You can accomplish this by creating iptables-multiport-24.conf file in the /etc/fail2ban/action.d/ directory.

nano /etc/fail2ban/action.d/iptables-multiport-24.conf

Then add the following below.

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Copied and modified from iptables-multiport.conf by Mike Moller for subnet banning
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip>/24 -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip>/24 -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

Now modify the jail(s) that you want to have the subnet blocked ...

nano /etc/fail2ban/jail.local

Add the action = iptables-multiport-24 line to the jail...

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
action = iptables-multiport-24 [name=ssh, port="ssh", protocol=tcp]

#Another example how to implement subnet banning for postfix-sasl.
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.warn
maxretry = 3
action = iptables-multiport-24 [name=postfix-sasl, port="smtp", protocol=tcp]

Also check out #1161

@agentmoller001 The suggested iptables-multiport-24.conf works with fix subnet size, with no context awareness around the size of the AS, I went around it with custom action, but I think building out a capability like this could be in scoop for the fail2ban project.

What I did :
Created a simple service which does the AS lookup on all entry on the fail2ban log, and the log it an sqlite3 database, and after writing in query the new value, and if that new value is more then x then null-route the ISP. But this "solution" is completely out of the fail2ban service, as fail2ban could not handle it.

I came here to ask something like this, or to find out if it can be done. I manually go through the fail2ban emails and block the CIDR range for each IP that gets a lot of attacks over different IPs - but this is quite work intensive so I rarely do it.

What would be good if fail2ban was aware that say multiple different IPs from the same AS/range block in X days/weeks/months results in a complete range ban. Having it for a repeat attacking single IP would be sort of useful, but then just block that single IP and might do false positives - I am wary about blocking UK/US etc for that reason.

It is the crafty people who come back from the same block of Iran or Chinese IPs months later and blast my server that need to be entire range autoblocked. Indeed I know geoblocking is beyond f2b but that would be good, I do it easily for nginx but that does not cover other services, mail, etc.

Hi @sebres

Sorry newbie at fail2ban @ github.
I have same problem much blocked list as below..
114.119.131.33
114.119.131.43
114.119.131.139
114.119.131.232
...

My system is FreeBSD with PF
Therefore wish the feature(duplicate #927?) add into FreeBSD with PF if possible.
Thank very much.

PS: Length of IPv4 and IPv6 netmask different.
In ./action.d/iptables-common.conf , both separate by Init?family=, therefore configure different easily.
But ./action.d/pf.conf have not, can be separate same iptable?

@agentmoller001 for fixed subnet, do you have equivalent settings for firewalld and nftables?

I second that this should be a feature. I currently have about 700 IPs from a single /20 AS in my block list. That's quite a few /24's.

I just updated /etc/fail2ban/action.d/iptables.conf to have actionBan and actionUnBan just always use /24 instead of

@edwardsd97 -- could you share what tweak you made, specifically? For example, for actionban, what in

 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

did you change? Did you simply add /24 after ? In other words..

  actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>

Thanks in advance. Rather ask a 'silly question' than blow up iptables.

when looking for official/registered IP blocks to ban, I personally think it's probably best to use a remote source of truth since blocks are purchased and assigned by an authority.

Assuming their information is up to date,
both whois -h whois.arin.net -- "n <ipaddr>" | grep -i cidr | awk '{print $NF}'
and whois -h whois.cymru.com -- "-p -o -f <ipaddr>" | cut -d' ' -f

will give you varying levels of officially registered IP blocks, however, I am not familiar with how to enter these values into the field in actionban.

Also, I am utilizing the default action on Fedora, which is firewalld, and utilizing nftables on debian, so is a little dated and less useful to me. From what I'm reading, it seems like most people are still stuck on iptables :)

Perfect - thanks. I had convinced myself that was correct, after trying some experiments with AlmaLinux in a VM, but confirmation from your end helps. As seems to be the case at your end, my main machine(s) are only intended for a couple of users, so I'm quite comfortable blocking way more than fail2ban defaults to.

Thanks again.