Found the solution to my problem. Findtime was too short.

I set it to one year and it put all the IP blocks in the chain. It's not really a solution since in one year it will be skipping them again.

How do I suggest a feature to have findtime -1, like bantime?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I created a jail for CBLOCKS and although the regex test passes, not all IPs are added to the CHAIN.

Here are the details.

Created a filter /etc/fail2ban/filter.d/ip-blacklist.conf

# Fail2Ban Configuration File
#
# ip-blacklist.conf
#
# Author: Tom Keyser
# Revision: 2014-04-19
#
# Use this to read ip.blacklist and handle the CBLOCKs
#
# this is the format of the records in ip.blacklist
#dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0 # comment why its blocked
#16-04-2014 00:00:01 - 5.10.83.0 # static.reverse.softlayer.com
#16-04-2014 00:00:01 - 180.76.6.0 #  baiduspider


[Definition]
failregex =     ^ - <HOST>.*$

ignoreregex =

Also created an action definition to block all /24

/etc/fail2ban/action.d/iptables-allports24.conf


[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip>/24 -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip>/24 -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

Here is the Jail defined

[blacklist24]
#blacklist all ports, all protocols, for entire CBLOCK
enabled  = true
filter   = ip-blacklist
action   = iptables-allports24[name=BLACKLIST24, protocol=all]
# this file holds all the CBLOCKS we want to block
logpath  = /etc/fail2ban/ip.blacklist.v2
maxretry = 0
# find also slow bots that try to hide in the log files
findtime = 432000
# forever
bantime  = -1

Here is the file to filter

/etc/fail2ban/ip.blacklist.v2

dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0  # comment why its blocked
16-04-2014 00:00:01 - 5.10.83.0  # AhrefsBot
16-04-2014 00:00:01 - 180.76.6.0  #  baiduspider
16-04-2014 00:00:01 - 180.76.5.0  #  baiduspider
16-04-2014 00:00:01 - 183.207.228.0  # china
16-04-2014 00:00:01 - 123.125.71.0  #  baiduspider
18-04-2014 00:00:01 - 220.181.108.0  #  baiduspider
18-04-2014 00:00:01 - 119.63.196.0  # Baiduspider-image+
19-04-2014 00:00:01 - 116.10.191.0  # china - ssh brute force attempts
20-04-2014 00:24:01 - 123.125.68.0  #  baiduspider
20-04-2014 17:21:01 - 64.94.179.0  # lots of portscans from this block so lets make the block perm
20-04-2014 21:02:01 - 69.25.172.0  # lots of portscans from this block so lets make the block perm

Here are the results of the regex test

fail2ban-regex -v /etc/fail2ban/ip.blacklist.v2 /etc/fail2ban/filter.d/ip-blacklist.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/ip-blacklist.conf
Use         log file : /etc/fail2ban/ip.blacklist.v2


Results
=======

Failregex: 11 total
|-  #) [# of hits] regular expression
|   1) [11] ^ - <HOST>.*$
|      5.10.83.0  Wed Apr 16 00:00:01 2014
|      180.76.6.0  Wed Apr 16 00:00:01 2014
|      180.76.5.0  Wed Apr 16 00:00:01 2014
|      183.207.228.0  Wed Apr 16 00:00:01 2014
|      123.125.71.0  Wed Apr 16 00:00:01 2014
|      220.181.108.0  Fri Apr 18 00:00:01 2014
|      119.63.196.0  Fri Apr 18 00:00:01 2014
|      116.10.191.0  Sat Apr 19 00:00:01 2014
|      123.125.68.0  Sun Apr 20 00:24:01 2014
|      64.94.179.0  Sun Apr 20 17:21:01 2014
|      69.25.172.0  Sun Apr 20 21:02:01 2014
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [11] Day-Month-Year Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0]
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 12 lines, 0 ignored, 11 matched, 1 missed
|- Missed line(s):
|  dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0  # comment why its blocked
`-

Here is what ends up in iptables CHAIN

Chain fail2ban-BLACKLIST24 (1 references)
target     prot opt source               destination
REJECT     all  --  64.94.179.0/24       anywhere            reject-with icmp-port-unreachable
REJECT     all  --  69.25.172.0/24       anywhere            reject-with icmp-port-unreachable
REJECT     all  --  220.181.108.0/24     anywhere            reject-with icmp-port-unreachable
REJECT     all  --  116.10.191.0/24      anywhere            reject-with icmp-port-unreachable
REJECT     all  --  123.125.68.0/24      anywhere            reject-with icmp-port-unreachable
REJECT     all  --  119.63.196.0/24      anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

I'm puzzled why only 6 of the 11 IP blocks show up in the CHAIN??

Any assistance would be helpful.

Thanks in advance.
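
An added example, not part of the original post: a check that shows which blacklist records fall outside the jail's findtime window, since fail2ban does not count matched lines whose timestamp is older than findtime. The records are the ones listed in the post; the jail start time (2014-04-21 12:00:00) and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Blacklist records as listed in the post (first line is the format header).
BLACKLIST = """\
dd-mm-yyyy 00:00:01 - xxx.xxx.xxx.0  # comment why its blocked
16-04-2014 00:00:01 - 5.10.83.0  # AhrefsBot
16-04-2014 00:00:01 - 180.76.6.0  #  baiduspider
16-04-2014 00:00:01 - 180.76.5.0  #  baiduspider
16-04-2014 00:00:01 - 183.207.228.0  # china
16-04-2014 00:00:01 - 123.125.71.0  #  baiduspider
18-04-2014 00:00:01 - 220.181.108.0  #  baiduspider
18-04-2014 00:00:01 - 119.63.196.0  # Baiduspider-image+
19-04-2014 00:00:01 - 116.10.191.0  # china - ssh brute force attempts
20-04-2014 00:24:01 - 123.125.68.0  #  baiduspider
20-04-2014 17:21:01 - 64.94.179.0  # lots of portscans from this block so lets make the block perm
20-04-2014 21:02:01 - 69.25.172.0  # lots of portscans from this block so lets make the block perm
"""

RECORD = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) - (\d{1,3}(?:\.\d{1,3}){3})\s")

def parse(text):
    """Return (records, unparsed); records are (timestamp, network_ip) tuples."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S")
            records.append((ts, m.group(2)))
        elif line.strip():
            unparsed.append(line)
    return records, unparsed

def split_by_findtime(records, now, findtime):
    """Separate records inside the findtime window from those older than it."""
    cutoff = now - timedelta(seconds=findtime)
    kept = [ip for ts, ip in records if ts >= cutoff]
    skipped = [ip for ts, ip in records if ts < cutoff]
    return kept, skipped

def required_findtime(records, now):
    """Smallest findtime (seconds) that still covers the oldest record."""
    oldest = min(ts for ts, _ in records)
    return int((now - oldest).total_seconds())

if __name__ == "__main__":
    now = datetime(2014, 4, 21, 12, 0, 0)  # assumed jail start time, not from the post
    records, _ = parse(BLACKLIST)
    print(split_by_findtime(records, now, 432000), required_findtime(records, now))
```

With the assumed start time and findtime = 432000, the five records dated 16-04-2014 are skipped and the remaining six are kept, which matches the six rules in the chain listing above.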