8000 Ban C Class networks / C-Class-recidive · Issue #953 · fail2ban/fail2ban · GitHub

Ban C Class networks / C-Class-recidive #953


Closed
szepeviktor opened this issue Feb 11, 2015 · 14 comments

Comments

@szepeviktor (Member)

```sh
# select the first 3 octets of the banned IPs (the /24 each one sits in)
# sort by number of occurrences
# TOP10
sqlite3 fail2ban.sqlite3 'select ip from bans;'|cut -d'.' -f1-3 \
    |sort -n|uniq -c|sort -n \
    |tail
```

Is it a good idea to ban the whole C Class after N bans in it?

@szepeviktor (Member Author)

My output is

```
      9 46.174.67
     10 85.195.91
     11 46.118.29
     11 92.63.88
     13 212.129.63
     15 31.204.130
     18 94.23.33
     23 188.40.141
     23 46.105.113
     26 193.104.41
```
I would set N to 20, that is an 8% density.

@szepeviktor (Member Author)

Could it be implemented as 1 sqlite query?
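The counting step the shell pipeline above does (first three octets, count, sort) can be expressed as one SQLite query, as this added example shows. It is not fail2ban's own code: it assumes fail2ban 0.9's `bans` table layout (`jail`, `ip`, `timeofban`, `data`), builds an in-memory copy of it from constructed sample rows, and groups IPv4 bans by their /24 with a threshold like the N discussed above. The query uses SQLite's two-argument `rtrim()` to drop the last octet, so it needs no Python-side parsing of the address.

```python
"""Count fail2ban bans per /24 with a single SQLite query.

Added example, not fail2ban's own code. The `bans` schema below is an
assumption modelled on fail2ban 0.9; the rows are constructed sample
data, not real bans.
"""
import sqlite3

# Assumed fail2ban 0.9 schema (column names as used by its database code).
SCHEMA = """
CREATE TABLE bans (
    jail TEXT NOT NULL,
    ip TEXT,
    timeofban INTEGER NOT NULL,
    data JSON
);
"""

# Constructed sample data: 3 bans in 203.0.113.0/24, 2 in 198.51.100.0/24,
# one host banned twice in 192.0.2.0/24, plus an IPv6 row to show it is skipped.
SAMPLE_BANS = [
    ("sshd", "203.0.113.5", 1423612800, "{}"),
    ("sshd", "203.0.113.17", 1423612860, "{}"),
    ("sshd", "203.0.113.200", 1423612920, "{}"),
    ("apache-auth", "198.51.100.9", 1423613000, "{}"),
    ("apache-auth", "198.51.100.10", 1423613060, "{}"),
    ("sshd", "192.0.2.44", 1423613120, "{}"),
    ("sshd", "192.0.2.44", 1423616720, "{}"),   # same host, second ban
    ("sshd", "2001:db8::1", 1423616780, "{}"),  # IPv6: excluded from /24 grouping
]

# rtrim(ip, '0123456789') strips the last octet's digits, leaving "a.b.c.";
# the outer rtrim strips the trailing dot. Only IPv4 rows are grouped, and
# both total bans and distinct hosts are reported, since one repeat offender
# is not the same thing as a network full of attackers.
QUERY = """
SELECT rtrim(rtrim(ip, '0123456789'), '.') AS net24,
       count(*)           AS n_bans,
       count(DISTINCT ip) AS n_hosts
FROM bans
WHERE ip NOT LIKE '%:%'
GROUP BY net24
HAVING count(*) >= ?
ORDER BY count(*) DESC, net24
"""


def open_sample_db():
    """Build an in-memory DB with the assumed schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", SAMPLE_BANS)
    conn.commit()
    return conn


def busiest_nets(conn, threshold):
    """Return [(net24, n_bans, n_hosts), ...] for every /24 with >= threshold bans."""
    return [tuple(row) for row in conn.execute(QUERY, (threshold,))]


if __name__ == "__main__":
    db = open_sample_db()
    for net, bans, hosts in busiest_nets(db, 2):
        print(f"{bans:4d} bans from {hosts} host(s) in {net}.0/24")
```

Against a real `fail2ban.sqlite3` the same `QUERY` can be run with `sqlite3.connect(path)` in place of `open_sample_db()`. It only produces the ranking; whether a high count justifies acting on the whole /24 is a separate question, and the rest of this thread argues it does not, because a /24 can be split between unrelated allocations.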

@szepeviktor szepeviktor changed the title Ban C Class networks Ban C Class networks / C-Class-recidive Feb 11, 2015
@leeclemens (Contributor)

@szepeviktor Members of a class C network may not be from the same country - so I think this is not a good idea in practice. What correlation is there between one IP being banned and every other IP in the same class C network (other than being in the same class C network, obviously)?

@szepeviktor (Member Author)

Here I read that a class C network has 256 IPs, so 1.2.3.*. Have you seen a C class that spreads over two countries?

@szepeviktor (Member Author)

BTW. You may keep this limit at 100 to be sure it is a botnet.

@leeclemens (Contributor)

Yes, that is what a class C address is - if classful networking was still used (see below).

RIRs are responsible for multiple countries - and can (and do) allocate networks to different countries which are both subsets of the same /24 network (e.g. a /25 to an ISP in Germany and the other /25 to an ISP in Ukraine).

There is no basis for what you are attempting to do, so I don't think it matters what limit or threshold - as associating all members of the /24 is flawed logic from the start.

I was using "class C network" as a general term for a /24 network.

From the wikipedia article you cited:
"Classful networking was replaced by Classless Inter-Domain Routing (CIDR), starting in 1993 with the specification of RFC 1518 and RFC 1519...."

@szepeviktor (Member Author)

Because fail2ban sends me more than 50 emails, I still do:

```apache
## disable auth from attackers
<FilesMatch "(wp-login|xmlrpc)\.php$">
<Limit POST>
    Order Allow,Deny
    Allow from all
    # BT Italia S.p.A.
    Deny from 78.4.0.0/16
    Deny from 78.5.0.0/16
    Deny from 78.6.0.0/16
    Deny from 78.7.0.0/16
    Deny from 78.7.115.0/24
    # Fastweb S.p.A.
    Deny from 89.96.0.0/15
    Deny from 93.48.0.0/13
    Deny from 93.56.0.0/14
    Deny from 93.60.0.0/15
</Limit>
</FilesMatch>
```

@szepeviktor (Member Author)

Do you have something on your mind?

@leeclemens (Contributor)

@szepeviktor Given what I said and the two IPs you found that are so close, but allocated to different countries, do you still believe it is a good idea to block entire /24's based on one or some number of individual IP's being banned?

@szepeviktor (Member Author)

No. It is a bad idea.

@szepeviktor (Member Author)

Could you help me reduce the number of emails? Maybe based on whois netname:?

@leeclemens (Contributor)

I think the email quantity topic is covered in Issue #832. Can this one be closed?

@szepeviktor (Member Author)

I am sorry. I can only do debugging in Python. It would be nice to have fewer emails.
