fail2ban custom action to permanently ban IPs from China

Posted by John Magnolia on Server Fault
Published on 2012-12-08T17:40:40Z Indexed on 2012/12/08 23:08 UTC

When an IP address gets banned, how can I check if the banned IP address is from China? If yes, then add it to the permanent ban list.

I have found this nice guide which writes the banned IP to a file.

Reason: I am getting a lot of brute force attacks from China daily. Thankfully fail2ban is helping restrict this, although they appear to be getting worse and they are just changing their IP address.

Or even better would be if there was a maintained database of known hacker IP addresses.

Example 1

Hi,

The IP 60.169.78.77 has just been banned by Fail2Ban after
4 attempts against vsftpd.


Here are more information about 60.169.78.77:

% [whois.apnic.net node-7]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        60.166.0.0 - 60.175.255.255
netname:        CHINANET-AH
descr:          CHINANET anhui province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         JW89-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-CHINANET-AH
mnt-lower:      MAINT-CHINANET-AH
status:         ALLOCATED PORTABLE
changed:        [email protected] 20040721
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         [email protected]
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        [email protected] 20070416
mnt-by:         MAINT-CHINANET
source:         APNIC

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         [email protected]
nic-hdl:        JW89-AP
mnt-by:         MAINT-NEW
changed:        [email protected] 19990818
source:         APNIC

Regards,

Fail2Ban

Example 2

Hi,

The IP 60.169.78.81 has just been banned by Fail2Ban after
4 attempts against vsftpd.


Here are more information about 60.169.78.81:

% [whois.apnic.net node-6]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        60.166.0.0 - 60.175.255.255
netname:        CHINANET-AH
descr:          CHINANET anhui province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         JW89-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-CHINANET-AH
mnt-lower:      MAINT-CHINANET-AH
status:         ALLOCATED PORTABLE
changed:        [email protected] 20040721
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         [email protected]
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        [email protected] 20070416
mnt-by:         MAINT-CHINANET
source:         APNIC

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         [email protected]
nic-hdl:        JW89-AP
mnt-by:         MAINT-NEW
changed:        [email protected] 19990818
source:         APNIC

Regards,

Fail2Ban

Example 3

Hi,

The IP 222.133.244.99 has just been banned by Fail2Ban after
4 attempts against vsftpd.


Here are more information about 222.133.244.99:

% [whois.apnic.net node-6]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        222.133.244.96 - 222.133.244.127
netname:        LCZFFHQ
country:        CN
descr:          liaochenggovermentfanghuoqiang
admin-c:        DS95-AP
tech-c:         DS95-AP
status:         ASSIGNED NON-PORTABLE
changed:        [email protected] 20060122
mnt-by:         MAINT-CNCGROUP-SD
source:         APNIC

route:          222.132.0.0/14
descr:          CNC Group CHINA169 Shandong Province Network
country:        CN
origin:         AS4837
mnt-by:         MAINT-CNCGROUP-RR
changed:        [email protected] 20060118
source:         APNIC

person:         Data Communication Bureau Shandong
nic-hdl:        DS95-AP
e-mail:         [email protected]
address:        No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone:          +86-531-6052611
fax-no:         +86-531-6052414
country:        CN
changed:        [email protected] 20050330
mnt-by:         MAINT-CNCGROUP-SD
source:         APNIC

Regards,

Fail2Ban
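
One way to implement the check the question asks for, as an added example that is not part of the original post or of fail2ban itself: it reads whois text like the notifications above, takes the `country:` field of the address-block object only, and appends the IP to a permanent list once. The function names, the list path and the trimmed sample (built from Example 3) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; function names and the list path are hypothetical.

# whois_country: read whois text on stdin and print the country code of the
# address-block object (the one with inetnum:/NetRange:), ignoring the
# country fields of the person/route objects that follow it.
whois_country() {
    awk '
        NF == 0 { in_net = 0; next }              # blank line ends an object
        { key = tolower($1) }
        key == "inetnum:" || key == "netrange:" { in_net = 1 }
        in_net && key == "country:" { print toupper($2); exit }
    '
}

# is_ipv4: accept only dotted-quad input so nothing else reaches the list file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# permaban_if_country IP CC LISTFILE  (whois text on stdin)
# Appends IP to LISTFILE, once, when the block is registered in CC.
# Returns 0 if the IP is (now) listed, 1 otherwise.
permaban_if_country() {
    ip=$1 cc=$2 list=$3
    is_ipv4 "$ip" || return 1
    [ "$(whois_country)" = "$cc" ] || return 1
    grep -qxF "$ip" "$list" 2>/dev/null || printf '%s\n' "$ip" >> "$list"
}

# Constructed sample: Example 3 from the post, trimmed to the relevant fields.
SAMPLE_CN='% [whois.apnic.net node-6]
inetnum:        222.133.244.96 - 222.133.244.127
netname:        LCZFFHQ
country:        CN

person:         Data Communication Bureau Shandong
country:        CN'

# Usage on a live host (needs network; the path is a placeholder):
#   whois "$ip" | permaban_if_country "$ip" CN /path/to/permanent-ban.list
```

The whois `country:` field is what the registry recorded for the block, not a geolocation of the host, and whois servers rate-limit queries, so a busy jail should cache results per block.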
