I am being attacked by an entire subnet where the first two parts of the IP address remain identical but the last two parts vary sufficiently that it is not caught by fail2ban since the attempts do not meet the cut-off of a certain number of attempts within the given time. Has anyone created a fail2ban filter for this type of attack? As of right now, I have manually banned a range of IP addresses but would like to automate it for the future.
Keith Christian
2020-Jan-09 01:44 UTC
[CentOS] Blocking attacks from a range of IP addresses
On Wed, Jan 8, 2020 at 5:37 PM H <agents at meddatainc.com> wrote:
> I am being attacked by an entire subnet where the first two parts of the
> IP address remain identical but the last two parts vary sufficiently that
> it is not caught by fail2ban since the attempts do not meet the cut-off of
> a certain number of attempts within the given time.
>
> Has anyone created a fail2ban filter for this type of attack? As of right
> now, I have manually banned a range of IP addresses but would like to
> automate it for the future.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Tough one.

Not the solution you're looking for, but until you have a solution, block the whole range in iptables.
one_Person_on_the_World
2020-Jan-09 02:05 UTC
[CentOS] Blocking attacks from a range of IP addresses
I have experience blocking DDoS attacks. Contact me in private if you have interest.

On Wed., 8 Jan. 2020, 8:45 p.m., Keith Christian <keith1christian at gmail.com> wrote:
> On Wed, Jan 8, 2020 at 5:37 PM H <agents at meddatainc.com> wrote:
>
> > I am being attacked by an entire subnet where the first two parts of the
> > IP address remain identical but the last two parts vary sufficiently that
> > it is not caught by fail2ban since the attempts do not meet the cut-off of
> > a certain number of attempts within the given time.
> >
> > Has anyone created a fail2ban filter for this type of attack? As of right
> > now, I have manually banned a range of IP addresses but would like to
> > automate it for the future.
>
> Tough one.
>
> Not the solution you're looking for, but until you have a solution, block
> the whole range in iptables.
Thomas Stephen Lee
2020-Jan-09 06:19 UTC
[CentOS] Blocking attacks from a range of IP addresses
On Thu, Jan 9, 2020 at 6:07 AM H <agents at meddatainc.com> wrote:
> I am being attacked by an entire subnet where the first two parts of the
> IP address remain identical but the last two parts vary sufficiently that
> it is not caught by fail2ban since the attempts do not meet the cut-off of
> a certain number of attempts within the given time.
>
> Has anyone created a fail2ban filter for this type of attack? As of right
> now, I have manually banned a range of IP addresses but would like to
> automate it for the future.

Hi,

I am not an expert, but you can try creating an ipset with the range you need and doing a drop in iptables or firewalld.
We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS 7.
fail2ban also uses ipsets in CentOS 7.

thanks
--
Lee
Hi,

You can drop it before the FW with a blackhole route.

DH

On Thu, 9 Jan 2020 at 7:21, Thomas Stephen Lee <lee.iitb at gmail.com> wrote:
> On Thu, Jan 9, 2020 at 6:07 AM H <agents at meddatainc.com> wrote:
>
> > I am being attacked by an entire subnet where the first two parts of the
> > IP address remain identical but the last two parts vary sufficiently that
> > it is not caught by fail2ban since the attempts do not meet the cut-off of
> > a certain number of attempts within the given time.
> >
> > Has anyone created a fail2ban filter for this type of attack? As of right
> > now, I have manually banned a range of IP addresses but would like to
> > automate it for the future.
>
> Hi,
>
> I am not an expert but,
> you can try creating an ipset with the range you need and do a drop in
> iptables or firewalld.
> We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS
> 7.
> fail2ban also uses ipsets in CentOS 7.
>
> thanks
> --
> Lee
> Has anyone created a fail2ban filter for this type of attack? As of
> right now, I have manually banned a range of IP addresses but would
> like to automate it for the future.
>
As far as I can see fail2ban only deals with hosts and not networks - I suspect the issue is what is a "network": It may be obvious to you looking at the logs that these are all related, but you run the risk that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and 1.2.0.124 may be interpreted as a concerted attack and you banning half the internet - but that may not be a bad thing :-)

What I've done in times of trouble is to be a bit more aggressive in why and how hosts are banned. It depends on how you are being attacked, but set the threshold so that 1 or 2 failures result in a ban, and then set the ban time to something fairly short. Repeat offenders will then quickly be picked up by the recidive filter and permanently banned.

A downside to this is that your firewall filters get very large and things will inevitably slow down, but it will at least give you the chance to manually block a whole range while still giving you a level of automated protection.

P.
On 1/9/20 2:08 AM, Pete Biggs wrote:
> > Has anyone created a fail2ban filter for this type of attack? As of
> > right now, I have manually banned a range of IP addresses but would
> > like to automate it for the future.
> >
> As far as I can see fail2ban only deals with hosts and not networks - I
> suspect the issue is what is a "network": It may be obvious to you
> looking at the logs that these are all related, but you run the risk
> that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and
> 1.2.0.124 may be interpreted as a concerted attack and you banning half
> the internet - but that may not be a bad thing :-)
>
> What I've done in times of trouble is to be a bit more aggressive in
> why and how hosts are banned. It depends on how you are being attacked,
> but setting the threshold to 1 or 2 failures resulting in a ban and
> then setting the ban time to something fairly short. Repeat offenders
> will then quickly be picked up by the recidive filter and permanently
> banned.
>
> A downside to this is that your firewall filters get very large and
> things will inevitably slow down, but it will at least give you the
> chance to manually block a whole range but still give you a level of
> automated protection.
>
> P.

Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable-size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.

One thing that has proven useful to me in dealing with these kinds of attacks is to look up the route for the specified IP address in the Internet routing tables and then block the entire CIDR block. You can also determine which autonomous system (AS number) the attack is coming from and block other routes owned by that provider.

Other options include determining the GeoIP location, i.e. country of origin of the attacks, and blocking by country.

"whois 12.12.12.12" will also provide useful information about the CIDR block that you are dealing with.

To look up routes on the Internet, connect to one of the route views servers, such as this:

    $ telnet route-server.ip.att.net

Follow the login instructions provided in the login banner, then give the command:

    show route 12.12.12.12

and it will show you that this IP is part of the larger CIDR block 12.12.0.0/20. So block 12.12.0.0/20 instead of just one IP (assuming your attacks are coming from a particular block). You'll have to consider whether the CIDR block that you are considering blocking will impact your users or not.

The att route-server is a Juniper. Some route servers are Ciscos, and there you would use commands like:

    show ip route 12.12.12.12

or

    show ip bgp 12.12.12.12

An example of a Cisco-based route server would be:

    telnet route-views.routeviews.org

http://routeviews.org/ lists a bunch of route views servers down near the bottom, which appear to be accessible by telnet. Note, quagga-based route servers are open source imitations of the Cisco command interface and have similar commands to the Ciscos.

Nataraj
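Lee's ipset-plus-DROP suggestion and Nataraj's point that fail2ban can invoke a script to block a CIDR fit together in one small script. The following is an added example, not code from this thread, from fail2ban or from any project; it assumes an ipset named attack_nets, a default /16 prefix (the "first two octets identical" case from the original post), and an action.d file that wires it in as actionban (the script path and set name are placeholders).

```shell
#!/bin/sh
# Added example: compute the network that contains an attacking address and
# drop that whole network via an ipset, either by hand or from fail2ban.
# Assumptions: set name "attack_nets", default prefix /16, and an action.d
# file wiring it in as   actionban = /usr/local/sbin/ban-net.sh <ip> 16
SET_NAME="${SET_NAME:-attack_nets}"   # hash:net set referenced by iptables
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only, 0 = execute

# network_of IP PREFIXLEN -> prints the enclosing CIDR, e.g. 203.0.113.9 16 -> 203.0.0.0/16
# Returns 1 for anything that is not a dotted quad with a prefix length of 0..32.
network_of() {
    addr=$1; len=$2
    case "$len" in ''|*[!0-9]*) return 1;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # clear the host bits with a mask; /0 is special-cased because a shift by 32 is undefined
    if [ "$len" -eq 0 ]; then m=0; else m=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    n=$(( n & m ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$len"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# ban_net IP PREFIXLEN: make sure the set and its DROP rule exist, then add the network.
# (With firewalld on CentOS 7 the equivalent is firewall-cmd --permanent --new-ipset=NAME
#  --type=hash:net, --zone=drop --add-source=ipset:NAME and --ipset=NAME --add-entry=NET.)
ban_net() {
    net=$(network_of "$1" "$2") || { echo "bad address or prefix: $1 / $2" >&2; return 1; }
    run ipset -exist create "$SET_NAME" hash:net
    if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    fi
    run ipset -exist add "$SET_NAME" "$net"
}

# Command-line entry: ban-net.sh IP [PREFIXLEN]; the prefix defaults to 16.
if [ $# -ge 1 ]; then ban_net "$1" "${2:-16}"; fi
```

Run with DRY_RUN=0 as root to apply; the default only prints the commands so you can check which range would be dropped before it touches the firewall.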
On Thu, Jan 09, 2020 at 11:49:59AM +0530, Thomas Stephen Lee wrote:
> On Thu, Jan 9, 2020 at 6:07 AM H <agents at meddatainc.com> wrote:
>
> > I am being attacked by an entire subnet where the first two parts of the
> > IP address remain identical but the last two parts vary sufficiently that
> > it is not caught by fail2ban since the attempts do not meet the cut-off of
> > a certain number of attempts within the given time.
> >
> > Has anyone created a fail2ban filter for this type of attack? As of right
> > now, I have manually banned a range of IP addresses but would like to
> > automate it for the future.
>
> Hi,
>
> I am not an expert but,
> you can try creating an ipset with the range you need and do a drop in
> iptables or firewalld.
> We have used ipsets with bare iptables in CentOS 6, and firewalld in CentOS
> 7.
> fail2ban also uses ipsets in CentOS 7.
>
Ditto, both in C6 and C7.

jl
--
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)