Post AraJrRQViCP6xZp9uK by corsac@mastodon.social
 (DIR) Post #AraJrRQViCP6xZp9uK by corsac@mastodon.social
       2025-02-28T14:26:19Z
       
       0 likes, 0 repeats
       
       Is there a way for fail2ban to watch/ban IP ranges instead of single IPs? There are often multiple bots in subnets trying to abuse services and these days it doesn't really make sense to ban IPs individually I think.
       
 (DIR) Post #AraJrSnabsSXDRd6WG by bortzmeyer@mastodon.gougere.fr
       2025-02-28T17:56:12Z
       
       0 likes, 0 repeats
       
       @corsac The problem is that fail2ban cannot know the length of the IP address prefix without doing external requests (RDAP to the RIR or some HTTP query to a BGP info API).
       
 (DIR) Post #AraWhjKrZSg10mslNY by MacLemon@chaos.social
       2025-02-28T20:20:02Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @corsac It’s easy to produce broad false positives even with a single IP these days. Thanks to CG-NATv4, blocking a single IPv4 can rid you of a ton of legitimate users. Blocking a whole range can also block many legitimate and innocent users just because a single infected machine is coughing.
       
 (DIR) Post #AraXS6IoVqJPYz2Dpo by bortzmeyer@mastodon.gougere.fr
       2025-02-28T20:28:30Z
       
       0 likes, 0 repeats
       
       @MacLemon @corsac Indeed. Should one bad guy rent a VM at a multi-tenant host like DigitalOcean, Hetzner or OVH, you would not want to block users who are just close (in IP addressing terms) to the bad guy.
       
 (DIR) Post #Arfh0uPea40CCXhrKS by corsac@mastodon.social
       2025-03-03T08:09:05Z
       
       0 likes, 0 repeats
       
       @bortzmeyer Yes but external requests might not be an issue here (I don't think there's a need to have a complete local DB copy)
       
 (DIR) Post #ArfhAJodVDOVaqsXi4 by corsac@mastodon.social
       2025-03-03T08:10:48Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @MacLemon Indeed but it's actually just for my home server so it's not really an issue. I'm used to manually banning whole IP ranges and actually in some cases I'm just adding allowlists for some specific IP ranges where I know my few users will actually be.
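
An added example, not part of the thread and not fail2ban code: one way to turn a list of offending addresses into range bans without external lookups, while keeping allowlisted ranges untouched. The fixed /24 and /64 lengths, the threshold of three distinct hosts, and the names `covering_net` and `plan_bans` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed aggregation lengths: the real allocation size is not known locally
# (that would need an RDAP or BGP lookup), so these are fixed guesses.
PREFIX_LEN = {4: 24, 6: 64}

# Constructed sample data (documentation address ranges only).
SAMPLE_OFFENDERS = [
    "203.0.113.5", "203.0.113.77", "203.0.113.200", "203.0.113.5",
    "198.51.100.9",
    "192.0.2.40", "192.0.2.41", "192.0.2.42",
    "2001:db8:1:2::a", "2001:db8:1:2::b", "2001:db8:1:2::c",
]
SAMPLE_ALLOWLIST = ["192.0.2.0/28"]


def covering_net(addr):
    """Network of the assumed length that contains addr."""
    return ipaddress.ip_network(f"{addr}/{PREFIX_LEN[addr.version]}", strict=False)


def plan_bans(offenders, allowlist=(), min_hosts=3):
    """Return (range_bans, single_bans) as lists of strings."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    groups = defaultdict(set)
    for ip in offenders:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue  # never ban an allowlisted address
        groups[covering_net(addr)].add(addr)  # set: repeats count once

    ranges, singles = [], []
    for net, hosts in groups.items():
        touches_allowed = any(net.overlaps(a) for a in allowed)
        if len(hosts) >= min_hosts and not touches_allowed:
            ranges.append(net)
        else:
            # Too few distinct hosts, or the range would swallow allowlisted
            # users: fall back to per-address bans.
            singles.extend(hosts)
    ranges.sort(key=lambda n: (n.version, int(n.network_address)))
    singles.sort(key=lambda a: (a.version, int(a)))
    return [str(n) for n in ranges], [str(a) for a in singles]


if __name__ == "__main__":
    print(plan_bans(SAMPLE_OFFENDERS, SAMPLE_ALLOWLIST))
```

A range is only proposed when several distinct hosts in it misbehave, which limits the collateral blocking raised in the replies but does not remove it for CG-NAT or multi-tenant hosting ranges.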