
Please note, I'm looking more for established documented best-practice rather than personal opinion in this question. I'm also not interested in Fail2Ban specifically but the class of technologies that Fail2Ban is a member of.

Fail2Ban et al track misbehavior by IP addresses, such as repeatedly attempting to log in with passwords from a dictionary until one succeeds. Once a single IP has hit a limit, all attempts from that IP are rejected, even if they guess the correct password in that time.

What should happen to the IP neighbors of that banned IP address? Someone attacking my servers might be trivially able to move to a neighboring IP by resetting their ISP router every so often. Do attackers actually do this in the real world?

If I've caught a.b.c.d failing to log in too many times, should I also ban all of a.b.c.0/24? How many bits is a reasonable boundary?

What about IPv6? I know that /64 is the rough equivalent of a single IPv4, but where is the equivalent block size for an IPv6 neighborhood?

Is there an established best practice document I can refer to that answers these questions?

billpg
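One way to make the neighborhood decision depend on evidence from several addresses in a block rather than on a single offender, so that one misbehaving IP does not take its whole /24 or /64 offline with it. This is an added illustration, not part of the question or of Fail2Ban itself; the block sizes, thresholds and sample addresses are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Block sizes taken from the question's own framing: /24 for IPv4, /64 for IPv6.
# Both are assumptions for this example, not a documented standard.
BLOCK_PREFIX = {4: 24, 6: 64}

# Constructed sample of failed-login counters keyed by source IP (not real data).
SAMPLE_FAILURES = [
    ("203.0.113.7", 12),     # one noisy host in an otherwise quiet /24
    ("203.0.113.8", 1),
    ("203.0.113.9", 1),
    ("198.51.100.2", 30),    # lone offender, no neighbors involved
    ("2001:db8:1::a", 6),    # three distinct hosts in the same /64
    ("2001:db8:1::b", 6),
    ("2001:db8:1::c", 6),
]


def block_of(ip_str):
    """Return the enclosing /24 (IPv4) or /64 (IPv6) network as a string."""
    ip = ipaddress.ip_address(ip_str)
    prefix = BLOCK_PREFIX[ip.version]
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def decide_bans(failures, ip_limit=5, min_offending_ips=3):
    """Ban individual IPs at ip_limit failures (the usual Fail2Ban behaviour).

    A whole block is banned only when at least min_offending_ips distinct
    addresses inside it have each crossed ip_limit on their own, so a single
    host cannot cause collateral blocking of its neighbors.
    Returns (banned_ips, banned_blocks) as two sets of strings.
    """
    banned_ips = set()
    offenders_per_block = defaultdict(set)
    for ip, count in failures:
        if count >= ip_limit:
            banned_ips.add(ip)
            offenders_per_block[block_of(ip)].add(ip)
    banned_blocks = {
        block for block, ips in offenders_per_block.items()
        if len(ips) >= min_offending_ips
    }
    return banned_ips, banned_blocks


if __name__ == "__main__":
    ips, blocks = decide_bans(SAMPLE_FAILURES)
    print("banned IPs:", sorted(ips))
    print("banned blocks:", sorted(blocks))
```

With the sample above only the IPv6 /64 is banned as a block; the two IPv4 /24s each contain a single offender and stay open for their other hosts.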
  • It is unlikely that they would block the neighbourhood. Yes, attackers can swap to a new IP from their ISP, but just as easy to use a VPN/Proxy/botnet and get a different block. – schroeder Nov 11 '20 at 18:12
  • An attacker isn't going to bother resetting their equipment for a new address. They could use a botnet, cloud servers, or Tor to use a new address for every connection, if they really want to. You're not going to detect or stop that with fail2ban. – multithr3at3d Nov 11 '20 at 18:24
  • You may want to consider blocking attempts from IP addresses that are on abuse IP lists (like https://www.abuseipdb.com/), to mitigate the tactics described by schroeder and multithr3at3d above. – mti2935 Nov 11 '20 at 18:50
  • Thanks for the comments. I'd be happy to accept words to the effect of "There is no documented best practice because no-one does this." as an answer if you want the points. – billpg Nov 11 '20 at 19:25
  • Also think from the opposite perspective. Say you would ban an entire /24 every time an IP address hits the limit. Fail2Ban doesn't just prevent further login attempts, but all traffic at firewall level. This would be a nice feature for denial of service attacks. – Esa Jokinen Nov 12 '20 at 05:44

0 Answers