LinuxQuestions.org > Linux - Security > automatically detecting and blocking an ip address range
https://www.linuxquestions.org/questions/linux-security-4/automatically-detecting-and-blocking-an-ip-address-range-4175454007/

compused 03-14-2013 02:05 AM

automatically detecting and blocking an ip address range
 
Hi
Fail2ban is showing e.g.:
Thu Mar 14 16:55:18 EST 2013: 218.86.50.190 (3 failures)
Thu Mar 14 16:58:57 EST 2013: 204.12.228.50 (4 failures)
Thu Mar 14 17:00:27 EST 2013: 59.58.137.28 (3 failures)
Thu Mar 14 17:06:47 EST 2013: 218.86.50.106 (3 failures)
Thu Mar 14 17:15:41 EST 2013: 218.86.50.68 (3 failures)

So looking at the 218.86.50.x example, which reports as coming from China*, I really see no point in blocking just the one IP address as the hacker comes back with a different - I think the terminology is - 'host address', e.g. .106 instead of .190, well before the fail2ban 'bantime' expires.

Is there any way of automatically detecting and blocking an IP host-address range with fail2ban or some other way?

*I know you can't really presume that's where the problem is based.
Thanks
Compused

jschiwal 03-14-2013 02:58 AM

You can select an entire subnet: -s 218.86.50.0/24 in iptables
You can also use the iprange extension:
iptables -A INPUT -m iprange --src-range 74.125.229.164-74.125.229.174

For ssh logins, the /var/log/auth or /var/log/messages logs are parsed. The log won't indicate a range. I think the best thing to do is to add iptables rules dropping blocks of IPs, especially for ssh and email ports. Dropping blocks assigned to China at the firewall is common for domestic company email servers. You might want to check the ICANN registry to find how large a range of IPs you can block.

Assigning a high order port for ssh will greatly reduce the number of bot and script kiddie brute force attempts.

Noway2 03-14-2013 04:12 AM

Blocking entire systems, especially in IPv4 space, can be difficult because the IPv4 address space is allocated like a block of Swiss cheese. As jschiwal suggested you can try to block the whole IP range, and sometimes a whois report will give you the range in question. For example, the IP you mentioned is in the allocated range 218.85.0.0 - 218.86.127.255. Unfortunately, this isn't the whole story as the provider has a lot more blocks to pick from. The next step is to get the AS, or autonomous system, number and from this you can get the list of IP addresses. This site can do that for you: http://asn.cymru.com/ Using your example, we can see that the IP is in AS4134. Now the next step is to find the IP addresses allocated to this system. An older post by unSpawn has a script to do this, and the website is still up, though the script may need to be tweaked a little bit. The script takes the page and hacks out the IP addresses and makes an IPTables filter from it. Here is a link to the info for that AS. From this we can see that there are an absolute boat load of IP addresses in this network. However, here is an interesting tidbit. That particular IP range has this notation:
Code:

218.86.0.0/17        4777 2516 4134      - Withdrawn - aggregated with 218.86.128.0/17 (4777 2516 4134)
Which says that the original allocation 218.86.0.0 has been replaced with 218.86.128.0/17. If we look up the list a little higher we see this:
Code:

218.84.0.0/14        4777 2516 4134      + Announce - aggregate of 218.84.0.0/15 (4777 2516 4134) and 218.86.0.0/15 (4777 2516 4134)
Which is a bigger aggregate block for this IP range of 218.84.0.0/14. Doing a CIDR mask mapping on this range shows that it runs from 218.84.0.0 to 218.87.255.255, which gives us fewer rules to put into IPTables. Of course there are a lot more for even this ISP.

compused 03-14-2013 04:39 AM

wow...being comprehensive creates complexity!

how about using ipset...as an IT non-professional, this is the simplest reference I can find:
http://www.linuxjournal.com/content/...urations-ipset

I did want to automate it
Compfused

jschiwal 03-21-2013 06:21 PM

Thanks compused. I had ipset in the back of my mind but didn't find it. The best tool probably depends on whether the OP can block a very large range, or needs to block scattered IP addresses in the range.
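The pieces discussed in this thread (the OP's per-/24 pattern in the fail2ban report, jschiwal's subnet rule, Noway2's aggregation of announced prefixes into a /14, and compused's ipset suggestion) can be chained into one small automation. The script below is an added example written for this page; it is not code from the thread, from fail2ban, or from the ipset project. It assumes fail2ban output in the exact shape quoted in the first post, a threshold of two distinct hosts per /24 before a prefix is considered hot, an ipset named f2b_ranges, and a constructed allocation list taken from the two /15 prefixes Noway2 quoted. It only prints the ipset/iptables commands; running them is left to the administrator.

```python
"""Turn fail2ban ban notices into ipset prefix blocks (added example, not thread code).

Uses only the Python standard library, so it runs offline on Python 3.7+.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the same shape as those quoted in the first post.
SAMPLE_LOG = """\
Thu Mar 14 16:55:18 EST 2013: 218.86.50.190 (3 failures)
Thu Mar 14 16:58:57 EST 2013: 204.12.228.50 (4 failures)
Thu Mar 14 17:00:27 EST 2013: 59.58.137.28 (3 failures)
Thu Mar 14 17:06:47 EST 2013: 218.86.50.106 (3 failures)
Thu Mar 14 17:15:41 EST 2013: 218.86.50.68 (3 failures)
"""

# Constructed allocation list: the two /15 prefixes quoted from the AS4134 page.
KNOWN_ALLOCATIONS = ["218.84.0.0/15", "218.86.0.0/15"]

LINE_RE = re.compile(r":\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\((\d+) failures?\)")


def parse_bans(text):
    """Return [(IPv4Address, failures)] from fail2ban-style report lines.

    Lines that do not match, or carry a malformed address, are skipped rather
    than aborting the whole run.
    """
    bans = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            bans.append((ipaddress.ip_address(m.group(1)), int(m.group(2))))
        except ValueError:
            continue
    return bans


def hot_prefixes(bans, prefixlen=24, min_hosts=2):
    """Group banned hosts by prefix; keep prefixes with >= min_hosts distinct hosts.

    This is the detection step the OP asked for: several different host
    addresses inside the same /24 within one report.
    """
    hosts = defaultdict(set)
    for ip, _ in bans:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
    return {net: sorted(h) for net, h in hosts.items() if len(h) >= min_hosts}


def aggregate_allocations(cidrs):
    """Collapse adjacent prefixes into the fewest covering blocks (e.g. two /15 -> one /14)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def widen(prefix, allocations):
    """Return the allocation block that contains prefix, or the prefix itself if none does."""
    net = ipaddress.ip_network(prefix)
    for alloc in allocations:
        if net.subnet_of(ipaddress.ip_network(alloc)):
            return alloc
    return str(net)


def ipset_commands(prefixes, setname="f2b_ranges"):
    """Build the shell commands that load prefixes into a hash:net ipset and drop matches."""
    cmds = [f"ipset -exist create {setname} hash:net"]
    for p in sorted(prefixes, key=ipaddress.ip_network):
        cmds.append(f"ipset -exist add {setname} {p}")
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


def build_plan(text, allocations=KNOWN_ALLOCATIONS):
    """End to end: parse -> find hot /24s -> widen to known allocations -> emit commands."""
    blocks = aggregate_allocations(allocations)
    hot = hot_prefixes(parse_bans(text))
    targets = {widen(str(net), blocks) for net in hot}
    return ipset_commands(targets)


if __name__ == "__main__":
    for cmd in build_plan(SAMPLE_LOG):
        print(cmd)
```

With the sample report, only 218.86.50.0/24 crosses the two-host threshold; the single hits from 204.12.228.50 and 59.58.137.28 are left to fail2ban's normal per-host ban. Because that /24 sits inside the aggregated 218.84.0.0/14, the emitted ipset entry is the /14, which is exactly the "fewer rules" outcome Noway2 describes. Using a hash:net set rather than one iptables rule per prefix is what makes compused's automation cheap to re-run.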

