It [has been requested](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724274) to have the ability in `fail2ban` to block whole IP address ranges.
Yaroslav Halchenko replied, saying
> we are working on the features which would occur in some 0.9.x release which would make it configurable out-of-the-box, but meanwhile you can just easily create an augmented action file where you would have customized iptables call with /XX to ban whatever big subnet you like
Well, at the time of this writing the current version is `Fail2Ban v0.8.6` – and it seems to not have CIDR capabilities out of the box. However, you can still have `fail2ban` block an IP address by using a command like this:
fail2ban-client -vvv set apache banip 1.2.3.0/24
Your fail2ban log file ( maybe `/var/log/fail2ban.log` ) should have information about the rule you just added. Also, the `-vvv` flag tells the command to be verbose.
For the rule to take effect, you may need to wait until one of the other files fail2ban is monitoring has a change. So check out your /etc/fail2ban/jail.local file, see what is enabled, and then run `touch /path/to/file` on a logfile you are watching with fail2ban