Every day I get hundreds of lines like these in my mail.log:
Apr 28 11:10:28 servername amavis[30077]: (30077-08) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.16] <[email protected]> -> <[email protected]>, quarantine: F/spam-FaGlty0PIZMS.gz, Message-ID: <[email protected]>, mail_id: FaGlty0PIZMS, Hits: 7.544, size: 5136, 7444 ms
Apr 28 11:44:53 servername amavis[30074]: (30074-10) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.25] <[email protected]> -> <[email protected]>, quarantine: H/spam-H4sMG6EC6q-I.gz, Message-ID: <[email protected]>, mail_id: H4sMG6EC6q-I, Hits: 12.405, size: 5209, 3816 ms
Apr 28 11:45:53 servername amavis[30077]: (30077-10) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.30] <[email protected]> -> <[email protected]>, quarantine: q/spam-qNkRyAnBW5ul.gz, Message-ID: <[email protected]>, mail_id: qNkRyAnBW5ul, Hits: 12.405, size: 5217, 4456 ms
Apr 28 12:05:22 servername amavis[30074]: (30074-12) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.11] <[email protected]> -> <[email protected]>, quarantine: z/spam-zaKH80IIImbj.gz, Message-ID: <[email protected]>, mail_id: zaKH80IIImbj, Hits: 11.155, size: 5163, 6837 ms
Apr 28 12:06:41 servername amavis[30074]: (30074-13) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.40] <[email protected]> -> <[email protected]>, quarantine: j/spam-jgw8hoOtyeSf.gz, Message-ID: <[email protected]>, mail_id: jgw8hoOtyeSf, Hits: 9.546, size: 4749, 3844 ms
Apr 28 12:07:50 servername amavis[30077]: (30077-13) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.95] <[email protected]> -> <[email protected]>, quarantine: w/spam-wYu7sNla0_BX.gz, Message-ID: <[email protected]>, mail_id: wYu7sNla0_BX, Hits: 8.87, size: 4729, 3889 ms
Apr 28 12:58:32 servername amavis[30077]: (30077-16) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.46] <[email protected]> -> <[email protected]>, quarantine: 5/spam-52iE_rnYAkaF.gz, Message-ID: <[email protected]>, mail_id: 52iE_rnYAkaF, Hits: 19.628, size: 5032, 7830 ms
Apr 28 13:39:12 servername amavis[30077]: (30077-20) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.62] <[email protected]> -> <[email protected]>, quarantine: 8/spam-8zKenB5I3mjS.gz, Message-ID: <[email protected]>, mail_id: 8zKenB5I3mjS, Hits: 11.211, size: 5106, 3928 ms
Apr 28 14:22:34 servername amavis[14260]: (14260-04) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.64] <[email protected]> -> <[email protected]>, quarantine: S/spam-SLdyUkN0XFpi.gz, Message-ID: <[email protected]>, mail_id: SLdyUkN0XFpi, Hits: 12.405, size: 5146, 3869 ms
Apr 28 14:58:44 servername amavis[14260]: (14260-06) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.47] <[email protected]> -> <[email protected]>, quarantine: M/spam-MEimd4Bg1bE3.gz, Message-ID: <[email protected]>, mail_id: MEimd4Bg1bE3, Hits: 11.231, size: 5064, 3838 ms
Apr 28 15:16:17 servername amavis[15052]: (15052-08) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.91] <[email protected]> -> <[email protected]>, quarantine: M/spam-MVHz2AB6fJWo.gz, Message-ID: <[email protected]>, mail_id: MVHz2AB6fJWo, Hits: 10.805, size: 5071, 3764 ms
Apr 28 15:16:38 servername amavis[14260]: (14260-09) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.95] <[email protected]> -> <[email protected]>, quarantine: P/spam-P_vgm1aE0UvA.gz, Message-ID: <[email protected]>, mail_id: P_vgm1aE0UvA, Hits: 9.555, si 6.694, size: 5656, 2536 ms
Apr 28 15:57:55 servername amavis[14260]: (14260-15) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.104] <[email protected]> -> <[email protected]>, quarantine: 8/spam-8hnRkMDQmj4E.gz, Message-ID: <[email protected]>, mail_id: 8hnRkMDQmj4E, Hits: 9its: 7.772, size: 8343, 6229 ms
Apr 28 16:36:12 servername amavis[14260]: (14260-20) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.64] <[email protected]> -> <[email protected]>, quarantine: J/spam-JAzp8lAdYrqB.gz, Message-ID: <[email protected]>, mail_id: JAzp8lAdYrqB, Hits: 18.228, size: 4938, 4849 ms
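As you can see, the mails come from different IP addresses. In this example, from 185.140.110.xxx and 185.140.108.xxx (or, in netmask syntax, 185.140.110.0/24 and 185.140.108.0/24).
Fail2ban is good at recognizing log lines that come from the same IP address, but here the addresses are all different, yet they all come from a few small ranges.
Is there a way to tell fail2ban to look at ranges rather than at identical IP addresses?
I would like fail2ban to block all IPs from 185.140.110.0 to 185.140.110.255 when it detects 3 IP addresses within that range within a few hours.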
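The range-based detection asked about above, as a standalone Python script (an added example, not part of the original post and not a fail2ban feature): it groups amavis `Blocked SPAM` lines by /24 and reports a range once 3 distinct addresses from it appear inside a time window. The function name, the 6-hour window, the year and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp and client IP of an amavis "Blocked SPAM" line (format as in the post).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ amavis\[\d+\]: \(\S+\) "
    r"Blocked SPAM \{[^}]*\}, \[(?P<ip>[0-9.]+)\]")

def ranges_to_block(lines, min_hosts=3, window=timedelta(hours=6), prefix=24, year=2017):
    """CIDR ranges with >= min_hosts distinct spam sources seen within `window`."""
    # Assumptions: lines are chronological; syslog has no year, so `year` is supplied.
    recent = defaultdict(list)  # network -> [(time, ip)] still inside the window
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other log lines, or entries truncated before the IP
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # bracketed value is not a valid IPv4 address
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits = recent[net]
        hits.append((ts, ip))
        hits[:] = [(t, a) for t, a in hits if ts - t <= window]  # expire old hits
        if len({a for _, a in hits}) >= min_hosts:  # distinct hosts, not messages
            flagged.add(net)
    return [str(n) for n in sorted(flagged)]

# Constructed sample lines in the post's format, using documentation address ranges.
FMT = ("Apr 28 {t} mx amavis[30077]: (30077-08) Blocked SPAM {{DiscardedInbound,"
       "Quarantined}}, [{ip}] <a@example.com> -> <b@example.org>, Hits: 9.5")
SAMPLE = [FMT.format(t=t, ip=ip) for t, ip in [
    ("01:00:00", "192.0.2.10"),     # 192.0.2.0/24: three hosts, but over 11.5 hours
    ("06:00:00", "192.0.2.20"),
    ("11:10:28", "198.51.100.16"),  # 198.51.100.0/24: three hosts within one hour
    ("11:20:00", "203.0.113.5"),    # 203.0.113.0/24: one host sending three times
    ("11:44:53", "198.51.100.25"),
    ("11:50:00", "203.0.113.5"),
    ("12:05:22", "198.51.100.30"),
    ("12:10:00", "203.0.113.5"),
    ("12:30:00", "192.0.2.30"),
]]

if __name__ == "__main__":
    print(ranges_to_block(SAMPLE))
```

Counting distinct addresses rather than messages keeps a single noisy host from getting its 255 neighbours blocked with it.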