As I don't open SSH any more, I don't see the issue, but there was one
notorious Chinese subnet which did this. The best thing to do is just to
permanently block the whole subnet in your firewall.
I do subnet blocks for one rule in a Postfix filter as no one should be
sending mail from a dynamic IP. I use this to block
.dynamic.163data.com.cn and .mari-el.ru IP blocks but this technique is
not really applicable to SSH.
Nick
On 16/06/2020 09:15, Jonathan Aquilina via Fail2ban-users wrote:
I have observed this behaviour on my cPanel shared server. In the
beginning this issue seemed to be rather problematic, but permanently banning
the IPs has really brought down the number of attacks on my server from when I
started with it.
In terms of your last question I am not sure to be fair.
-----Original Message-----
From: Gary R. Schmidt <[email protected]>
Sent: 16 June 2020 09:55
To: [email protected]
Subject: [Fail2ban-users] Use of rolling /24 addresses
Has anyone else noticed the use of rolling /24 IP addresses to avoid fail2ban
being triggered?
In reviewing my logs I noticed that I was getting a bunch of attempts
from 5.188.211.{14,15,16,17,...}, spread out over a long enough interval
that fail2ban did not see them as a bad actor.
Has anyone else seen the same?
And is there a way to help fail2ban recognise attempts from the same set
of Class C addresses?
Cheers,
Gary B-)
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
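
An added example, not part of any message in this thread and not fail2ban code: a standalone Python script that groups sshd failures by /24 over a long window, which is the aggregation the original question asks about. The log lines are constructed, and the function name, window and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd auth-log format; 5.188.211.x is the range from the thread.
SAMPLE_LOG = """\
Jun 16 01:00:05 host sshd[101]: Failed password for root from 5.188.211.14 port 40001 ssh2
Jun 16 01:40:11 host sshd[102]: Failed password for invalid user admin from 5.188.211.15 port 40002 ssh2
Jun 16 02:20:42 host sshd[103]: Failed password for root from 5.188.211.16 port 40003 ssh2
Jun 16 02:25:00 host sshd[104]: Failed password for bob from 203.0.113.7 port 51000 ssh2
Jun 16 03:05:19 host sshd[105]: Failed password for invalid user test from 5.188.211.17 port 40004 ssh2
Jun 16 03:50:33 host sshd[106]: Failed password for root from 5.188.211.14 port 40005 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) "
)

def rolling_subnets(log_text, year=2020, prefix=24, window=timedelta(hours=6),
                    min_hosts=3, min_failures=5):
    """Return {cidr: (distinct_hosts, failures)} for subnets over both thresholds."""
    events = defaultdict(list)  # network -> [(timestamp, ip), ...]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        net = ipaddress.ip_network(f"{m.group(2)}/{prefix}", strict=False)
        events[net].append((ts, m.group(2)))
    flagged = {}
    for net, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink from the left until the span fits inside the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            hosts = {ip for _, ip in span}
            if len(hosts) >= min_hosts and len(span) >= min_failures:
                flagged[str(net)] = (len(hosts), len(span))
    return flagged

if __name__ == "__main__":
    for cidr, (hosts, fails) in rolling_subnets(SAMPLE_LOG).items():
        print(f"{cidr}: {fails} failures from {hosts} hosts")
```

With a one-hour window the same sample flags nothing, which mirrors the per-address, short-interval counting the attempts were spaced to slip past.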