I believe the apache blocklist is mainly static data.
Take a look at this chart:
http://iplists.firehol.org/?ipset=block ... apache#age
About 85% of it does not expire. Never.
Check also the list's retention policy at:
http://iplists.firehol.org/?ipset=block ... #retention
Most of the IPs passing through the list do expire in logical durations.
But not this 85% that is currently listed.
Check also the age of IPs in all.txt here:
http://iplists.firehol.org/?ipset=blocklist_de#age
Around half of it is also stale.
On Jan 6, 2016 the following were added to apache.txt (and are still listed).
Here in CIDR notation (I grouped them to CIDRs to limit the size of the post):
Code: Alles auswählen
5.9.25.65
5.9.25.66/31
5.9.25.68/30
5.9.25.72/29
5.9.25.80/30
5.9.25.84/31
5.167.64.0/21
46.118.112.135
50.7.240.10
77.109.139.87
82.221.99.224/28
91.215.155.32
95.134.130.182
95.141.17.0/24
95.143.192.159
96.44.142.250
96.47.224.42
96.47.225.0/24
108.62.56.0/21
113.212.69.0/24
113.212.70.0/24
173.234.225.0/24
173.234.226.0/23
176.9.219.38
176.100.75.27
176.221.42.32
178.137.16.0/24
188.95.234.6
188.143.232.1
188.143.232.2/31
188.143.232.4/30
188.143.232.8/29
188.143.232.16/28
188.143.232.32/27
188.143.232.64/26
188.143.232.128/25
188.143.233.0/24
188.143.235.21
192.251.226.0/25
192.251.226.128/26
192.251.226.192/27
192.251.226.224/28
192.251.226.240/29
192.251.226.248/30
192.251.226.252/31
192.251.226.254
194.71.223.0/24
194.71.224.0/23
195.254.134.10
195.254.134.194
216.151.130.0/24
216.151.137.0/24
216.151.138.0/24
216.152.249.0/24
216.152.252.0/24
8.989 of these IPs were added to all.txt on Mar 8, 2016.
My data show that on Mar 8, all.txt was somehow reset - at 07:10 GMT was listing 70.000 unique IPs, then at 07:42 went down to 55.000 IPs and a few minutes later went back to 70.000 IPs.
So, most probably these data were listed in all.txt before Mar 8.
Similarly, on Jan 6, apache.txt was reset - at 17:28 GMT was listing 18.500 unique IPs, then at 17:56 was listing 614 IPs, then at 18:14 was back to 18.500 IPs.
So, most probably these data are there for a long time before Jan 6.
To my understanding, apache.txt is mainly static data.
It does not come from a fail2ban process.
You have blacklisted all these IPs permanently.
Regards,
Costa