Dave McGuire writes:
We're getting hit with this BS all the time too. This is what happens when we can no longer spank our children.
I don't think it's all script kiddies, though. I actually look at this stuff rather than automating with fail2ban. Among other things there are attackers who have access to /16s and I'm not interested in whack-a-mole *sigh*. I also follow some of the usual suspects on Twitter (eg, @briankrebs) and I've seen at least two brand-new CVEs show up on my site in the same week.
For fail2ban, here's my jail.local entry:
Thanks! I'm sure this will be helpful to several users.
I don't know if this is optimal, but it works, and it's catching these little idiots left and right, a few dozen per day. My platform is Solaris (SmartOS).
My site is small, but I only see 0-10 (weighted to the low end) a day. You might want to sort the blocklist and ban a few netblocks if you haven't done that already. In one case (sorry, I forget the domain) I ended up searching out a domain's netblocks and banning all 3 of them.
Steve