kevin_thibedeau 7 hours ago

I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.

BLKNSLVR 7 hours ago | parent | next

I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24.

Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!

P.S. I wholeheartedly support your choice of blocking for your reasons.
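Added example (not code from either commenter): a small Python script that does the review kevin_thibedeau and BLKNSLVR describe, aggregating fail2ban "Ban" lines per /16 (counting ban events, the "100+ hits" rule) or per /24 (counting distinct addresses, the "X IPs in a /24" check) and listing the prefixes that cross a threshold. The log lines, the thresholds and the choice of iproute2 blackhole routes for the nullroute step are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed fail2ban "actions" log excerpt (not from the thread). The
# documentation ranges 203.0.113.0/24, 203.0.114.0/24 and 198.51.100.0/24
# stand in for real attacker sources.
SAMPLE_LOG = """\
2024-05-01 10:00:01,100 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.10
2024-05-01 10:00:05,200 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.11
2024-05-01 10:00:09,300 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.12
2024-05-01 10:01:00,400 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.114.7
2024-05-01 10:02:00,500 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.9
2024-05-01 10:03:00,600 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.10
2024-05-01 10:04:00,700 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.10
"""

# fail2ban logs "Ban <ip>" on a ban and "Unban <ip>" on expiry; only bans count.
BAN_RE = re.compile(r"\] Ban (\S+)$")


def banned_addresses(log_text):
    """Yield each IPv4 address from a 'Ban' line, in log order, repeats kept."""
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed line: skip it rather than abort the report
        if addr.version == 4:
            yield addr


def prefix_report(log_text, prefix_len, distinct=False):
    """Map each /prefix_len network to its ban count.

    distinct=False counts ban events (the "hits fail2ban 100+ times" rule);
    distinct=True counts unique addresses (the "X IP addresses in a /24" check).
    """
    seen = defaultdict(set)
    counts = Counter()
    for addr in banned_addresses(log_text):
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        if distinct:
            seen[net].add(addr)
        else:
            counts[net] += 1
    if distinct:
        return {net: len(addrs) for net, addrs in seen.items()}
    return dict(counts)


def ban_candidates(log_text, prefix_len, threshold, distinct=False):
    """Return [(network_str, count)] for prefixes at or above threshold, busiest first."""
    report = prefix_report(log_text, prefix_len, distinct)
    hits = [(str(net), n) for net, n in report.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def nullroute_commands(candidates):
    """iproute2 blackhole routes for the chosen prefixes (one way to 'nullroute' them)."""
    return [f"ip route add blackhole {net}" for net, _ in candidates]


if __name__ == "__main__":
    for net, n in ban_candidates(SAMPLE_LOG, 16, threshold=3):
        print(f"{net}: {n} ban events")
    for net, n in ban_candidates(SAMPLE_LOG, 24, threshold=3, distinct=True):
        print(f"{net}: {n} distinct banned addresses")
    print("\n".join(nullroute_commands(ban_candidates(SAMPLE_LOG, 16, threshold=3))))
```

On a real box, feed it `/var/log/fail2ban.log` instead of the embedded sample and raise the thresholds to whatever you consider evidence of a whole prefix being hostile; counting distinct addresses rather than events stops one stubborn host from getting its entire /16 blackholed.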

kees99 6 hours ago | parent

> bunch of organisations that just probe the entire IPv4 range on a regular basis

Yep, #1 source of junk traffic, in my experience. I set those prefixes to go right into a nullroute on every server I set up:

https://raw.githubusercontent.com/UninvitedActivity/Uninvite...

#2 are IP ranges of Azure, DO, OVH, vultr, etc... A bit harder to block those outright.

lxgr 6 hours ago | parent | prev

Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.

kees99 5 hours ago | parent | next

Back in the day, port knocking was a perfect fit for this eventuality.

Nowadays, wireguard would probably be a better choice.

(Both of the above, of course, assume one does the sensible thing and adds the "perma-bans" a bit lower in the firewall rules, below "established" and "port-knock".)
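Added example (not kees99's or lxgr's code): a first-match rule evaluator in Python that shows why rule order matters here. With the perma-ban above the "established" and WireGuard rules, an admin connecting from a hotel network that shares the banned /16 is locked out; with the ban placed below them, the admin's WireGuard handshake and existing sessions get through while the brute-forcer from the same /16 is still dropped. The rule set, the WireGuard port (udp/51820) and the banned prefix 203.0.0.0/16 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                   # source address
    proto: str                 # "tcp" or "udp"
    dport: int                 # destination port
    established: bool = False  # conntrack already knows this flow


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    src_net: Optional[str] = None     # e.g. "203.0.0.0/16"
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every criterion it sets agrees with the packet."""
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established is not None and pkt.established != self.established:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, as in an iptables/nftables input chain; default policy drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "default policy"


# Constructed rule set (assumed: WireGuard on udp/51820, perma-banned prefix 203.0.0.0/16).
ESTABLISHED = Rule("established", "accept", established=True)
WIREGUARD = Rule("wireguard", "accept", proto="udp", dport=51820)
PERMA_BAN = Rule("perma-ban 203.0.0.0/16", "drop", src_net="203.0.0.0/16")
SSH = Rule("ssh", "accept", proto="tcp", dport=22)

BAN_FIRST = [PERMA_BAN, ESTABLISHED, WIREGUARD, SSH]  # the lockout lxgr warns about
BAN_LOWER = [ESTABLISHED, WIREGUARD, PERMA_BAN, SSH]  # the ordering kees99 describes

# Admin's WireGuard handshake from a network that shares the banned /16 (constructed).
ADMIN_HANDSHAKE = Packet(src="203.0.113.77", proto="udp", dport=51820)
# Brute-forcer from the same /16 going for ssh (constructed).
SCANNER = Packet(src="203.0.113.99", proto="tcp", dport=22)

if __name__ == "__main__":
    for label, rules in (("ban first", BAN_FIRST), ("ban below established/wireguard", BAN_LOWER)):
        print(f"{label}: admin={evaluate(rules, ADMIN_HANDSHAKE)} scanner={evaluate(rules, SCANNER)}")
```

The same logic carries over to a real chain: a port-knock "open" rule or the WireGuard accept goes above the blocklist drop, and the blocklist only ever sees traffic that those earlier rules did not claim.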

BLKNSLVR 5 hours ago | parent | prev

Good network admins have contingencies for contingencies for contingencies.