I found my notes on fail2ban-subnets on the wiki "talk" page: https://wiki.koozali.org/Talk:Fail2ban
Roger - got it.
Blimey that script is a bit kludgy, and I can barely read python, let alone write it!
So the normal process for F2B (correct me if I am wrong)
Read/Execute jail.conf
Read/Execute filter on log file
Read/Execute action smeserver-iptables with results
The problem here is the subnet python script tries to execute iptables itself - not good. It could almost be a totally standalone system.
So trying to work this through.
First - we don't need .local dirs - just use the existing ones.
We don't need the action script. We need to use the smeserver-iptables one.
The fail2ban-subnets.py file should really parse the required fail2ban logs, find the requisite subnets and write them to a subnet log which can then be processed by the filter file and F2B itself for banning by the smeserver-iptables action (I think) - that can be done on a cron with the script in say /usr/local/bin
Currently when it runs it doesn't really do anything as it is trying to add to an iptable that does not exist and that is because SME handles the tables itself, as above.
So it never gets past the initial logger message:
logger.info("started with an analysis over %s" % human_readable_time(findtime))
I also can't see where else it actually logs the guilty subnets!!
Anyway, the filter script should have a filter that takes the subnets in the log and then adds them via the smeserver-iptables action.
Currently the filter just tells you what is in the subnet.log file - it does nothing really! Check say the recidive filter or similar for comparison.
So IMHO it really needs some rewriting. I could probably do it in perl (I already have some other perl subnet stuff kicking about), but not python
Further reading:
https://github.com/fail2ban/fail2ban/issues/927
https://unix.stackexchange.com/questions/181114/how-can-i-teach-fail2ban-to-detect-and-block-attacks-from-a-whole-network-block
https://github.com/fail2ban/fail2ban/issues/2261
(Not sure if you meant this on the wiki!! :)
Test
cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py << with perl ?? !!
Let me know your thoughts - be interested to look at this if we can get something workable, but note it can be dangerous if you ban a big range!!
I can't do much else myself right now as I have been off work with my gammy back for over a week and so I'm waaaaaaaaay behind. But happy to look at anything you might conjure up.
E&OE
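
The log-parsing step proposed in the post above (read the fail2ban log, find the offending subnets, write them to a subnet log for a filter to pick up, no iptables calls), as an added example that is not part of the original post or of the fail2ban-subnets script. The /24 grouping, the threshold, the never_ban list, the output line format and the function names are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the usual fail2ban.log "Ban" format (not real data).
SAMPLE_LOG = """\
2024-01-15 10:01:02,111 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 10:03:40,530 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.77
2024-01-15 10:04:09,004 fail2ban.actions [812]: NOTICE [postfix] Ban 203.0.113.5
2024-01-15 10:06:15,912 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.9
2024-01-15 10:07:31,250 fail2ban.actions [812]: NOTICE [dovecot] Ban 203.0.113.200
2024-01-15 10:08:00,000 fail2ban.actions [812]: NOTICE [sshd] Unban 198.51.100.9
2024-01-15 10:09:12,700 fail2ban.actions [812]: NOTICE [sshd] Ban 192.168.1.20
2024-01-15 10:09:13,700 fail2ban.actions [812]: NOTICE [sshd] Ban 192.168.1.21
2024-01-15 10:09:14,700 fail2ban.actions [812]: NOTICE [sshd] Ban 192.168.1.22
"""

# Captures the timestamp (without milliseconds) and the banned address.
BAN_RE = re.compile(
    r"^(\S+ \S+?),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[[^\]]+\] Ban (\S+)$")

def offending_subnets(log_text, prefix=24, min_hosts=3, never_ban=()):
    """Return {network: (distinct banned hosts, last ban time)} for noisy subnets."""
    if prefix < 24:
        # Guard against the "ban a big range" risk: never aggregate wider than /24.
        raise ValueError("refusing to aggregate wider than /24")
    skip = [ipaddress.ip_network(n) for n in never_ban]
    hosts, last_seen = defaultdict(set), {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue  # Unban lines and anything else are ignored
        try:
            ip = ipaddress.IPv4Address(m.group(2))
        except ValueError:
            continue  # IPv6 or malformed address: out of scope for this sketch
        if any(ip in n for n in skip):
            continue  # e.g. the local LAN must never end up in the subnet log
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts[net].add(ip)          # a set, so repeat bans of one host count once
        last_seen[net] = m.group(1)
    return {n: (len(h), last_seen[n]) for n, h in hosts.items() if len(h) >= min_hosts}

def subnet_log_lines(found):
    """Format one line per subnet for a subnet log (hypothetical line format)."""
    return [f"{ts} fail2ban-subnets: offending subnet {net} distinct_hosts={count}"
            for net, (count, ts) in sorted(found.items())]
```

A cron job would append the output of subnet_log_lines() to the subnet log, and a filter written to match that line format would hand the subnet to the existing ban action.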