New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Blocking IP CIDR
Charles_In_IT
Member
in Help
Hopefully you technical gurus can answer this one for me...?
I have been using this site: https://bgp.he.net/ to lookup CIDR of IPs Fail2Ban has blocked and inturn block the entire CIDR.
When it lists, for example:
AS35104 IRR Parent Valid ROA Signed and Valid
217.196.26.0/23 "Kaztranscom" JSC
AS35104 IRR Valid ROA Signed and Valid
217.196.26.0/24 "Kaztranscom" JSC
Would I block BOTH 217.196.26.0/23 AND 217.196.26.0/24, or would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?
But then why would it list both? Is it because the IP is still within both subnets?
Thanks for the clarification!
Comments
/23 covers both
most specific wins
some networks only see /23 .
yes
217.196.26.0/23 also includes 217.196.26.0/24.
Because AS35104 is announcing 217.196.26.0/23 and 217.196.26.0/24 via BGP into global routing table.
This is probably not the best approach.
Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.
Anyways, I'd use the /24. You want to do the smallest size possible so you don't spread your net too far.
However, the /23 would encompass the /24 and another /24.
check this subnet calculator if you want to learn more
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
Ahhh thanks guys for the clarification. As I suspected the lower number, or /23 in this case, should suffice. Been wondering that for a couple years, and decided to ask!
Yea, if the subnet belonged to a valid entity, but if it's to a spam company or country, I have no problem banning them for life! LOL
Happy banning!
If you think it is a spamming company, and just want there whole ASN nulled there are easier options.
And what would that be...??? The suspense is killin me...
The link you sent me: https://asn.ipinfo.app/AS36352
Is not any different than the URL I provided in the OP.
HE is transparent, unlike the link you provided which is provided by who, ColoCrossing?
Are you a mole? LOL
What are you even asking?
My reply was about the DM you sent me:
AS36352 = ColoCrossing
Yes...
and here is HE.net's https://asn.ipinfo.app/AS6939.
and here is one from your original post: https://asn.ipinfo.app/AS35104.
I still do not grasp your post or what you are asking.
LOL I thought it was pretty straight forward:
Other people understood without issue, and answered already, before your spam/fluff.
Toodles then.