Is it possible to monitor a subnet instead of IPs?

Hello,
I have in my logs (I placed only the interesting lines):
Dec 30 11:07:31 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:09:32 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:10:51 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:12:01 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.187]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:15:31 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:16:17 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.211]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:18:32 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:20:21 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:22:33 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.166]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:23:55 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Dec 30 11:20:35 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.25 port XXXXXX ssh2
Dec 30 11:22:55 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.189 port XXXXXX ssh2
Dec 30 11:25:12 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.121 port XXXXXX ssh2
Dec 30 11:26:21 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.111 port XXXXXX ssh2
Dec 30 11:28:58 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.78 port XXXXXX ssh2
Dec 30 11:31:47 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.211 port XXXXXX ssh2
Dec 30 11:33:55 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.56 port XXXXXX ssh2
Dec 30 11:37:11 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.45 port XXXXXX ssh2

Because the attempts come from different IP addresses (but the same subnet), in most cases the IP addresses are not repeated within an interval of 10 or 20 minutes, so they can't hit the trigger and the filter skips them.
Is it possible to monitor the subnet and ban the entire subnet (yyy.192.246.0/24 and zzz.147.4.0/24) after X attempts from different IP addresses in the subnet? And how?

Thank you! 🙂

Hello @similar!

Yes, you can have a scenario that targets ranges, ASes or even countries if you want 🙂

An example might be "How to beat application DDoS attacks with CrowdSec & Cloudflare - The open-source & collaborative IPS", where you can find scenarios that apply remediation against other things than simple IPs.

Hope this helps,

Still trying to find a way to convert %{IP} from aaa.bbb.ccc.ddd to aaa.bbb.ccc.0/24…

Oh, there is currently no helper to do this. Wouldn't using the range that is enriched by geolocalisation do the trick for you?

The range enriched by geolocalisation is the full address range (from which the attacker comes), but I don't want to ban the whole range.
Often attacks are carried out from, for example, an Amazon AWS leased server with a class C network, which sits in the address space of the provider, sometimes with a /16 mask or larger, like 50.16.0.0/15 or 23.20.0.0/14. In this case all of that network would be cut off. The idea is to ban the /24 part of the network from which the attack is carried out, as in my example: all addresses are from the same class C network, which is part of a larger /16 network.

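The /24 grouping asked about in this thread, as an added example that is not part of the original thread and not CrowdSec's own scenario code: a small Python detector that parses the two log formats shown above (postfix SASL failures and sshd failed passwords), maps each source address to its /24 (the `%{IP}` to `aaa.bbb.ccc.0/24` conversion asked about above), and raises a subnet-level decision once a threshold of distinct addresses from the same /24 is seen inside a sliding time window, which is exactly the case the per-IP bucket misses. The log lines use documentation address ranges and are constructed, the thresholds are assumptions, and `narrow_range` with its example provider range only illustrates the point of the last post: the decision stays inside the provider's enriched range but covers just the attacking /24.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the same postfix/sshd formats as the post.
# Addresses are from the RFC 5737 documentation ranges, not the poster's logs.
SAMPLE_LOG = """\
Dec 30 11:07:31 myhost postfix/smtpd[1234]: warning: unknown[198.51.100.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:09:32 myhost postfix/smtpd[1234]: warning: unknown[198.51.100.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:10:51 myhost postfix/smtpd[1234]: warning: unknown[198.51.100.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:12:01 myhost postfix/smtpd[1234]: warning: unknown[198.51.100.187]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:15:31 myhost postfix/smtpd[1234]: warning: unknown[198.51.100.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:20:35 myhost sshd[5678]: Failed password for root from 203.0.113.25 port 51234 ssh2
Dec 30 11:22:55 myhost sshd[5678]: Failed password for root from 203.0.113.189 port 51235 ssh2
Dec 30 11:25:12 myhost sshd[5678]: Failed password for root from 203.0.113.121 port 51236 ssh2
Dec 30 11:40:00 myhost sshd[5678]: Failed password for root from 192.0.2.7 port 51237 ssh2
"""

# One regex for both line formats seen in the thread; the IP lands in ip1 or ip2.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip1>[\d.]+)\]: SASL LOGIN authentication failed"
    r"|sshd\[\d+\]: Failed password for .+? from (?P<ip2>[\d.]+) port \d+)"
)


def parse_line(line):
    """Return (timestamp, source_ip) for a recognised failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, (m.group("ip1") or m.group("ip2"))


def to_subnet(ip, prefix=24):
    """Map a single address to its enclosing /prefix, e.g. 198.51.100.28 -> 198.51.100.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def detect_subnet_bruteforce(lines, threshold=5, window_minutes=20, prefix=24):
    """Group failures by /prefix and emit one decision per subnet once `threshold`
    distinct source addresses are seen within a sliding `window_minutes` window.
    Counting distinct addresses (not attempts) is what catches the rotating-IP pattern."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])          # logs may be interleaved per service
    recent = defaultdict(deque)              # subnet -> (ts, ip) events inside the window
    decided = set()
    decisions = []
    for ts, ip in events:
        subnet = to_subnet(ip, prefix)
        if subnet in decided:
            continue                         # already actioned; nothing more to learn
        q = recent[subnet]
        q.append((ts, ip))
        while ts - q[0][0] > window:         # drop events that aged out of the window
            q.popleft()
        distinct = {e[1] for e in q}
        if len(distinct) >= threshold:
            decisions.append({
                "subnet": subnet,
                "distinct_ips": len(distinct),
                "first_seen": q[0][0].strftime("%H:%M:%S"),
                "last_seen": ts.strftime("%H:%M:%S"),
            })
            decided.add(subnet)
    return decisions


def narrow_range(ip, provider_range, prefix=24):
    """Return the /prefix around `ip` instead of the whole enriched provider range.
    `provider_range` stands in for the geolocation-enriched range (assumed value)."""
    net = ipaddress.ip_network(provider_range)
    sub = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    if not sub.subnet_of(net):               # sanity check: never widen beyond the enrichment
        raise ValueError(f"{sub} is not inside {net}")
    return str(sub)


if __name__ == "__main__":
    for d in detect_subnet_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ban {d['subnet']}: {d['distinct_ips']} distinct IPs "
              f"between {d['first_seen']} and {d['last_seen']}")
    # Assumed provider range: the /24 is banned, the enclosing /16 is not.
    print(narrow_range("198.51.100.28", "198.51.0.0/16"))
```

With the defaults, only 198.51.100.0/24 trips the detector (five distinct addresses within eight minutes); the three sshd sources in 203.0.113.0/24 stay under the threshold, which is the knob to tune against the expected number of legitimate hosts behind one /24. Shrinking the window or lowering the threshold trades false positives for faster reaction, so set both from what the logs actually show rather than guessing.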

Great idea, I opened an issue for this: "Improvement/Ability to take action against a range that is *not* the IP's official range", Issue #1152, crowdsecurity/crowdsec on GitHub.

Not too tricky to implement hopefully 🙂