and deal with
> them in batches.
>
> I'm seeing botnets that operate from hundreds, if not thousands of distinct
> IP addresses and spread their brute force and dictionary attacks out, so
> they're not triggered by f2b.
>
> The solution to this, in my opinion, is adding an extra layer of protection.
>
> I've been running a mail server online for more than 20 years that is based
> around tcp-wrappers and have built up a class a/b/c blacklist that's not too
> large, but stops about 90% of the crack attempts. Unfortunately, the more
> modern servers don't like to wrap around hosts.allow/deny and tcpwrappers, so
> I'm stuck with trying to come up with something new.
>
> F2B seems to be centered around particular individual IPs, so it doesn't work
> to block the troublesome IP ranges. (or am I wrong? Can I feed f2b IPs and
> netmasks?)
>
> My research indicates perhaps the best approach would be to employ an
> additional permanent blacklist for troublesome IP address ranges. Has
> anybody else done this using IPSETS and IPTABLES?
>
> I want to create an IPSET set that contains IP ranges and permanently ban
> certain blocks from all ports except http/https. I want another
> IPSET/command that I can use to block a specific IP from the server for all
> ports (that would be manually set when I encounter specific attacks).
>
> I had been using a special ruleset I created in F2B, but those require
> timeouts and seem to only work with single IPs, so I'm thinking I need to
> create some scripts that will do this outside of F2B?
>
> Anybody else done something like this? Any advice on the best approach?
> Want to share any scripts you've created that can do this?
>
> - Mike
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
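The ipset/iptables layer discussed in this thread, written out as an added example; it is not the reply author's script, not Mike's, and not part of fail2ban. It keeps the two sets Mike asks for (a hash:net set for ranges, dropped on every port except TCP 80/443, and a hash:ip set for single hosts, dropped on all ports), puts them in a dedicated chain that is jumped to from position 1 of INPUT so it is evaluated before the f2b-* chains, logs every hit with a rate limit so hits can be counted, and includes a small summarizer for those log lines. The set names `blacklist_net` and `blacklist_host`, the chain name `BLACKLIST`, the log prefix `[blacklist] ` and the sample kernel-log lines are all assumptions made for the example; `DRY_RUN=1` prints the commands instead of running them, so it can be tried without root.

```shell
#!/bin/sh
# Added example (not from the thread, not fail2ban code): a permanent
# ipset/iptables blacklist evaluated before fail2ban's f2b-* chains.
# Assumed names: sets blacklist_net / blacklist_host, chain BLACKLIST,
# log prefix "[blacklist] ".  DRY_RUN=1 prints commands instead of running
# them, so the script can be exercised without root.

BL_NET=blacklist_net      # hash:net - CIDR ranges, dropped on all ports but TCP 80/443
BL_HOST=blacklist_host    # hash:ip  - single hosts, dropped on all ports
CHAIN=BLACKLIST
LOG_PREFIX="[blacklist] "

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the sets and the chain (idempotent), then hook the chain in at
# position 1 of INPUT so it is checked before anything fail2ban inserted.
setup_blacklist() {
    run ipset create "$BL_NET"  hash:net -exist
    run ipset create "$BL_HOST" hash:ip  -exist
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    # Single hosts: log (rate-limited so a flood cannot fill the log), then drop.
    run iptables -A "$CHAIN" -m set --match-set "$BL_HOST" src \
        -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    run iptables -A "$CHAIN" -m set --match-set "$BL_HOST" src -j DROP
    # Ranges: let web traffic back out of the chain, log and drop the rest.
    run iptables -A "$CHAIN" -m set --match-set "$BL_NET" src \
        -p tcp -m multiport --dports 80,443 -j RETURN
    run iptables -A "$CHAIN" -m set --match-set "$BL_NET" src \
        -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    run iptables -A "$CHAIN" -m set --match-set "$BL_NET" src -j DROP
    # Remove a stale jump (if any) and re-insert it at the top of INPUT.
    run iptables -D INPUT -j "$CHAIN" 2>/dev/null || true
    run iptables -I INPUT 1 -j "$CHAIN"
}

# ban_net 203.0.113.0/24 : a range goes into the hash:net set only.
ban_net() {
    case "$1" in
        */*) run ipset add "$BL_NET" "$1" -exist ;;
        *)   echo "ban_net: expected address/prefix, got '$1'" >&2; return 1 ;;
    esac
}

# ban_host 198.51.100.22 : a single address goes into the hash:ip set only.
ban_host() {
    case "$1" in
        */*) echo "ban_host: expected a single address, got '$1'" >&2; return 1 ;;
        *)   run ipset add "$BL_HOST" "$1" -exist ;;
    esac
}

# Count blacklist hits per source address from kernel log lines on stdin
# (e.g. journalctl -k | summarize_hits).  Output: "<count> <src>", busiest first.
summarize_hits() {
    grep -F "$LOG_PREFIX" \
      | sed -n 's/.*SRC=\([0-9A-Fa-f.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not real traffic) for trying summarize_hits.
SAMPLE_LOG='Aug  2 11:20:01 mx kernel: [blacklist] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25
Aug  2 11:20:03 mx kernel: [blacklist] IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Aug  2 11:20:05 mx kernel: [blacklist] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=587
Aug  2 11:20:09 mx sshd[123]: Failed password for root from 203.0.113.99 port 2222 ssh2'

case "${1:-}" in
    setup)  setup_blacklist ;;
    net)    ban_net  "${2:-}" ;;
    host)   ban_host "${2:-}" ;;
    hits)   summarize_hits ;;
    demo)   printf '%s\n' "$SAMPLE_LOG" | summarize_hits ;;
esac
```

Two things to watch in practice: fail2ban's stock iptables actions insert their own jump rules at the top of INPUT when a jail starts, so run `setup` after fail2ban has started (or whenever it restarts) to keep the BLACKLIST jump in first position; and ipset contents do not survive a reboot, so dump them with `ipset save` and restore them before the firewall rules are loaded. The script itself is written for dry-run testing with `DRY_RUN=1 sh blacklist.sh setup`, then `sh blacklist.sh setup` as root once the output looks right.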
