Whole IP pool block #1154

Open

@kisst

Description

It was a topic here before, but with a wrong approach (IMHO): #953

The idea is simple: if an ISP is continuously scanning / doing nasty stuff, then the full ISP pool should get blocked, and most likely permanently. Right now I do that manually, parsing the fail2ban log to return AS numbers, and above a limit I drop them on the permanent block firewall set.

In this way 134176, 23650, 4134 made it to the list in the first week, but it would be nice to automate it.

I use the Cymru whois service now for lookup; if you know any better, feel free to share.

whois -h v4.whois.cymru.com " -c -p 218.87.111.110"
AS      | IP               | BGP Prefix          | CC | AS Name
4134    | 218.87.111.110   | 218.87.0.0/16       | CN | CHINANET-BACKBONE No.31,Jin-rong Street,CN

When there are more than x (in my case 3) blocks from the same AS, then the action is to put the BGP Prefix on the list.

Now this function needs a few things, like an AS lookup function with an up-to-date database, but it does not look impossible to me; it would also mean that one thread of fail2ban would monitor its own log, which could be funny.

Maybe it's easier to push it into a database (sqlite3 or something simple, or even shared p2p). Anyway, let me know what you think, guys; let's open the conversation about this again.
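The manual procedure described above (collect banned IPs from the fail2ban log, resolve each to its origin AS with the Cymru whois service, and once an AS passes the threshold collect its BGP prefixes for the permanent block set) written out as an added example. This is not fail2ban's code and not the issue author's script. It parses the pipe-separated reply format shown in the issue, and the `cymru_whois` function reuses the exact `whois -h v4.whois.cymru.com " -c -p <ip>"` invocation from the issue; the log lines, whois replies, ASNs and addresses in the sample data are constructed (documentation ranges and reserved ASNs), and the threshold is applied to distinct banned IPs per AS so that one flapping host cannot condemn a whole pool.

```python
"""Aggregate fail2ban bans per origin AS and pick BGP prefixes to block.

Added example, not fail2ban's own code. The live lookup mirrors the
`whois -h v4.whois.cymru.com " -c -p <ip>"` call from the issue; the sample
log lines and whois replies further down are constructed.
"""
import re
import subprocess
from collections import defaultdict

# fail2ban writes "... NOTICE [jail] Ban <ip>"; the capital B keeps "Unban" out.
BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ban_ips(log_text):
    """Return the distinct IPv4 addresses that fail2ban banned."""
    return {m.group(1) for m in BAN_RE.finditer(log_text)}


def parse_cymru_reply(reply):
    """Parse a Cymru reply ('AS | IP | BGP Prefix | CC | AS Name') into a tuple.

    The AS Name may contain commas but never pipes, so splitting on '|' is
    safe. Returns None for the header line and for unrouted addresses ('NA').
    """
    for line in reply.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5 or fields[0] in ("AS", "NA"):
            continue
        asn, _ip, prefix, cc, name = fields
        return int(asn), prefix, cc, name
    return None


def cymru_whois(ip):
    """Live lookup with the same whois invocation as in the issue (needs network)."""
    out = subprocess.run(
        ["whois", "-h", "v4.whois.cymru.com", f" -c -p {ip}"],
        capture_output=True, text=True, check=True)
    return out.stdout


def prefixes_to_block(log_text, whois_fn=cymru_whois, min_ips=3):
    """Map each AS with at least `min_ips` distinct banned IPs to its prefixes."""
    ips_by_asn = defaultdict(set)
    prefixes_by_asn = defaultdict(set)
    for ip in sorted(parse_ban_ips(log_text)):
        parsed = parse_cymru_reply(whois_fn(ip))
        if parsed is None:
            continue  # unrouted address or empty reply: nothing to aggregate
        asn, prefix, _cc, _name = parsed
        ips_by_asn[asn].add(ip)
        prefixes_by_asn[asn].add(prefix)
    return {asn: sorted(prefixes_by_asn[asn])
            for asn, ips in ips_by_asn.items() if len(ips) >= min_ips}


# --- constructed sample data: documentation address ranges, reserved ASNs ---
SAMPLE_LOG = """\
2015-07-01 10:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.10
2015-07-01 10:05:44,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.11
2015-07-01 10:07:12,789 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.10
2015-07-01 10:09:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.200
2015-07-01 10:12:30,111 fail2ban.actions [1234]: NOTICE [sshd] Unban 192.0.2.10
2015-07-01 10:15:00,222 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2015-07-01 10:20:00,333 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.9
"""
HEADER = "AS      | IP               | BGP Prefix          | CC | AS Name\n"
SAMPLE_WHOIS = {
    "192.0.2.10":   HEADER + "64496   | 192.0.2.10       | 192.0.2.0/25        | ZZ | EXAMPLE-NET-A, Example St,ZZ\n",
    "192.0.2.11":   HEADER + "64496   | 192.0.2.11       | 192.0.2.0/25        | ZZ | EXAMPLE-NET-A, Example St,ZZ\n",
    "192.0.2.200":  HEADER + "64496   | 192.0.2.200      | 192.0.2.128/25      | ZZ | EXAMPLE-NET-A, Example St,ZZ\n",
    "198.51.100.7": HEADER + "64497   | 198.51.100.7     | 198.51.100.0/24     | ZZ | EXAMPLE-NET-B,ZZ\n",
    "203.0.113.9":  HEADER + "NA      | 203.0.113.9      | NA                  | ZZ | NA\n",
}


def fake_whois(ip):
    """Offline stand-in for cymru_whois, serving the constructed replies above."""
    return SAMPLE_WHOIS[ip]


if __name__ == "__main__":
    for asn, prefixes in prefixes_to_block(SAMPLE_LOG, fake_whois).items():
        print(f"AS{asn}: {' '.join(prefixes)}")
```

With the sample data only AS64496 reaches three distinct banned hosts, so both of its prefixes come back while the single AS64497 host and the unrouted address are ignored; feeding the returned prefixes to an ipset or nftables set is the step the issue leaves to the firewall. Lookups go out one per banned IP, so on a busy host cache the replies or switch to Cymru's bulk interface before running this on every ban.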
