A python script that group IPs into network range, to block attacks from a network range address, from CIDR /18 up to /30. (CIDR range now is configurable)
📛 Please be carefull to not block youself!
You may also like this project: fail2ban-netstat-synrecv-flood
Fail2Ban netstat SYN_RECV Flood attack CIDR prevention. This fail2ban filter/jail/script can work toghether with fail2ban-block-ip-range
https://github.com/WKnak/fail2ban-netstat-synrecv-flood
- Check Python version by running
python3 -V
orpython -V
- Check fail2ban version by running
fail2ban-client -V
- Clone the source code to a local folder
cd /usr/local/src
git clone https://github.com/WKnak/fail2ban-block-ip-range.git
cd fail2ban-block-ip-range
- Copy main python script into bin directory
cp fail2ban-block-ip-range.py /usr/bin
- Make it executable
chmod a+x /usr/bin/fail2ban-block-ip-range.py
/usr/bin/fail2ban-block-ip-range.py
Add following extension to /etc/crontab
using crontab -e
command (check the proper user)
*/5 * * * * /usr/bin/fail2ban-block-ip-range.py
*/5 * * * * root /usr/bin/fail2ban-block-ip-range.py
- watch output of cron log (usually
/var/log/cron
) - watch e-mails sent to root (in case of script send something to stdout/stderr)
- Store unit files into /usr/lib/systemd/system/
- Reload systemd with
systemctl daemon-reload
- Run a one-shot for testinger with
systemctl enable fail2ban-block-ip-range.timer
- Check journald with
journalctl -b 0 -u fail2ban-block-ip-range.service
- Enable the timer with
systemctl enable fail2ban-block-ip-range.timer
- Check journald with
journalctl -b 0 -u fail2ban-block-ip-range.timer
Note: output of the script to stdout/stderr will be logged to journald
Fail2Ban is too old, it does not know how to retrieve current status of a banned IP.
Active SELinux can prevent the script from being executed by cron/systemd!
Solution: toggle SELinux to run in permissive mode and create from all the logged events then a policy extension.
Count and IPs found at last 1k lines of fail2ban.log
108 postfix-sasl 45.142.120.135
107 postfix-sasl 45.142.120.62
105 postfix-sasl 45.142.120.99
105 postfix-sasl 45.142.120.93
105 postfix-sasl 45.142.120.192
104 postfix-sasl 45.142.120.87
104 postfix-sasl 45.142.120.60
104 postfix-sasl 45.142.120.209
104 postfix-sasl 45.142.120.200
104 postfix-sasl 45.142.120.133
103 postfix-sasl 45.142.120.180
103 postfix-sasl 45.142.120.149
102 postfix-sasl 45.142.120.59
100 postfix-sasl 45.142.120.215
78 postfix-sasl 45.142.120.57
78 postfix-sasl 45.142.120.11
77 postfix-sasl 45.142.120.82
77 postfix-sasl 45.142.120.20
76 postfix-sasl 45.142.120.63
76 postfix-sasl 45.142.120.34
76 postfix-sasl 45.142.120.138
73 postfix-sasl 45.142.120.65
6 apache-auth 45.150.206.113
3 postfix-sasl 123.30.50.91
2 sshd 5.188.206.204
2 apache-auth 45.150.206.119
2 apache-auth 45.150.206.115
2 apache-auth 45.150.206.114
1 sshd 51.210.127.200
Resulting blocked IP and IP Ranges (above 10 events):
fail2ban-client set postfix-sasl banip 45.142.120.0/24
fail2ban-client set apache-auth banip 45.150.206.112/29