On 7/15/22 01:21, Stephen J. Turnbull wrote:
We're getting hit with this BS all the time too. This is what happens when we can no longer spank our children.
I don't think it's all script kiddies, though. I actually look at this stuff rather than automating with fail2ban.
I used to look at them, for over a year, until I got fed up with it. It was taking way too much time away from the work I was supposed to be doing. I figured that I probably wouldn't be able to find the delinquent little twats that were doing it and break their fingers, so I finally bit the bullet and dealt with fail2ban's awful configuration system. Now I just check it every week or two and see the number of blocked IP addresses steadily growing, and smile.
Among other things there are attackers who have access to /16s and I'm not interested in whack-a-mole *sigh*. I also follow some of the usual suspects on Twitter (e.g., @briankrebs) and I've seen at least two brand-new CVEs show up on my site in the same week.
Right now I see over a hundred individual IP addresses in 114.119.137/24 in my list, yes.
For fail2ban, here's my jail.local entry:
Thanks! I'm sure this will be helpful to several users.
I hope so. If I can spare anyone else the pain of spending two solid hours with fail2ban's configuration-system-of-questionable-judgment, I'll count that as a win.
I don't know if this is optimal, but it works, and it's catching these little idiots left and right, a few dozen per day. My platform is Solaris (SmartOS).
My site is small, but I only see 0-10 (weighted to the low end) a day. You might want to sort the blocklist and ban a few netblocks if you haven't done that already. In one case (sorry, I forget the domain) I ended up searching out a domain's netblocks and banning all 3 of them.
Thanks, that's a good idea. Maybe I'll write a little script to do it.
-Dave
-- Dave McGuire, AK4HZ New Kensington, PA
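
The netblock consolidation suggested in the thread, sketched as an added example that is not part of the original message or anyone's actual script: it groups a list of banned addresses by enclosing network and replaces heavily populated networks with a single CIDR entry. The function names, the `min_hosts` threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ban list (RFC 5737 documentation ranges, not real offenders).
SAMPLE = [f"203.0.113.{i}" for i in range(10, 35)] + [
    "198.51.100.5", "198.51.100.77", "198.51.100.200",
    "198.51.100.77",   # duplicate entry
    "not-an-ip", "",   # junk lines an export might contain
]

def parse_ipv4(lines):
    """Return the set of valid IPv4 addresses found in lines, skipping junk."""
    found = set()
    for raw in lines:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue
        if addr.version == 4:
            found.add(addr)
    return found

def dense_netblocks(lines, prefix=24, min_hosts=20):
    """List (network, distinct banned hosts) for every /prefix network that
    holds at least min_hosts banned addresses, most populated first."""
    buckets = defaultdict(set)
    for addr in parse_ipv4(lines):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        buckets[net].add(addr)
    hits = [(net, len(h)) for net, h in buckets.items() if len(h) >= min_hosts]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def consolidated_bans(lines, prefix=24, min_hosts=20):
    """Ban list with dense networks collapsed to one CIDR entry each; addresses
    outside those networks stay as individual entries."""
    blocks = [net for net, _ in dense_netblocks(lines, prefix, min_hosts)]
    singles = [ipaddress.ip_network(f"{a}/32") for a in parse_ipv4(lines)
               if not any(a in b for b in blocks)]
    return [str(n) for n in ipaddress.collapse_addresses(blocks + singles)]

if __name__ == "__main__":
    for net, count in dense_netblocks(SAMPLE):
        print(f"{net}: {count} banned hosts")
    print("\n".join(consolidated_bans(SAMPLE)))
```

Raising `min_hosts` keeps sparsely populated networks as individual entries, which limits how many uninvolved addresses a netblock ban sweeps in; `collapse_addresses` may merge adjacent single addresses into a short prefix that covers exactly the same hosts.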