Sure - I'd like to see the blocklist.de script.

I figure, though, that with something like that you're still blocking individual IPs, right? Or does blocklist.de include netmasks? I have over 4000 in one of my aggravated activity blacklists, and I'm concerned that having too large a list may be too resource intensive.

What I'm thinking I might do is write some sort of script that begins to analyze the bot traffic, identifies which network ranges most of it is coming from, and then helps me pick the appropriate IP ranges to reject. I think I may be able to come up with < 100 IP ranges that might block 80% of the rogue traffic.

Is anybody cutting out any really big blocks? Like the Chinese class As? I've done this with a relay blacklist to great success but haven't tried it with iptables and all my ports.

At 12:16 AM 8/3/2019, Jason Tibbitts wrote:
>>>>> "M" == Mike <[email protected]> writes:

M> I'm seeing botnets that operate from hundreds, if not thousands of
M> distinct IP addresses and spread their brute force and dictionary
M> attacks out, so they're not triggered by f2b.

I did get tired of seeing basically thousands of banned IP notices, and
so I moved to the current development code so I could make use of the
progressive ban time growth functionality.  So for an ssh server where I
expect people to occasionally flub a password, I ban after a few tries
for five minutes, then five minutes again, then something on the order
of months.  I think they'd have to have a much larger set of available
IPs from which to attack if they wanted to be able to actually brute
force any passwords while not doing more than four attempts per day per
host.  Especially since they almost never seem to actually try a valid
account name.

But even that leads to a tiring number of emails about blocking hosts,
so I implemented a simple script to fetch lists from blocklist.de and
cream those in an ipset.  I fetch the list every few hours from a
systemd timer unit.  That's cut down the amount of blocks I make by
something on the order of 90%.  I find that the SSH attack list usually
contains about 8000 addresses.

Note that this is implemented completely independently from fail2ban; I
just call firewall-cmd to add a direct rule (in the same manner that
fail2ban does) and then load the addresses in by calling ipset in a
loop.  There's nothing persistent; it's run via a systemd timer and
executes shortly after boot in addition to every few hours.

Of course, to be polite, you may want to also set up the reporting of
attacks you receive to blocklist.de; that's already supported by default
in fail2ban.  And I know there's another service that does something
similar, but they seem to want money.  blocklist.de works well enough for
me.

The script is unpolished; I only hacked it together last week and never
bothered to polish it.  If that's the kind of thing you're looking for,
I can pass it along.

 - J<
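A worked sketch of the range analysis Mike proposes, which also renders the ipset lines Jason's loop would feed; this is an added example, not either poster's script. It assumes the input is a plain newline-separated IPv4 list (as blocklist.de publishes, or as dumped from fail2ban's bans), a greedy "busiest /24 first" ranking, and an existing ipset of type hash:net named `bots` (set name is an assumption).

```python
import ipaddress
from collections import Counter

# Constructed sample list (RFC 5737 documentation addresses, not real offenders),
# in the one-address-per-line shape blocklist.de and fail2ban produce.
SAMPLE_IPS = """
203.0.113.7
203.0.113.9
203.0.113.200
203.0.113.201
198.51.100.4
198.51.100.77
192.0.2.1
192.0.2.2
192.0.2.3
203.0.113.55
# comments, blanks and malformed lines are skipped
not-an-ip
"""

def parse_ips(text):
    """Return the valid IPv4 addresses in a newline-separated list."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.append(ipaddress.IPv4Address(line))
        except ValueError:
            continue  # junk line: ignore rather than abort the whole load
    return ips

def rank_prefixes(ips, prefixlen=24):
    """Count offenders per /prefixlen network, busiest network first."""
    nets = (ipaddress.IPv4Network((ip, prefixlen), strict=False) for ip in ips)
    return Counter(nets).most_common()

def pick_ranges(ips, coverage=0.8, prefixlen=24):
    """Greedily take the busiest networks until they cover `coverage` of all
    offending addresses. Returns (chosen networks, addresses covered)."""
    total, chosen, covered = len(ips), [], 0
    for net, n in rank_prefixes(ips, prefixlen):
        if covered >= coverage * total:
            break
        chosen.append(net)
        covered += n
    return chosen, covered

def ipset_commands(networks, setname="bots"):
    """Render the add lines for a hash:net ipset (assumed set name `bots`)."""
    return [f"ipset add {setname} {net} -exist" for net in networks]

if __name__ == "__main__":
    ips = parse_ips(SAMPLE_IPS)
    nets, covered = pick_ranges(ips)
    print(f"{len(nets)} ranges cover {covered}/{len(ips)} addresses")
    print("\n".join(ipset_commands(nets)))
```

Run against a real list, the ratio of ranges chosen to addresses covered is the number Mike is after; with many small /24 buckets, a larger `prefixlen` such as 16 shows whether whole class Bs carry most of the traffic.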

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users