block a whole IP range with fail2ban – Righters Blog

Author: righter16

Updated on 08.09.16 for Debian Jessie

Fail2Ban is really cool. I use it to block SSH attacks. But I wanted to block the whole IP range of the attacker.
Some guys don’t think this is a good idea. But in my opinion it is. It depends on the service which you observe with fail2ban. In my case, I don’t see any problems with blocking the whole range for SSH. If you use it for protecting your mail server, it is definitely not a good idea 🙂

First of all copy the original action to a new one:

cp /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport-range.conf

Create this file, which gets the CIDR of the IP (I’ve edited this script: if no inetnum is found, it uses the single IP):

Make the file executable:

chmod +x /etc/fail2ban/

Change the un/ban actions in the script (Thanks to stephan for a modified version):

nano /etc/fail2ban/action.d/iptables-multiport-range.conf
actionban = /etc/fail2ban/  | while read PREFIX; do iptables -C fail2ban- -s $PREFIX -j DROP >/dev/null || iptables -I fail2ban- 1 -s $PREFIX -j DROP; done
actionunban = /etc/fail2ban/  | while read PREFIX; do iptables -D fail2ban- -s $PREFIX -j DROP; done

Change the banaction in jail.conf:

nano /etc/fail2ban/jail.conf
banaction = iptables-multiport-range

Restart fail2ban

/etc/init.d/fail2ban restart

Then you will see that the whole range is blocked (in the log file you still see the single IP):

2014-12-10 11:56:53,322 fail2ban.actions: WARNING [ssh] Ban
Chain fail2ban-sshx (1 references)
target     prot opt source               destination
DROP       all  --                       anywhere
RETURN     all  --  anywhere             anywhere
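
The helper that "gets the CIDR of the IP" is not reproduced on this page. As an added example (not the author's script), this is one way such a helper could look in Python: it validates the IP, reads `inetnum` lines from whois output, prints one CIDR prefix per line for the `while read PREFIX` loop, and falls back to the single IP. It goes beyond the text by also accepting `NetRange` lines and refusing ranges wider than a /16; the function names, that cap and the sample whois text are assumptions of this example.

```python
#!/usr/bin/env python3
"""Print the CIDR prefix(es) to ban for one IP, derived from its whois record."""
import ipaddress
import re
import subprocess
import sys

MIN_PREFIXLEN = 16  # assumption: never ban anything wider than a /16
RANGE_RE = re.compile(r"^(?:inetnum|NetRange):[ \t]*(\S+)[ \t]*-[ \t]*(\S+)\s*$", re.I | re.M)

# Constructed whois excerpt (documentation addresses) with parent and child objects.
SAMPLE_WHOIS = """\
inetnum:        198.51.0.0 - 198.51.255.255
netname:        EXAMPLE-PARENT
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-CHILD
"""


def prefixes_for(ip_text, whois_text):
    """Return the CIDR strings covering ip_text, or the single IP as /32."""
    ip = ipaddress.IPv4Address(ip_text)  # ValueError on anything but an IPv4 address
    best = None
    for first, last in RANGE_RE.findall(whois_text):
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            nets = list(ipaddress.summarize_address_range(lo, hi))
        except ValueError:
            continue  # malformed or reversed range
        if not lo <= ip <= hi:
            continue  # record does not cover the offender
        size = int(hi) - int(lo)
        if best is None or size < best[0]:
            best = (size, nets)  # the most specific object wins
    if best is None or any(n.prefixlen < MIN_PREFIXLEN for n in best[1]):
        return [f"{ip}/32"]  # no inetnum found, or allocation too wide
    return [str(n) for n in best[1]]


def main(argv):
    ip = str(ipaddress.IPv4Address(argv[1]))  # validate before calling whois
    try:
        out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20).stdout
    except (OSError, subprocess.SubprocessError):
        out = ""  # whois missing or timed out: ban only the single IP
    print("\n".join(prefixes_for(ip, out)))


if __name__ == "__main__":
    main(sys.argv)
```

A range that is not aligned to a single prefix yields several lines, which is why the ban action reads the output in a loop.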