A request has been made for fail2ban to be able to block whole IP address ranges
(CIDR blocks) rather than only single hosts.
Yaroslav Halchenko replied, saying
we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like
Well, at the time of this writing the current version is
Fail2Ban v0.8.6, and it does not have CIDR support out of the box. However, the string you pass to banip is handed unchanged to the jail's ban action (by default an iptables command), and iptables accepts CIDR notation, so you can still have
fail2ban block a whole range with a command like this (apache is the jail name; use one that is enabled in your jail.local):
fail2ban-client -vvv set apache banip 220.127.116.11/24
Note that iptables clears the host bits, so the resulting rule is stored and listed as 220.127.116.0/24.
Your fail2ban log file (probably
/var/log/fail2ban.log ) should record the ban you just added; the
-vvv flag makes fail2ban-client itself verbose. If the jail uses the default iptables action, you can also confirm the rule with iptables -L fail2ban-apache -n (the chain is named after the jail).
For the ban to take effect, you may need to wait until one of the log files fail2ban is monitoring changes. So check your /etc/fail2ban/jail.local file to see which jails are enabled, and then run
touch /path/to/file on a log file that jail is watching.
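Because 0.8.x forwards the banip argument straight into the iptables command without checking it (which is exactly why a /24 works at all), anything that scripts this trick should validate and normalize the range itself before calling fail2ban-client. The wrapper below is an added example, not code from the original post or from the fail2ban project: it rejects malformed addresses, prefixes and jail names, canonicalizes the range the way iptables will (220.127.116.11/24 becomes 220.127.116.0/24), and then issues the same command shown above. FAIL2BAN_CLIENT is an assumed override so the wrapper can be exercised without a running fail2ban; by default it calls the real fail2ban-client.

```shell
#!/bin/sh
# Added example (not from the original post or the fail2ban project).
# Wraps "fail2ban-client set <jail> banip <range>" for 0.8.x, where the range
# string is passed unchecked into the iptables action, so we validate it here.
# FAIL2BAN_CLIENT: assumed override for testing; defaults to fail2ban-client.

# Return 0 if "$1" is a dotted-quad IPv4 address with an optional /0-32 prefix.
# Leading zeros are rejected so later arithmetic never sees octal.
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no slash: a single host
    case "$prefix" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the canonical form of an IPv4 CIDR with the host bits cleared,
# e.g. 220.127.116.11/24 -> 220.127.116.0/24 (what iptables -L will show).
normalize_cidr() {
    valid_cidr "$1" || return 1
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0                               # avoid a 32-bit shift on 32-bit shells
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# ban_range <jail> <range>: validate both arguments, then run the same
# command the post uses. Jail names are restricted to a simple allow-list
# because the name also ends up in the iptables chain name (fail2ban-<jail>).
ban_range() {
    jail=$1; range=$2
    case "$jail" in
        ''|*[!A-Za-z0-9_-]*) echo "bad jail name: $jail" >&2; return 2 ;;
    esac
    net=$(normalize_cidr "$range") || { echo "bad range: $range" >&2; return 2; }
    "${FAIL2BAN_CLIENT:-fail2ban-client}" -vvv set "$jail" banip "$net"
}

# Usage (needs root and a running fail2ban with an "apache" jail):
#   ban_range apache 220.127.116.11/24
```

Normalizing before the call means the range fail2ban records in its own ban list matches the rule iptables actually installs, which makes later unbanip and log checks unambiguous.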