A feature request asked for the ability in fail2ban to block whole IP address ranges rather than single addresses.
Yaroslav Halchenko replied, saying:
"we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like"
Well, at the time of this writing the current version is Fail2Ban v0.8.6, and it does not seem to have CIDR capabilities out of the box. However, you can still have fail2ban
block an IP address range by passing it in CIDR notation to the banip command, like this:
fail2ban-client -vvv set apache banip 1.2.3.0/24
Your fail2ban log file (probably /var/log/fail2ban.log) should have an entry for the rule you just added. The -vvv
flag tells the command to be verbose.
For the rule to take effect, you may need to wait until one of the files fail2ban is monitoring changes. So check your /etc/fail2ban/jail.local file, see what is enabled, and then run touch /path/to/file
on a log file you are watching with fail2ban.
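The manual ban above takes whatever string you give it, so a typo such as 1.2.3.0/0 would drop all traffic. The helper below is an added example and not code from the original post or from the fail2ban project: it validates the argument as an IPv4 CIDR before calling fail2ban-client, and then confirms through iptables that a matching rule exists instead of trusting the log line alone. The jail name "apache", the DRY_RUN switch and the iptables check are assumptions for this example; adjust them for your own jails.

```shell
#!/bin/sh
# Added example (not from the original post or the fail2ban project).
# Validate a CIDR, then ban it through fail2ban-client and check iptables.

# Return 0 if $1 is a plausible IPv4 CIDR (a.b.c.d/0-32), otherwise 1.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${1%/*}"
    prefix="${1#*/}"
    # prefix must be digits only and at most 32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    # exactly four dotted octets, each digits only and at most 255
    oldifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Ban a subnet in a jail (default "apache", as in the post).
# With DRY_RUN unset or 1 the command is only printed; with DRY_RUN=0 it is
# executed and the resulting iptables rule is looked up.
ban_subnet() {
    cidr="$1"
    jail="${2:-apache}"
    if ! valid_cidr "$cidr"; then
        echo "refusing to ban '$cidr': not a valid IPv4 CIDR" >&2
        return 2
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "fail2ban-client -vvv set $jail banip $cidr"
        return 0
    fi
    fail2ban-client -vvv set "$jail" banip "$cidr" || return 1
    # confirm the ban actually landed in the firewall, not just in the log
    iptables -S | grep -F -- "$cidr"
}

# usage: DRY_RUN=0 ban_subnet 1.2.3.0/24 apache
```

Run the script with DRY_RUN left unset first to see the exact fail2ban-client command it would issue; the iptables lookup at the end is what tells you the rule is really in place, which matters given the delay the post describes before a ban takes effect.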