My fundamental reason for blacklists is to reduce log noise. Without them,
I get about 30-50 messages of probes a day from China, Russia, Amazon, and
Digital Ocean. (I maintain separate block lists for those two cloud
providers. Amazon publishes its net blocks but DO has to be gathered using
3rd party sources.) I update the NonUS list about once a month when I
notice more fail2ban emails. My users rarely leave the US but they do
vacation around the country and may post from a corporate site that's in one
of the big class A's or B's.
The main service I leave open is http/https, mainly because LetsEncrypt
queries could come from anywhere. So I still see probes for vulnerabilities
in various web apps in my fail2ban traffic.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users