Hello,

Thanks a lot for the pointers, here's a link to the updated script with even more detection options:

/etc/fail2ban/scripts/ban_range_from_ip.sh - http://0x0.st/Pc8G.sh
/etc/fail2ban/scripts/generate_ban_range_from_ip.sh - http://0x0.st/Pc8D.sh

See, about the CIDR info: I noticed that usually whois indeed gives CIDR and NetRange, but not always. And even sometimes only inetnum, so now I have it detect that. And even then sometimes all three fail, and this is why I'm using ifne on the pipe.

About the invocation, it is merely being used as a ban action or called manually by me - basically automating work I did by hand, where I'd look for matches, take the addresses, punch them into whois and then copy the CIDR/calculate it from there and ban manually.

In any case, I still cannot get it to work as a ban action - for now I just modified a copy of the default iptables actions to tack on a /24 CIDR by default, and I'm only using that in jails where I'm quite sure of the patterns matching abusive IP ranges, but a more flexible solution like what I tried to achieve with the script would be nice to have.

I really appreciate the help, as I'm quickly realizing this is a pretty non-standard feature that I'm trying to get here.

Kind Regards,
Wael Karram.

On Wed, 4 Feb 2026 18:17:06 +0000 Nick Howitt via Fail2ban-users <[email protected]> wrote:

> I don't use zsh, but your script runs in bash.
>
> I have a number of comments.
> - If the system is invoking the script, does it inherit the PATH variable? With a bash shebang you can do "#!/bin/bash -l" and root's PATH will be honoured if running with root. Certainly this can be a problem with cron jobs.
> - Why do you not prefer CIDR over converting Netrange to CIDR?
> - Instead of grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3} - ([0-9]{1,3}[\.]){3}[0-9]{1,3}', I prefer awk '{print $2 $3 $4}'
> - something similar for grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}/[0-9]{2}'
> - In your if statement, for your CIDR line you can directly do `iptables -w -I INPUT -s $(grep CIDR /root/njh/ban_range_data | awk '{print $2}') -m comment --comment "Ban $1" -j DROP`. Check which is the correct chain for you, remembering that f2b does not create the chain until it needs it.
> - You can do something similar for your NetRange.
> - Note I've added a comment to the iptables rule with the original IP that was being detected. This can aid an unban action by doing something like iptables -nvL INPUT --line-numbers | grep "Ban $1" | awk '{print $1}' and, if the line exists in iptables, delete it by line number
> - Really, you have no need to use an intermediate file, ban_range_data, I'd have thought. Just shove the results into a variable.
> - Would it be safer to grep for ^CIDR and not just CIDR
>
> On 04/02/2026 16:43, Wael Karram via Fail2ban-users wrote:
>> Indeed I am using iptables, but I couldn't get that to work, again something funky going on with text substitution.
>>
>> This is partly why I put the question on the mailing list, because after two hours of trying to figure it out and looking it up online I kind of gave up.
>>
>> On 2/4/26 6:14 PM, Nick Howitt via Fail2ban-users wrote:
>>> Assuming you are using iptables, why not do iptables commands directly at the end of your script? The same similarly goes for other firewalls such as UFW (which uses iptables in the background).
>>>
>>> On 04/02/2026 10:55, Wael Karram via Fail2ban-users wrote:
>>>> That I have gotten to work quite reliably.
>>>> Where I'm having problems is actually automating the ban action.
>>>>
>>>> I tried for example this line:
>>>> /etc/fail2ban/scripts/generate_ban_range_from_ip.sh <ip> | ifne xargs -I {} -n1 fail2ban-client set <name> banip {}
>>>>
>>>> But then I get an error with the substitution in the xargs command not happening.
>>>>
>>>> To overcome that I tried to package everything into a script as follows:
>>>> #!/bin/zsh
>>>> /etc/fail2ban/scripts/generate_ban_range_from_ip.sh $1 | xargs -n1 sudo fail2ban-client -v set $2 banip
>>>> And while running that command manually on an interactive shell works, it fails in the context of a script.
>>>>
>>>> It seems that something is wrong with the parameter passing - the fail2ban-client command simply gets stuck waiting for input. I even tried hard-coding the jail name and that clearly isn't what is causing the issue (still gets stuck the same).
>>>>
>>>> Weirdly, if I keep the same structure and replace the fail2ban-client sub-command with echo, I do get the value passed through the pipe.
>>>>
>>>> Kind Regards,
>>>>
>>>> Wael Karram.
>>>>
>>>> On 2/3/26 6:02 PM, Nick Howitt via Fail2ban-users wrote:
>>>>> Note that different registries return different fields. Try "whois 82.5.79.245" where the address range is in a field called "inetnum". You could try an ASN lookup then look up all the ranges associated with the ASN, but you'd end up with huge blocks.
>>>>>
>>>>> From your script, you'd then have to generate the relevant iptables commands for the ban and unban actions.
>>>>>
>>>>> Nick
>>>>>
>>>>> On 03/02/2026 11:55, Wael Karram via Fail2ban-users wrote:
>>>>>> Hello,
>>>>>> I've noticed lately that my server is being loaded by many automated scanners and scrapers. I've got some nginx and opensmtpd filters in place which can reliably catch them, though I've also noticed that there are entire ASNs usually associated with them.
>>>>>>
>>>>>> Currently, I am banning them manually more or less - once a day I check the logs, look for any suspect lines and then look up the CIDRs and ban manually.
>>>>>>
>>>>>> I would like to automate this, though I'm somewhat stuck with how to implement the action (the filter is actually the easy part). All I've managed to come up with for now is this script: http://0x0.st/Pb4E.sh
>>>>>> It takes an IP address and spits out the CIDRs of its ASN/the entire range associated with it - line by line.
>>>>>>
>>>>>> I hope someone can help me on how to integrate this into a custom ban action.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Fail2ban-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- 
Kind Regards,
Wael Karram.
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
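The pieces discussed in this thread (picking the range out of whois output whether it comes back as CIDR, NetRange or inetnum; anchoring the field at line start; turning a NetRange into CIDR blocks; emitting the iptables ban with a "Ban <ip>" comment and an unban that finds the rule again by line number) put together as an added, self-contained example. This is not Wael's script from the 0x0.st links and not fail2ban code. It assumes the INPUT chain, as in Nick's suggestion; the whois excerpts and the iptables listing embedded in it are constructed from documentation address ranges so it runs offline, and the entry point at the bottom only calls whois/iptables when given arguments.

```bash
#!/bin/bash
# Added example for the fail2ban-users thread above; not the poster's script
# and not part of fail2ban. Chain name INPUT and all sample data are assumed.

# Constructed whois excerpts (RFC 5737 documentation ranges), not real lookups.
ARIN_SAMPLE='NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        TEST-NET-1'
RIPE_SAMPLE='inetnum:        198.51.100.0 - 198.51.100.5
netname:        TEST-NET-2'

is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START END: the fewest CIDR blocks covering START..END.
# Each block is widened one bit at a time while it stays aligned on its own
# size and does not run past END. IPv4 only; anything else returns 1.
range_to_cidrs() {
  local start end prefix size
  is_ipv4 "$1" && is_ipv4 "$2" || return 1
  start=$(ip2int "$1"); end=$(ip2int "$2")
  [ "$start" -le "$end" ] || return 1
  while [ "$start" -le "$end" ]; do
    prefix=32
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))          # size of the next wider block
      if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    printf '%s/%d\n' "$(int2ip "$start")" "$prefix"
    start=$(( start + (1 << (32 - prefix)) ))
  done
}

# whois_to_cidrs TEXT: one CIDR per line, or status 1 if no usable field.
# Fields are anchored at line start (^CIDR:, ^NetRange:, ^inetnum:) so a
# "CIDR" inside a remarks line is never picked up. ARIN may list several
# comma-separated CIDRs on one line; all of them are emitted.
whois_to_cidrs() {
  local text="$1" cidrs range
  cidrs=$(printf '%s\n' "$text" \
    | awk -F: '/^CIDR:/ { gsub(/[ ,]+/, "\n", $2); print $2 }' \
    | grep -E '^[0-9.]+/[0-9]+$' || true)
  if [ -n "$cidrs" ]; then printf '%s\n' "$cidrs"; return 0; fi
  range=$(printf '%s\n' "$text" | awk '/^(NetRange|inetnum):/ { print $2, $4; exit }')
  [ -n "$range" ] || return 1
  set -- $range
  range_to_cidrs "$1" "$2"
}

# ban_commands IP CHAIN WHOIS_TEXT: one iptables insert per block, commented
# with the IP that triggered the ban so the unban side can find it.
ban_commands() {
  local ip="$1" chain="$2" net
  whois_to_cidrs "$3" | while read -r net; do
    printf 'iptables -w -I %s -s %s -m comment --comment "Ban %s" -j DROP\n' "$chain" "$net" "$ip"
  done
}

# unban_commands IP CHAIN LISTING: from `iptables -nvL CHAIN --line-numbers`
# output, print a delete for every rule tagged exactly "Ban IP", highest line
# first so each delete does not renumber the ones still to be done. Matching
# the whole "/* Ban IP */" comment keeps 198.51.100.50 out of an unban of
# 198.51.100.5, which a plain grep "Ban $1" would catch.
unban_commands() {
  local ip="$1" chain="$2"
  printf '%s\n' "$3" \
    | awk -v tag="/* Ban $ip */" 'index($0, tag) && $1 ~ /^[0-9]+$/ { print $1 }' \
    | sort -rn \
    | while read -r n; do printf 'iptables -w -D %s %s\n' "$chain" "$n"; done
}

# Constructed `iptables -nvL INPUT --line-numbers` output for the unban demo.
IPT_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0            /* Ban 192.0.2.77 */
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        3   180 DROP       all  --  *      *       198.51.100.4/31      0.0.0.0/0            /* Ban 198.51.100.5 */
4        9   540 DROP       all  --  *      *       198.51.100.0/30      0.0.0.0/0            /* Ban 198.51.100.5 */
5        1    60 DROP       all  --  *      *       198.51.100.50/32     0.0.0.0/0            /* Ban 198.51.100.50 */'

# Live entry point (not exercised offline): ban_range.sh ban|unban IP [CHAIN].
# Commands are printed, not run; pipe the output through sh to apply them.
if [ "$#" -ge 2 ]; then
  chain="${3:-INPUT}"
  case "$1" in
    ban)   ban_commands "$2" "$chain" "$(whois "$2")" ;;
    unban) unban_commands "$2" "$chain" "$(iptables -nvL "$chain" --line-numbers)" ;;
  esac
fi
```

Printing the commands instead of executing them lets the script be checked against real whois output before it is trusted with a firewall; in a fail2ban action.d file (hypothetical path) the ban side would then be `actionban = /etc/fail2ban/scripts/ban_range.sh ban <ip> | sh` with the matching unban line, and the jail's chain passed as the third argument where it is not INPUT. A NetRange that is not aligned to a single block (198.51.100.0 - 198.51.100.5 above) splits into several rules, which is why the unban has to delete every rule carrying the tag rather than the first match, and why it walks the line numbers from the bottom up.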
