
597 points classichasclass | 1 comments
Jnr ◴[] No.45012032[source]
Externally I use Cloudflare proxy and internally I put Crowdsec and Modsecurity CRS middlewares in front of Traefik.

After some fine-tuning and eliminating false positives, it is running smoothly. It logs all the temporarily banned and reported IPs (to Crowdsec) and logs them to a Discord channel. On average it blocks a few dozen different IPs each day.

From what I see, there are far more American IPs trying to access non-public resources and attempting to exploit CVEs than there are Chinese ones.

I don't really mind anyone scraping publicly accessible content, and the rest is either gated by SSO or located in the intranet.

For me personally, there is no need to block a specific country; I think that trying to block exploit or flooding attempts is a better approach.

poisonborz ◴[] No.45012108[source]
Crowdsec: the idea is tempting, but giving away all of the server's traffic to a for-profit is a huge liability.
1. Jnr ◴[] No.45012667[source]
You pass all traffic through Cloudflare. You do not pass any traffic to Crowdsec, you detect locally and only report blocked IPs. And with Modsecurity CRS you don't report anything to anyone, but configuring and fine-tuning is a bit harder.