Comment by kevin_thibedeau
11 hours ago
I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.
11 hours ago
I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.
I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24.
Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!
P.S. I wholeheartedly support your choice of blocking for your reasons.
> bunch of organisations that just probe the entire IPv4 range on a regular basis
Yep, #1 source of junk traffic, in my experience. I set those prefixes go right into nullroute on every server I set up:
https://raw.githubusercontent.com/UninvitedActivity/Uninvite...
#2 are IP ranges of Azure, DO, OVH, vultr, etc... A bit harder to block those outright.
In my servers I dont have IPv4 at all, just IPv6 only.
On the plus side, it does not waste CPU cycles used to block unwanted IPv4 traffic.
> trying to map it for 'security' purposes.
Yes. Fucking censys and internet-measurement and the predatory "opt-out" of scans. What about opting-in to scan my website? Fuck you, i'm blocking you forever
Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.
Back in the day - port knocking was a perfect fit for this eventuality.
Nowadays, wireguard would probably be a better choice.
(both of above of course assume one is to do a sensible thing and add "perma-bans" a bit lower in firewall rules, below "established" and "port-knock")
Good network admins have contingencies for contingencies for contingencies.