    Blocking IP CIDR

    Hopefully you technical gurus can answer this one for me...?

    I have been using this site: https://bgp.he.net/ to look up the CIDR of IPs Fail2Ban has blocked and in turn block the entire CIDR.

    When it lists, for example:
    AS35104 IRR Parent Valid ROA Signed and Valid
    217.196.26.0/23 "Kaztranscom" JSC
    AS35104 IRR Valid ROA Signed and Valid
    217.196.26.0/24 "Kaztranscom" JSC

    Would I block BOTH 217.196.26.0/23 AND 217.196.26.0/24, or would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?

    But then why would it list both? Is it because the IP is still within both subnets?

    Thanks for the clarification!

    Comments

    • hzrhzr Member, Moderator

      /23 covers both

      most specific wins

      some networks only see /23.

    • yes

      lurking in the shadows like a wombat or some shit

    • dfroedfroe Member, Provider

      Charles_In_IT said: would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?

      217.196.26.0/23 also includes 217.196.26.0/24.

      Charles_In_IT said: But then why would it list both?

      Because AS35104 is announcing 217.196.26.0/23 and 217.196.26.0/24 via BGP into the global routing table.

      IT-Service David Froehlich | Individual network and hosting solutions | AS39083 | RIPE LIR services (IPv4, IPv6, ASN)

    • This is probably not the best approach.

      Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

      Anyways, I'd use the /24. You want to do the smallest size possible so you don't spread your net too far.

      However, the /23 would encompass the /24 and another /24.
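
Added example, not part of any post in this thread: the containment question above, checked with Python's standard `ipaddress` module. The two prefixes are the ones quoted in the question; the sample source IPs and the function names are constructed for illustration.

```python
import ipaddress

# Prefixes exactly as listed in the question (both announced by AS35104).
ANNOUNCED = ["217.196.26.0/23", "217.196.26.0/24"]

def _nets(prefixes):
    # strict parsing rejects entries with host bits set, e.g. 217.196.27.0/23
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]

def covering(ip, prefixes):
    """Prefixes that contain ip, most specific (longest mask) first."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in _nets(prefixes) if n.version == addr.version and addr in n]
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen, reverse=True)]

def redundant(prefixes):
    """Listed prefixes that lie entirely inside another listed prefix."""
    nets = _nets(prefixes)
    return [str(n) for n in nets if any(o != n and n.subnet_of(o) for o in nets)]

def minimal_blocklist(prefixes):
    """Smallest set of block rules with the same coverage as the input."""
    return [str(n) for n in ipaddress.collapse_addresses(_nets(prefixes))]

def addresses_blocked(prefixes):
    """Total addresses a block list denies, counted after collapsing overlaps."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(_nets(prefixes)))

if __name__ == "__main__":
    # Constructed source IPs: one in the lower /24, one in the upper /24.
    for ip in ("217.196.26.77", "217.196.27.10"):
        print(ip, "is covered by", covering(ip, ANNOUNCED))
    print("redundant entries:", redundant(ANNOUNCED))
    print("minimal block list:", minimal_blocklist(ANNOUNCED))
    print("blocking the /24 only denies", addresses_blocked(["217.196.26.0/24"]), "addresses")
    print("blocking the /23 denies", addresses_blocked(ANNOUNCED), "addresses")
```

An address in 217.196.27.x is matched only by the /23, so choosing the /23 doubles the number of addresses denied compared with the /24.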

    • emreemre Member

      check this subnet calculator if you want to learn more

      http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

      IP address          217.196.26.0
      class               C
      type                PUBLIC
      network             217.196.26.0
      bitmask             23
      netmask             255.255.254.0
      wildcardmask        0.0.1.255
      host range          217.196.26.1-217.196.27.254
      broadcast address   217.196.27.255
      total IP addresses  510
      
    • Ahhh thanks guys for the clarification. As I suspected the lower number, or /23 in this case, should suffice. Been wondering that for a couple years, and decided to ask!

      @AlyssaD said:
      This is probably not the best approach.

      Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

      Yea, if the subnet belonged to a valid entity, but if it's to a spam company or country, I have no problem banning them for life! LOL

      Happy banning!

    • @Charles_In_IT said:
      Ahhh thanks guys for the clarification. As I suspected the lower number, or /23 in this case, should suffice. Been wondering that for a couple years, and decided to ask!

      @AlyssaD said:
      This is probably not the best approach.

      Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

      Yea, if the subnet belonged to a valid entity, but if it's to a spam company or country, I have no problem banning them for life! LOL

      Happy banning!

      If you think it is a spamming company, and just want their whole ASN nulled there are easier options.

    • @AlyssaD said:
      If you think it is a spamming company, and just want their whole ASN nulled there are easier options.

      And what would that be...??? The suspense is killin me...

    • @AlyssaD said:
      If you think it is a spamming company, and just want their whole ASN nulled there are easier options.

      The link you sent me: https://asn.ipinfo.app/AS36352
      Is not any different than the URL I provided in the OP.
      HE is transparent, unlike the link you provided which is provided by who, ColoCrossing?
      Are you a mole? LOL

    • @Charles_In_IT said:
      [..] unlike the link you provided which is provided by who, ColoCrossing?

      What are you even asking?
