I don't use zsh, but your script runs in bash.

I have a number of comments.
- If the system is invoking the script, does it inherit the PATH variable? With a bash shebang you can do "#!/bin/bash -l" and root's PATH will be honoured if running with root. Certainly this can be a problem with cron jobs.
- Why do you not prefer CIDR over converting Netrange to CIDR?
- Instead of grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3} - ([0-9]{1,3}[\.]){3}[0-9]{1,3}', I prefer awk '{print $2 $3 $4}'
- something similar for grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}/[0-9]{2}'
- In your if statement, for your CIDR line you can directly do `iptables -w -I INPUT -s $(grep CIDR /root/njh/ban_range_data | awk '{print $2}') -m comment --comment "Ban $1" -j DROP`. Check which is the correct chain for you, remembering that f2b does not create the chain until it needs it.
- You can do something similar for your NetRange.
- Note I've added a comment to the iptables rule with the original IP that was being detected. This can aid an unban action by doing something like iptables -nvL INPUT --line-numbers | grep "Ban $1" | awk '{print $1}' and, if the line exists in iptables, delete it by line number. Really, you have no need to use an intermediate file, ban_range_data, I'd have thought. Just shove the results into a variable.
- Would it be safer to grep for ^CIDR and not just CIDR?
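An added example, not the original poster's script, the reply's commands verbatim, or fail2ban's own action code, that puts the points above into one small shell helper: awk in place of the grep -E patterns (anchored on ^CIDR and ^NetRange), iptables invoked directly with a "Ban <ip>" comment instead of going through an intermediate file, the NetRange handed to -m iprange, and the unban looked up by rule number. It assumes ARIN-style whois text on stdin, the INPUT chain, and an IPTABLES variable that can be pointed at a dry-run function; the whois output and rule listing embedded below are constructed samples.

```shell
#!/bin/bash
# Added example (not the original poster's script nor fail2ban's own code):
# ban/unban helpers following the reply above. Assumptions: whois text in
# ARIN style ("NetRange:" / "CIDR:" lines) arrives on stdin, rules go in the
# INPUT chain, and $IPTABLES names the command to run (a dry-run function
# here for testing). Sample whois output and rule listing are constructed.
set -u
# Cron and fail2ban may start this with a minimal PATH; make sure the sbin
# directories that hold iptables are searched.
PATH="/usr/sbin:/sbin:$PATH"
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-INPUT}"

# Dry-run stand-in for iptables: just print the argument list on one line.
dry_run() { printf '%s\n' "$*"; }

# Constructed whois samples: one with a CIDR line, one with only a NetRange.
# The Comment line mentions CIDR so the ^CIDR anchor can be seen to matter.
SAMPLE_WHOIS='NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        TEST-NET-2
Comment:        Constructed sample; only the CIDR line should be used'
SAMPLE_WHOIS_NOCIDR='NetRange:       203.0.113.0 - 203.0.113.255
NetName:        TEST-NET-3'

# Constructed `iptables -nvL INPUT --line-numbers` listing. Rule 3 carries a
# comment for 198.51.100.70, which a plain grep "Ban 198.51.100.7" would hit.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0            /* Ban 198.51.100.7 */
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 203.0.113.0-203.0.113.255 /* Ban 203.0.113.7 */
3        0     0 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0            /* Ban 198.51.100.70 */
4        0     0 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0            /* Ban 198.51.100.7 */'

# whois text on stdin -> every prefix on the ^CIDR line, one per line
# (ARIN may list several, comma separated).
whois_cidrs() {
    awk '/^CIDR:/ { for (i = 2; i <= NF; i++) { sub(/,$/, "", $i); print $i } }'
}

# whois text on stdin -> NetRange as iptables iprange syntax, i.e. fields
# 2,3,4 ("198.51.100.0", "-", "198.51.100.255") joined without spaces.
whois_netrange() {
    awk '/^NetRange:/ { print $2 $3 $4; exit }'
}

# ban_ip <detected-ip>  (whois text on stdin)
# Prefer the CIDR line(s); fall back to the NetRange via -m iprange. Every
# rule is tagged with a comment naming the detected IP so it can be found
# again at unban time; no intermediate file is needed.
ban_ip() {
    local ip="$1" text cidrs range c
    text=$(cat)
    cidrs=$(printf '%s\n' "$text" | whois_cidrs)
    if [ -n "$cidrs" ]; then
        for c in $cidrs; do
            $IPTABLES -w -I "$CHAIN" -s "$c" -m comment --comment "Ban $ip" -j DROP
        done
        return 0
    fi
    range=$(printf '%s\n' "$text" | whois_netrange)
    if [ -n "$range" ]; then
        $IPTABLES -w -I "$CHAIN" -m iprange --src-range "$range" -m comment --comment "Ban $ip" -j DROP
        return 0
    fi
    echo "ban_ip: no CIDR or NetRange found in whois output for $ip" >&2
    return 1
}

# ban_rule_lines <detected-ip>  (listing on stdin)
# Print rule numbers whose comment is exactly "/* Ban <ip> */". awk's index()
# is a literal substring search, so the dots in the IP are not wildcards and
# the closing " */" stops 198.51.100.7 from matching 198.51.100.70. Numbers
# come out highest first so deleting them in order does not renumber the rest.
ban_rule_lines() {
    awk -v tag="/* Ban $1 */" 'index($0, tag) { print $1 }' | sort -rn
}

# unban_ip <detected-ip>: delete every rule tagged for that IP by number.
unban_ip() {
    $IPTABLES -w -nvL "$CHAIN" --line-numbers | ban_rule_lines "$1" |
    while read -r n; do
        $IPTABLES -w -D "$CHAIN" "$n"
    done
}

# Real use (as root):  whois 198.51.100.7 | ban_ip 198.51.100.7;  unban_ip 198.51.100.7
# Dry run on the constructed samples:  ./this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=dry_run
    printf '%s\n' "$SAMPLE_WHOIS" | ban_ip 198.51.100.7
    printf '%s\n' "$SAMPLE_WHOIS_NOCIDR" | ban_ip 203.0.113.7
    printf '%s\n' "$SAMPLE_LISTING" | ban_rule_lines 198.51.100.7
fi
```

For a fail2ban action the same two functions map onto actionban and actionunban, with the detected address passed as the <ip> tag; the comment tag is what lets the unban side find the range rules again without any state kept outside iptables.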

On 04/02/2026 16:43, Wael Karram via Fail2ban-users wrote:
Indeed I am using iptables, but I couldn't get that to work; again,
something funky going on with text substitution.

This is partly why I put the question on the mailing list, because
after two hours of trying to figure it out and looking it up online I
kind of gave up.



On 2/4/26 6:14 PM, Nick Howitt via Fail2ban-users wrote:
Assuming you are using iptables, why not do iptables commands directly
at the end of your script? The same similarly goes for other firewalls
such as UFW (which uses iptables in the background).
On 04/02/2026 10:55, Wael Karram via Fail2ban-users wrote:
That I have gotten to work quite reliably well.
Where I'm having problems is actually automating the ban action.

I tried for example this line:

/etc/fail2ban/scripts/generate_ban_range_from_ip.sh <ip> | ifne xargs -I {} -n1 fail2ban-client set <name> banip {}

But then I get an error with the substitution in the xargs command
not happening.


To overcome that I tried to package everything into a script as
follows:

#!/bin/zsh
/etc/fail2ban/scripts/generate_ban_range_from_ip.sh $1 | xargs -n1 sudo fail2ban-client -v set $2 banip

And while running that command manually on an interactive shell works,
it fails in the context of a script.

It seems that something is wrong with the parameter passing: the
fail2ban-client command simply gets stuck waiting for input. I even
tried hard-coding the jail name and that clearly isn't what is
causing the issue (it still gets stuck the same way).

Weirdly, if I keep the same structure and replace the fail2ban-client
sub-command with echo, I do get the value passed through the pipe.


Kind Regards,

Wael Karram.


On 2/3/26 6:02 PM, Nick Howitt via Fail2ban-users wrote:
Note that different registries return different fields. Try "whois
82.5.79.245" where the address range is in a field called "inetnum".
You could try an ASN lookup then look up all the ranges associated
with the ASN, but you'd end up with huge blocks.

From your script, you'd then have to generate the relevant iptables
commands for the ban and unban actions.

Nick

On 03/02/2026 11:55, Wael Karram via Fail2ban-users wrote:
Hello,
I've noticed lately that my server is being loaded by many automated
scanners and scrapers. I've got some nginx and opensmtpd filters in
place which can reliably catch them, though I've also noticed that
there are entire ASNs usually associated with them.

Currently, I am banning them manually, more or less: once a day I
check the logs, look for any suspect lines and then look up the
CIDRs and ban them manually.

I would like to automate this, though I'm somewhat stuck with how
to implement the action (the filter is actually the easy part).
All I've managed to come up with for now is this script:
http://0x0.st/Pb4E.sh
It takes an IP address and spits out the CIDRs of its ASN/the
entire range associated with it - line by line.

I hope someone can help me on how to integrate this into a custom
ban action.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
