Every day, hundreds of lines like these show up in my mail.log:
Apr 28 11:10:28 servername amavis[30077]: (30077-08) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.16] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: F/spam-FaGlty0PIZMS.gz, Message-ID: <foobar@bla.com>, mail_id: FaGlty0PIZMS, Hits: 7.544, size: 5136, 7444 ms
Apr 28 11:44:53 servername amavis[30074]: (30074-10) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.25] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: H/spam-H4sMG6EC6q-I.gz, Message-ID: <foobar@bla.com>, mail_id: H4sMG6EC6q-I, Hits: 12.405, size: 5209, 3816 ms
Apr 28 11:45:53 servername amavis[30077]: (30077-10) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.30] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: q/spam-qNkRyAnBW5ul.gz, Message-ID: <foobar@bla.com>, mail_id: qNkRyAnBW5ul, Hits: 12.405, size: 5217, 4456 ms
Apr 28 12:05:22 servername amavis[30074]: (30074-12) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.11] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: z/spam-zaKH80IIImbj.gz, Message-ID: <foobar@bla.com>, mail_id: zaKH80IIImbj, Hits: 11.155, size: 5163, 6837 ms
Apr 28 12:06:41 servername amavis[30074]: (30074-13) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.40] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: j/spam-jgw8hoOtyeSf.gz, Message-ID: <foobar@bla.com>, mail_id: jgw8hoOtyeSf, Hits: 9.546, size: 4749, 3844 ms
Apr 28 12:07:50 servername amavis[30077]: (30077-13) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.95] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: w/spam-wYu7sNla0_BX.gz, Message-ID: <foobar@bla.com>, mail_id: wYu7sNla0_BX, Hits: 8.87, size: 4729, 3889 ms
Apr 28 12:58:32 servername amavis[30077]: (30077-16) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.46] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: 5/spam-52iE_rnYAkaF.gz, Message-ID: <foobar@bla.com>, mail_id: 52iE_rnYAkaF, Hits: 19.628, size: 5032, 7830 ms
Apr 28 13:39:12 servername amavis[30077]: (30077-20) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.62] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: 8/spam-8zKenB5I3mjS.gz, Message-ID: <foobar@bla.com>, mail_id: 8zKenB5I3mjS, Hits: 11.211, size: 5106, 3928 ms
Apr 28 14:22:34 servername amavis[14260]: (14260-04) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.64] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: S/spam-SLdyUkN0XFpi.gz, Message-ID: <foobar@bla.com>, mail_id: SLdyUkN0XFpi, Hits: 12.405, size: 5146, 3869 ms
Apr 28 14:58:44 servername amavis[14260]: (14260-06) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.47] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: M/spam-MEimd4Bg1bE3.gz, Message-ID: <foobar@bla.com>, mail_id: MEimd4Bg1bE3, Hits: 11.231, size: 5064, 3838 ms
Apr 28 15:16:17 servername amavis[15052]: (15052-08) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.91] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: M/spam-MVHz2AB6fJWo.gz, Message-ID: <foobar@bla.com>, mail_id: MVHz2AB6fJWo, Hits: 10.805, size: 5071, 3764 ms
Apr 28 15:16:38 servername amavis[14260]: (14260-09) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.95] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: P/spam-P_vgm1aE0UvA.gz, Message-ID: <foobar@bla.com>, mail_id: P_vgm1aE0UvA, Hits: 9.555, si 6.694, size: 5656, 2536 ms
Apr 28 15:57:55 servername amavis[14260]: (14260-15) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.108.104] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: 8/spam-8hnRkMDQmj4E.gz, Message-ID: <foobar@bla.com>, mail_id: 8hnRkMDQmj4E, Hits: 9its: 7.772, size: 8343, 6229 ms
Apr 28 16:36:12 servername amavis[14260]: (14260-20) Blocked SPAM {DiscardedInbound,Quarantined}, [185.140.110.64] <xxx@yyy.com> -> <aaa@bbb.com>, quarantine: J/spam-JAzp8lAdYrqB.gz, Message-ID: <foobar@bla.com>, mail_id: JAzp8lAdYrqB, Hits: 18.228, size: 4938, 4849 ms
As you can see, the mail comes from different but similar IP addresses. In this example, from 185.140.110.xxx and 185.140.108.xxx (or 185.140.110.0/24 and 185.140.108.0/24 in netmask syntax).
Fail2ban is good at detecting log lines from identical IP addresses, but here all the addresses are different, yet they all come from a few small ranges.
Is there a way to tell fail2ban to look at ranges instead of identical IP addresses?
I want fail2ban to block all IP addresses from 185.140.110.0 to 185.140.110.255 as soon as it detects 3 lines with IP addresses in that range within a few hours.
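As an added example (not part of the question and not fail2ban's own code), the script below parses amavis "Blocked SPAM" lines like the ones quoted above, groups them by /24 (or any prefix) and flags a network once it reaches the hit threshold inside a sliding time window, which is the aggregation the question asks fail2ban to do. The syslog timestamps carry no year, so the year and the embedded sample lines are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the amavis "Blocked SPAM" lines quoted in the question. Syslog
# timestamps carry no year, so the caller supplies one (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ amavis\[\d+\]: "
    r"\(\S+\) Blocked SPAM .*?\[(?P<ip>[0-9.]+)\]"
)

def parse_line(line, year=2024):
    """Return (timestamp, ip) for a Blocked SPAM line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"])

def hot_networks(lines, prefix=24, threshold=3, window_hours=3, year=2024):
    """Map each /prefix network that produced >= threshold Blocked SPAM
    lines inside some window_hours-long sliding window to its total hits."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, ip = parsed
            hits[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ts)
    window, flagged = timedelta(hours=window_hours), {}
    for net, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop hits older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[str(net)] = len(stamps)
                break
    return flagged

# Constructed sample in the question's format: three 110.x neighbours within
# 35 minutes, two 108.x hits close together plus a late one, one stray host.
_FMT = "Apr 28 {} mx amavis[1]: (1-1) Blocked SPAM {{DiscardedInbound,Quarantined}}, [{}] <a@x.test> -> <b@y.test>, Hits: 9.1, size: 5000, 40 ms"
SAMPLE_LOG = [_FMT.format(t, ip) for t, ip in [
    ("11:10:28", "185.140.110.16"), ("11:44:53", "185.140.110.25"),
    ("11:45:53", "185.140.110.30"), ("12:06:41", "185.140.108.40"),
    ("12:07:50", "185.140.108.95"), ("15:57:55", "185.140.108.104"),
    ("13:00:00", "203.0.113.7"),
]]

if __name__ == "__main__":
    print(hot_networks(SAMPLE_LOG))   # {'185.140.110.0/24': 3}
```

With the default 3-hour window only 185.140.110.0/24 is flagged; the three 185.140.108.x hits only qualify once the window is widened, which is the "within a few hours" knob from the question.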